GitHub Comments Abused to Spread Malware in Fake Microsoft Repositories

McAfee cybersecurity researchers have discovered a malicious scheme exploiting GitHub’s comment section, where threat actors host malware and disguise download links as legitimate Microsoft repositories. 

This incident reminds me of a similar event that occurred in June 2027, during which Russian hackers exploited the comment section of Britney Spears’ Instagram profile to host malware.

According to McAfee, cybercriminals have been exploiting GitHub’s file upload logic since February 2024 to host and distribute malware through automatically generated download links containing the repository owner’s name and ownership details.

These repositories contain password-stealing malware disguised as seemingly innocuous files.  More troubling, the repositories also included comments with download links crafted to mimic official Microsoft software repository URLs.

Screenshot: McAfee

GitHub’s comment feature stores files on its servers, creating real-time access links to them. This can trick potential victims into thinking they are clicking on a link from a trusted developer.  Users don’t need to send comments or bug reports as the file is already uploaded and available. 

What to do About it?

GitHub’s CDN files remain unchanged even after comments are posted or deleted, and downloaded URLs keep functioning. This issue allows threat actors to create sophisticated lures, as most software companies use GitHub and the file URL contains the repository name. 

Unfortunately, the only available solution is to disable comments, but this leads to more issues as legitimate users often report bugs or provide quality suggestions, and comments can only be disabled for up to six months at a time.

Why This Matters:

This deceptive tactic leverages the trusted nature of both GitHub and Microsoft. Users visiting these repositories might be tricked into downloading malware, believing they are getting legitimate Microsoft software.

This could have serious consequences, as downloaded malware could steal user credentials, compromise systems, steal browsing data and crypto funds or launch further attacks.

However, the good news is that according to Bleeping Computer, GitHub has removed the malware associated with Microsoft’s repositories.

How to Protect Yourself?

To protect yourself, download software directly from the developer’s official website, avoid clicking on links in comments or third-party websites, verify file hashes, and use a robust security solution with real-time malware scanning. If unsure about a download link, visit the official Microsoft website to ensure system safety.

Cyber Intelligence Team Manager at Cofense, Max Gannon, commented on the issue stating, “This is a very clever tactic for threat actors to take advantage of, especially because GitHub has provided no way for companies to mitigate the threat.“

“The only thing that can be done is for individuals to exercise caution when clicking any link, regardless of where it appears to go or who it appears to be from,“ For example, if you stopped and thought about it, a .zip file containing cheat software is not likely to be directly hosted on a Microsoft repository,“ Max explained.

RELATED TOPICS