Hackers Use GitHub Comments to Distribute Malware
Security researchers have discovered that hackers are abusing GitHub to spread malware. Attackers are leveraging URLs associated with Microsoft repositories, making malicious files appear trustworthy.
Last week, McAfee experts reported on fake cheat software that was actually a modified version of the RedLine infostealer. During their investigation, researchers noticed that the malicious payloads of these fake cheats used URLs linked to Microsoft’s vcpkg GitHub repository:
- https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
- https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
Journalists at Bleeping Computer found it odd that a Microsoft repository had been distributing malware since February 2024 without anyone noticing, and they couldn’t find references to these files in the project’s source code.
Upon further investigation, they discovered that the files were not part of vcpkg itself, but had been uploaded as attachments to comments on commits and issues.
How the Exploit Works
When leaving a comment on GitHub, users can attach files. These files are uploaded to GitHub’s CDN and linked to the relevant project via a unique URL in the format:
https://www.github[.]com/{project_user}/{repo_name}/files/{file_id}/{file_name}
For videos and images, the path uses /assets/ instead of /files/.
GitHub automatically generates a download link as soon as a file is attached to a comment, even before the comment is published. This allows hackers to associate their malware with any repository, without the repository owner’s knowledge.
Even if the comment is never published or is deleted immediately after posting, the files remain on GitHub’s CDN and the URLs continue to work.
The repository name still appears in the URL, making the links look legitimate and allowing attackers to create convincing lures. For example, a hacker could upload a malicious executable to Nvidia’s repository for driver installation, disguising it as a new driver update for a popular game. Or, an attacker could upload a file to a comment in the Google Chromium source code and claim it’s a new test build of the browser.
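As an added example (not part of the article), the following Python classifier applies the URL format described above to tell whether a GitHub link points at content the repository owner controls or at a file attached to a comment; the regular expression, the list of risky extensions and the sample log lines are constructed assumptions, not material from the article.

```python
import re
from urllib.parse import urlparse

# Comment attachments live at /{owner}/{repo}/files/{file_id}/{file_name}; images and
# videos use /assets/ (the trailing name is optional here as an assumption).
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?P<kind>files|assets)/"
    r"(?P<file_id>[^/]+)(?:/(?P<name>[^/]+))?/?$"
)
# Extensions nobody expects to be served as a comment attachment (constructed list).
RISKY_EXT = (".zip", ".rar", ".7z", ".exe", ".msi", ".scr", ".bat", ".lnk")

def refang(url: str) -> str:
    """Undo common IOC defanging such as hxxps:// and github[.]com."""
    return url.strip().replace("[.]", ".").replace("hxxp", "http")

def classify(url: str) -> dict:
    """Say whether a URL is on github.com and, if so, whether it is a comment attachment."""
    parsed = urlparse(refang(url))
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return {"github": False}
    match = ATTACHMENT_RE.match(parsed.path)
    if not match:
        # blob/, tree/, releases/ and similar: content the repository owner controls
        return {"github": True, "attachment": False}
    name = match.group("name") or ""
    return {"github": True, "attachment": True, "kind": match.group("kind"),
            "owner": match.group("owner"), "repo": match.group("repo"),
            "file_id": match.group("file_id"), "name": name,
            "risky": name.lower().endswith(RISKY_EXT)}

def scan(lines):
    """Return (url, info) for every comment attachment URL found in text lines."""
    hits = []
    for line in lines:
        for url in re.findall(r"h(?:tt|xx)ps?://\S+", line):
            info = classify(url)
            if info.get("attachment"):
                hits.append((refang(url), info))
    return hits

# Constructed proxy-log lines (not real indicators) for a stand-alone run.
SAMPLE_LINES = [
    "GET https://github.com/example-org/example-repo/blob/main/README.md",
    "GET https://github.com/example-org/example-repo/files/10000001/Driver.Update.zip",
    "GET https://github.com/example-org/example-repo/assets/10000002/screenshot.png",
]
if __name__ == "__main__":
    for url, info in scan(SAMPLE_LINES):
        print("risky" if info["risky"] else "attachment", url)
```

A match on the attachment pattern only tells you the file was not reviewed by the repository's maintainers; whether to block it is a policy decision for the proxy or mail gateway that consumes the result.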
Limited Protection for Repository Owners
Even if a company discovers its repositories are being used to distribute malware, there are no settings to manage files attached to projects. The only way to protect a GitHub account from this abuse is to disable comments, which can only be done temporarily for up to six months.
Sergei Frankoff, a specialist at the automated malware analysis service UNPACME, hosted a Twitch stream about this issue last month and confirmed that attackers are actively exploiting it.
Ongoing Threats and Lack of Response
During their investigation, Bleeping Computer found another repository (httprouter) being used to distribute malware: the same fake cheat, Cheater.Pro.1.6.0.zip, as in the Microsoft repository URLs.
Frankoff also reported discovering a similar campaign in March, using the same Lua-based loader, SmartLoader, disguised as cheat software called Aimmy. According to him, SmartLoader is typically installed alongside other payloads, such as the previously mentioned RedLine stealer.
Bleeping Computer reached out to GitHub and Microsoft about the issue but received no response. Over the past weekend, GitHub removed the malware associated with Microsoft repositories. However, the malicious files linked to httprouter and Aimmy remain available, and their URLs are still active.