HomeWinBuzzer NewsCybercriminals Exploit GitHub Comments to Spread Malicious Software

Cybercriminals Exploit GitHub Comments to Spread Malicious Software

Hackers use GitHub comments to hide malware disguised as legit files. Links look safe due to repository names.


Microsoft-owned code repository GitHub has become the latest battleground in . Malicious actors have ingeniously exploited the platform's file upload feature within comments to host and distribute malware. This method leverages automatically generated download links that misleadingly appear to be associated with legitimate repositories and their owners, creating a false sense of security among potential victims.

The Mechanism of Exploitation

At the heart of this issue is 's comment feature, which allows users to upload files that are then stored on GitHub's servers. The platform creates access links to these files in real-time, embedding them within the comments. What makes this method particularly insidious is that the user doesn't need to post the comment for the file to be uploaded and its URL generated. These URLs include the name of the repository and its owner, which can easily mislead individuals into believing they are accessing legitimate files from trusted sources.

The Response and Remediation Efforts

In response to the findings reported by Bleeping Computer, GitHub has taken action by removing the malware that falsely appeared to be affiliated with . However, it's reported that other malware campaigns leveraging this tactic remain accessible. As of now, GitHub has not publicly commented on any plans to alter this file upload logic to prevent future abuse. The only immediate remedy for developers wanting to protect their repositories from being implicated in such malicious campaigns is to disable comments, a measure that significantly hampers the collaborative nature of the platform.

Just last month, GitHub sent out a new security tool driven by AI. Known as Code Scanning Autofix, which is currently in public beta and is automatically activated for all private repositories held by customers of GitHub Advanced Security (GHAS). Leveraging the capabilities of GitHub Copilot and CodeQL, this AI-powered tool is proficient in handling more than 90% of alert types across several programming languages, including JavaScript, TypeScript, Java, and Python.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News