GitHub Comments Abused to Push Malware Via Microsoft Repo URLs
fliptop writes:
A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories,making the files appear trustworthy:
While most of the malware activity has been based around the Microsoft GitHub URLs, this "flaw" could be abused with any public repository on GitHub, allowing threat actors to create very convincing lures.
Yesterday, McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repositories for the "C++ Library Manager for Windows, Linux, and MacOS," known as vcpkg, and the STL library.
The URLs for the malware installers, shown below, clearly indicate that they belong to the Microsoft repo, but we could not find any reference to the files in the project's source code.
Finding it strange that a Microsoft repo would be distributing malware since February, BleepingComputer looked into it and found that the files are not part of vcpkg but were uploaded as part of a comment left on a commit or issue in the project.
[...] As the file's URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.
For example, a threat actor could upload a malware executable in NVIDIA's driver installer repo that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it's a new test version of the web browser.
Originally spotted on Schneier on Security.
Recently: xz-style Attacks Continue to Target Open-Source Maintainers
Read more of this story at SoylentNews.