GitHub Flaw Could Allow Threat Actors to Distribute Malware on GitLab

A GitHub content delivery network (CDN) flaw abused by hackers to host and distribute malware could be exploited similarly on GitLab.

The vulnerability weaponizes URLs associated with Microsoft repositories to obfuscate malicious content and make it appear safe.

Microsoft GitHub URLs Weaponized in Comment Exploit

As BleepingComputer reported, most hosted rogue files revolved around Microsoft GitHub URLs. However, threat actors could use the exploit in conjunction with any other public GitHub or GitLab repository to trick unsuspecting victims into accessing the malicious content.

The principle behind this exploit is that GitHub comments can be used to push malware using GitHub’s CDN. Whenever someone leaves a comment on a pull request or commit, they can also attach a file, which gets uploaded to GitHub’s CDN and automatically associated with the related project.

Poisoning GitHub Comments with Malicious Attachments

In other words, appending a file to a comment on any repository will generate a URL, including the name of the repository, making it seem like the file is associated with it. If the repository is a trusted one, it could trick users into believing that the file is directly hosted within the repository, dodging suspicions of foul play.

To make matters worse, the comment doesn’t necessarily need to be posted for the link to be generated, as GitHub automatically creates the link whenever the file is uploaded, following this format:

https://www.github[.]com/{project_user}/{repo_name}/files/{file_id}/{file_name}

Thus, threat actors could exploit this shortcoming by creating comment drafts in popular, trusted repositories, extracting the unique generated URLs, and sharing them on other platforms. Even if the comment is posted and then deleted, the link to the file remains available.

GitLab Comments Prone to Being Poisoned the Same Way

As it turns out, GitLab is also affected by this issue, as its “comments” feature can be exploited in a similar fashion. Attaching files to comments on popular repositories generates a link that makes it appear that the document belongs to the repository.

Unlike GitHub, GitLab requires authentication to upload or download files, but simply creating an account could dodge this simplistic limitation. To add insult to injury, developers seem to have no way to manage or delete files that were maliciously attached to their projects through these poisoned comments.

Caution is Advised, but Using Security Software is Better

So far, neither affected party has addressed the situation. Caution is advised whenever downloading content that appears to originate from either GitHub or GitLab, especially using links found on third-party websites. Downloading files straight from the repository is your safest bet. Dedicated security software can help thwart threat actors’ attempts to compromise your security through poisoned links or other malicious means.

Bitdefender Ultimate Security can protect you from viruses, worms, spyware, Trojans, rootkits, zero-day exploits, ransomware, and other intrusions. It also encompasses advanced features such as network threat prevention that detects and blocks suspicious URLs and an advanced threat defense module that monitors active apps and blocks suspicious activities.