Malware lurking in “official” GitHub and GitLab links

Can you catch malware by downloading files from Microsoft’s repositories on GitHub? Turns out, you can. Stay alert!

How to protect yourself from phishing and malware on GitHub and GitLab

One of the oldest security tips is: “Only download software from official sources”. “Official sources” are usually the main app stores on each platform, but for millions of useful and free open-source apps, the most “official” source is the developer’s repository on a dedicated site such as GitHub or GitLab. There, you can find the project’s source code, fixes and additions to the code, and often a ready-to-use build of the app. These sites are familiar to anyone with even the slightest interest in computers, software, and programming. That’s why it was an unpleasant discovery for many (including IT security specialists and the developers themselves) that a file accessible at a link like github{.}com/{User_Name}/{Repo_Name}/files/{file_Id}/{file_name} could be published by someone other than the developer and contain… anything.

Of course, cybercriminals immediately took advantage of this.

Breaking down the problem

GitHub and its close relative GitLab are built around collaboration on software development projects. A developer can upload their code, and others can offer additions, fixes, or even create forks – alternative versions of the app or library. If a user finds a bug in an app, they can report it to the developer by creating an issue report. Other users can confirm the issue in the comments. You can also comment on new versions of the app. If necessary, you can attach files to the comments, such as screenshots showing the error or documents that crash the application. These files are stored on GitHub servers using links of the type described above.

However, GitHub has one peculiarity: if a user prepares a comment and uploads accompanying files, but doesn’t click “Publish”, the information remains “stuck” in the draft – and it’s invisible to both the application owner and other GitHub users. Nevertheless, a direct link to the file uploaded in the comment is created and fully operational, and anyone who follows it will receive the file from GitHub’s CDN.

A download link for a malicious file is generated after the file is added to an unpublished comment on GitHub

A download link for a malicious file is generated after the file is added to an unpublished comment on GitHub

Meanwhile, the owners of the repository where this file is posted in the comments cannot delete or block it. They don’t even know about it! There are also no settings to restrict the upload of such files for the repository as a whole. The only solution is to disable comments completely (on GitHub, you can do this for up to six months), but that would deprive developers of feedback.

GitLab’s commenting mechanism is similar, allowing files to be published via draft comments. The files are accessible via a link like{User_Name}/{Repo_Name}/uploads/{file_Id}/{file_name}.

However, the problem in this case is mitigated somewhat by the fact that only registered, logged-in GitLab users can upload files.

A gift for phishing campaigns

Thanks to the ability to publish arbitrary files at links starting with GitHub/GitLab and containing the names of respected developers and popular projects (because an unpublished comment with a file can be left in almost any repository), cybercriminals are presented with the opportunity to carry out very convincing phishing attacks. Malicious campaigns have already been discovered where “comments”, supposedly containing cheating apps for games, are left in Microsoft repositories.

A vigilant user might wonder why a gaming cheat would be in the Microsoft repository: https://github{.}com/microsoft/vcpkg/files/…../ But it’s much more likely that the keywords “GitHub” and “Microsoft” will reassure the victim, who won’t scrutinize the link any further. Smarter criminals might disguise their malware even more carefully, for example, by presenting it as a new version of an app distributed through GitHub or GitLab and posting links via “comments” on that app.

How to protect yourself from malicious content on GitHub and GitLab

While this design flaw remains unfixed and anyone can freely upload arbitrary files to the CDN of GitHub and GitLab, users of these platforms need to be extremely careful.

  • Do not download files from direct GitHub/GitLab links that you find in external sources – other websites, emails, or chats. Instead, open the project page (github{.}com/{User_Name}/{Repo_Name} or gitlab{.}com/{User_Name}/{Repo_Name}) and make sure that you can actually download the file from there. Official files from developers should be published and visible in the repository.
  • Make sure you’re on the right developer page – in GitHub, GitLab, and other open-source repositories, typosquatting is common: creating fake projects with names that differ from the original by one or two letters (for example, Chaddev instead of Chatdev).
  • Avoid downloading applications that have few stars (likes) and have been created recently.
  • Use protection against malware and phishing on all your computers and smartphones. Kaspersky Premium provides comprehensive protection for gamers and computer enthusiasts.