GitHub Archives

The Dangers of Malware on GitHub

GitHub, malicious code, malware, Open Source Malware, OphtekGitHub, malicious code, malware, open source malware, OphtekOphtek, LLC

Mar 2024

GitHub is a wildly popular website for developers to create, share, and store their code, but it’s also being increasingly used to spread malware.

Launched in 2008, GitHub quickly became the number one destination for developers. Packed full of features – such as hosting open source code, bug tracking tools, and software requests – GitHub is the perfect one-stop shop for developers looking to collaborate and enhance their software. However, where there’s code, there’s also potential for malware to rear its ugly head. And, in the last few years, GitHub has been exploited by numerous threat actors.

How does GitHub Work?

GitHub is an online repository where developers can come together to pool resources and knowledge to improve their software builds. It may not be something that most of your staff are likely to log on to, but your IT team are likely to use it to manage projects they’re working on. The objective of GitHub is to create a community of friendly developers, but the open membership policy means this doesn’t always go to plan.

Why is GitHub Dangerous?

Threat actors can easily sign up for membership within a matter of minutes, and then they can begin uploading their malicious code under the pretense of being an innocent software project. Quite often, threat actors will sign up with a username previously used by another developer, this is to trick other developers into thinking this is a reputable account. The GitHub community will believe that any repositories uploaded to this account are safe, and they will download them without thinking. And this is when malware can be unknowingly unleashed on unsuspecting networks.

Threat actors are also using GitHub to host command and control servers, which allow attackers to create communication channels into infected devices. Usually, this would be indicated by an unusual domain address in your network traffic. But with GitHub’s credentials being used, this would look less suspicious, especially if you team access GitHub. It’s also convenient, for the threat actors, to use a public service where launching a command control server is much easier than building an infrastructure from scratch.

Finally, GitHub is being used as a storage space for malware, as demonstrated in this fake proof-of-concept software attack. This particular attack allowed the threat actors to exploit a known vulnerability within the Linux operating system, which is commonly used by developers working on GitHub. These attacks can even catch out the security experts, so they underline just how dangerous GitHub can be if you’re not vigilant.

How Can You Work Safely with GitHub?

Threat actors are essentially turning certain parts of GitHub into a malicious website, so it’s crucial you know how to manage this threat. The most effective step you can take is to block access to GitHub on your organization’s network. Your staff are highly unlikely to need to access GitHub anyway, so this makes sense. However, some of your IT staff, and any developers you employ, may still require access to complete their job.

GitHub, of course, isn’t the only legitimate website to be harboring malware. Huge sites such as Dropbox and Google Drive are all capable of delivering malware to unsuspecting members. Therefore, you should only ever download from trusted sources.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Security Experts Targeted by Malware on GitHub

GitHub, Hackers, install updates, malicious websites, malware, Ophtek, POC, proof of conceptGitHub, hackers, malware, Ophtek, POC, security, updates, vulnerabilityOphtek, LLC

Sep 2023

It’s always important to be cautious online, but it’s easy for people to fall victim to malware. Even security experts can fall for the tricks of hackers.

Yes, even those skilled and highly experienced security researchers can find themselves on the receiving end of malware. The most recent piece of evidence for this phenomena is an attack which is as brazen as it is powerful. It revolves around a piece of bait left, by threat actors, on GitHub, an online repository for developers to store and share their code. And it was a piece of code, disguised as a highly tempting piece of software for a security expert, which led to many of these professionals being left embarrassed.

How Were the Experts Fooled?

The GitHub attack involved a piece of software being made available which claimed to be a proof-of-concept (POC). Typically, a POC is a demonstration of a software project, and is used to determine how feasible the project is and the potential of its long-term success. For a security researcher, a POC is a useful way to test for security vulnerabilities, and this is why they are frequently downloaded and analyzed.

However, this specific ‘POC’ proved to be little more than malware in disguise. Within the fake POC structure was a malware downloader, which was used to download malware and set off a chain of malicious events. Once the malware was downloaded, it began by executing a Linux script to automate specific commands. This allowed the threat actors to start stealing data, which was automatically downloaded to a remote location, by scraping the entire directory of the infected PC.

The fake POC also allowed the threat actors to gain full access to any of the infected systems. This was achieved by adding their secure shell (a protocol for operating network services) to the authorized keys file on the infected system. All of this was made possible, for the threat actors, due to a vulnerability – known as CVE-2023-35829 – discovered in the Linux operating system, an OS usually used by software developers.

Avoid the Mistakes of the Experts

You may be thinking that, if a security expert can fall victim to malware, what hope do you have in the face of targeted attacks? However, as we know, nobody is 100% immune from the efforts of threat actors, and this includes security researchers. As ever, vigilance is key to maintaining the security of your IT infrastructure:

Always update: the surest way to minimize the risk of your PC being infected is to always install updates. No piece of software, due to the sheer amount of coding involved, is going to be free from mistakes. However, developers are keen to patch these mistakes as soon as they are aware of them, hence the issuing of security patches. Therefore, it makes sense to install these as soon as they are available.

Be wary of malicious websites: while GitHub is far from malicious, the people using it often are. This means you should always do some research on what you’re downloading and who you’re downloading it from. So, for example, try Googling the username of whoever is offering you a download, and see whether there are any trustworthy results or otherwise. Alternatively, ask an IT professional to take a look and assess the risk – contrary to the GitHub attack, they can usually spot malware from a mile away.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Tag Archives: GitHub