Hackers abused GitHub comments to push malware using Microsoft repo URLs

GitHub has removed malware linked to Microsoft’s repositories


Published on April 23, 2024


In recent developments, hackers have been using a GitHub flaw to distribute malware through URLs related to Microsoft repositories, which poses a serious risk to users.

Although it was first observed in Microsoft repositories, the exploit can affect any public repository on the platform, which heightens the security concern.

McAfee recently revealed a new malware loader pushed through seemingly legitimate Microsoft GitHub repositories, such as the STL library and the C++ Library Manager for Windows, macOS, and Linux (vcpkg).

The URLs for the malware installers look as though they belong to a Microsoft repo. However, the project's source code contains no reference to the files, which is suspicious. Here are the URLs:

Bleeping Computer further investigated the issue and found that these files were not included in the official repositories but were uploaded as attachments to comments on issues or commits within the projects.

GitHub lets users attach files to comments, which are uploaded to GitHub’s Content Delivery Network (CDN) and associated with the respective project through unique URLs.

Furthermore, even if a comment is never posted or is deleted after some time, the files remain accessible through the generated URLs.
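A defensive triage sketch for the behaviour described above, added here as an example and not taken from the article, McAfee or Bleeping Computer: it separates GitHub URLs that point at comment attachments from URLs that point at repository content or releases. The `/<owner>/<repo>/files/<id>/<name>` path layout and the extension list are assumptions, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed path layout for comment attachments (not given in the article):
#   /<owner>/<repo>/files/<numeric id>/<filename>
ATTACHMENT_RE = re.compile(r"^/([^/]+)/([^/]+)/files/(\d+)/([^/]+)$")
# Paths tied to repository content or maintainer-published releases.
REPO_CONTENT_RE = re.compile(
    r"^/[^/]+/[^/]+/(releases/download|archive|raw|blob)/"
)
# Assumed list of extensions worth escalating; tune for your environment.
RISKY_EXTENSIONS = (".zip", ".exe", ".msi", ".7z", ".rar", ".scr", ".bat")


def classify_github_url(url):
    """Return (verdict, detail) for a URL seen in a proxy or download log."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host match, so look-alike hosts are not treated as GitHub.
    if parts.scheme != "https" or host != "github.com":
        return ("not-github", host)
    m = ATTACHMENT_RE.match(parts.path)
    if m:
        owner, repo, _file_id, name = m.groups()
        risky = name.lower().endswith(RISKY_EXTENSIONS)
        verdict = "attachment-risky" if risky else "attachment"
        return (verdict, f"{owner}/{repo}: {name}")
    if REPO_CONTENT_RE.match(parts.path):
        return ("repo-content", parts.path)
    return ("other", parts.path)


def flag_downloads(urls):
    """Keep URLs that carry a repo name but are only comment attachments."""
    return [u for u in urls if classify_github_url(u)[0].startswith("attachment")]


# Constructed sample log entries; owner, repo, ids and file names are made up.
SAMPLE_URLS = [
    "https://github.com/example-org/example-repo/files/1234567/Setup.zip",
    "https://github.com/example-org/example-repo/releases/download/v1.0/tool.zip",
    "https://github.com/example-org/example-repo/files/7654321/crash-log.txt",
    "https://github.com.lookalike.example/example-org/example-repo/files/1/a.zip",
    "https://github.com/example-org/example-repo/blob/main/README.md",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_github_url(u), u)
```

A flagged URL only means the file was uploaded by some commenter rather than published by the repository's maintainers; it still needs normal file analysis before any verdict.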

This flaw is concerning as it raises questions about the integrity of software distribution via GitHub. Hackers can easily upload malware disguised as legitimate files within comments on popular repositories.

Because these URLs carry the names of reputable repositories, users may not suspect them, which could lead to the widespread dissemination of malware across various industries and platforms.

Despite the seriousness of the issue, GitHub does not have built-in settings to manage files attached to projects, leaving companies on the platform vulnerable.

Bleeping Computer has alerted Microsoft and GitHub about the flaw, but they have not responded yet. Although GitHub has removed the malware linked to Microsoft’s repositories, the malware related to Aimmy and httprouter is still there.

If you wish to protect your reputation and don't want your account and repositories to be abused, the only way is to disable comments on your project. However, according to the GitHub support document, you can only disable comments for six months at a time.

Also, not allowing users to comment on your project could badly affect its development, since comments are how users report bugs and make suggestions.

The incident is a reminder that the open source community and similar platforms should take proactive measures to protect their users from malicious activity.


Srishti Sisodia

Windows Software Expert

Srishti Sisodia is an electronics engineer and writer with a passion for technology. She has extensive experience exploring the latest technological advancements and sharing her insights through informative blogs.

Her diverse interests bring a unique perspective to her work, and she approaches everything with commitment, enthusiasm, and a willingness to learn. That’s why she’s part of Windows Report’s Reviewers team, always willing to share the real-life experience with any software or hardware product. She’s also specialized in Azure, cloud computing, and AI.
