Hackers have recently exploited a vulnerability in GitHub and GitLab that lets them upload malware disguised as files belonging to legitimate repositories, distributing it through phishing links generated from unpublished comments on open source projects.

Description

This social engineering tactic attaches malware to trusted projects through the comment feature, enabling malware distribution on these platforms [1]. The Redline Stealer Trojan has been distributed through links associated with Microsoft’s GitHub-hosted repositories. The comment feature on both GitHub and GitLab has been identified as the source of this vulnerability: when a user attaches a file to a comment, the platform generates a download link in a specific format, and that link remains active even if the comment is never published [3]. This poses a security risk to users of open source projects [1], because project owners currently have no feature for managing files attached to their projects in this way. GitHub is actively investigating the issue and advises users to follow the project maintainers’ instructions when downloading software. Developers are urged to inspect links associated with GitHub and other repositories carefully to avoid falling prey to phishing attacks. Distributing malware through comments makes it significantly harder to detect and prevent impersonation and malware attacks on victim companies, because the uploaded file remains available even if the comment is quickly deleted [2]. Disabling comments is currently the only solution [2], but this may inconvenience legitimate users who rely on the comments section for project feedback and bug reporting [2].
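The link inspection recommended above can be automated: a download link that sits under a trusted project's namespace but points at a comment upload deserves scrutiny, while release assets and repository files are maintainer-controlled. The following is an added example, not code from the article or from GitHub or GitLab; it assumes the attachment path markers `/files/` and `/assets/` (and the `user-attachments` namespace) on GitHub and `/uploads/` on GitLab, and all sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumed path conventions (see lead-in): comment uploads live under
# <owner>/<repo>/files/ or /assets/ on GitHub (or under user-attachments/)
# and under <group>/<project>/uploads/ on GitLab. Release assets and
# repository files use different, maintainer-controlled paths.
GITHUB_HOSTS = {"github.com", "www.github.com"}
GITLAB_HOSTS = {"gitlab.com", "www.gitlab.com"}


def classify_url(url: str) -> dict:
    """Return the platform, the project namespace the link appears under, and
    whether it is a release asset, a repository file, or a comment upload."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segs = [s for s in parts.path.split("/") if s]
    info = {"platform": None, "project": None, "kind": "other"}
    if host in GITHUB_HOSTS:
        info["platform"] = "github"
        if len(segs) < 3:
            return info
        owner, repo, marker = segs[0], segs[1], segs[2]
        if owner == "user-attachments":      # upload with no project namespace
            info["kind"] = "comment_attachment"
            return info
        info["project"] = f"{owner}/{repo}"
        if marker in ("files", "assets"):    # uploaded by any commenter
            info["kind"] = "comment_attachment"
        elif marker == "releases" and segs[3:4] == ["download"]:
            info["kind"] = "release_asset"
        elif marker in ("blob", "raw", "tree"):
            info["kind"] = "repository_file"
    elif host in GITLAB_HOSTS:
        info["platform"] = "gitlab"
        # subgroups nest, so the project path runs up to the first special segment
        stop = next((i for i, s in enumerate(segs) if s in ("-", "uploads")), len(segs))
        info["project"] = "/".join(segs[:stop]) or None
        rest = segs[stop:]
        if "uploads" in rest:                # uploaded by any commenter
            info["kind"] = "comment_attachment"
        elif rest[:2] == ["-", "releases"]:
            info["kind"] = "release_asset"
        elif rest[:2] in (["-", "blob"], ["-", "raw"], ["-", "tree"]):
            info["kind"] = "repository_file"
    return info


def suspicious_links(urls):
    """Links that borrow a trusted project's URL space but point at a comment upload."""
    return [u for u in urls if classify_url(u)["kind"] == "comment_attachment"]
```

Run `suspicious_links` over the URLs extracted from an e-mail, chat message or download page before anyone clicks them; a hit under a well-known project's namespace is exactly the pattern described in this article.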

Conclusion

The exploitation of this vulnerability highlights the importance of robust security measures on open source platforms. Mitigations such as careful link inspection and following project maintainers’ instructions are crucial to prevent falling victim to malware attacks. Moving forward, developers and platform owners must work together to address this issue and enhance security features to protect users from malicious activities.

References

[1] https://www.schneier.com/blog/archives/2024/04/using-legitimate-github-urls-for-malware.html
[2] https://www.techradar.com/pro/security/github-malware-spreads-by-hackers-spoofing-microsoft-files
[3] https://www.hostzealot.com/blog/news/gitlab-shares-githubs-vulnerability-to-hosting-malware