Video wird geladen...

Video konnte nicht geladen werden

Zur Startseite

Weeks later... GitHub bug still dropping malware 👌

herrcore's profile picture

herrcore

15,060 subscribers

92,643 Aufrufe • vor 2 Jahren •via X (Twitter)

LIVE

Anya Rossi• Live Now

Private livecam show

10 Kommentare

Profilbild von Bret Comnes
Bret Comnesvor 2 Jahren

It doesn't end up "in the repo". It ends up in githubs image hosting backend thats associated with the repo.

Profilbild von herrcore
herrcorevor 2 Jahren

Ah yeh maybe it's not clear in the clip, I'll just drop the full details below for clarity. Unlike the version control system "git", GitHub has many additional features, wiki, release, etc. all of them organized by "repository". One of the key GitHub features used by developers is the concept of a release, where compiled/bundled software "assets" can be downloaded from the repository. The typical assets download path follows. <github user>/<github repo>/releases/download/<assets> This bug/feature allows arbitrary uploads to the following paths on any <github repo>. <github user>/<github repo>/assets/<file> <github user>/<github repo>/files/<file> These paths are confusingly similar so what attackers have been doing is uploading malware in .ZIP files that look like release assets to large open source repositories. They then share the links as though they are the legit release links for the repository. It looks like GitHub did attempt to somewhat mitigate this by restricting the file types that can be uploaded, but they still allow .ZIP files which are often used for releases so the deception in the attack still works. Full attack which is still live is detailed here

Profilbild von Dennis Griffin
Dennis Griffinvor 2 Jahren

I mean, it's clearly an s3 bucket, not the repo. Look at the URL after the redirect. Is it wierd? Yes Unexpected? Probably Dangerous? Potentially "In the repo"? Definitely not

Profilbild von herrcore
herrcorevor 2 Jahren

Scroll down I already explained in detail

Profilbild von Robert Yates
Robert Yatesvor 2 Jahren

mimikatz 🤣🤣🤣🤣 instant regret

Profilbild von Parth Prajapati
Parth Prajapativor 2 Jahren

I've been using this vulnerability to use Github's CDN for uploading images for my blog. I create an issue on my own repo and upload images and close the issue. I get nice free CDN.

Profilbild von smallshen
smallshenvor 2 Jahren

I’ve found that last year, I ran my detection algorithm across nearly half million GitHub account and automatically detect malware related accounts. I contacted GitHub support say I can help, I shared them a google doc with details and updated list, they do shit and leave me.

Profilbild von Richard ⨻
Richard ⨻vor 2 Jahren

@jedisct1 It always surprised me how little we see spam on GitHub considering how relaxed the content moderation is

Profilbild von The Cyber Post
The Cyber Postvor 2 Jahren

Awesome find this is a really neat hack / workaround for phishing and or deriving payloads to people for sure dangerous esp around crypto stuff.

Profilbild von NiteLite
NiteLitevor 2 Jahren

How do you fix this without breaking millions of links all over?

Ähnliche Videos

Chinese rj45 USB adapter malware??? Our line-by-line code analysis of the "malware" and a reasonable explanation for its strange delivery (part 1)
42:41

Chinese rj45 USB adapter malware??? Our line-by-line code analysis of the "malware" and a reasonable explanation for its strange delivery (part 1)

herrcore

28,722 Aufrufe • vor 1 Jahr

Automated AI Malware Reverse Engineering with MCPs for IDA and Ghidra Full VIBE RE livestream 🏝️
1:31:36

Automated AI Malware Reverse Engineering with MCPs for IDA and Ghidra Full VIBE RE livestream 🏝️

herrcore

26,362 Aufrufe • vor 1 Jahr

Who said anything about dropping belts two weeks later????
0:59

Who said anything about dropping belts two weeks later????

𝑎𝑗

61,016 Aufrufe • vor 7 Monaten

Weeks later, this is STILL incredibly awkward Mikie Sherrill
2:05

Weeks later, this is STILL incredibly awkward Mikie Sherrill

Jack Ciattarelli

34,964 Aufrufe • vor 11 Monaten

4 weeks later and i’m still completely obsessed with his voice
1:07

4 weeks later and i’m still completely obsessed with his voice

𓆰bryn𓆪 🍓💪

36,920 Aufrufe • vor 6 Tagen

She ended him so bad he’s STILL talking about it weeks later
0:22

She ended him so bad he’s STILL talking about it weeks later

mini⁷ ✿

110,052 Aufrufe • vor 22 Tagen

Two weeks later, I’m still here and don’t want to move !! 🏆🥹
0:40

Two weeks later, I’m still here and don’t want to move !! 🏆🥹

Yo Yo Funny Singh

341,322 Aufrufe • vor 1 Jahr

Lil Wayne - Blowing Up Fast (2005) 20 years later and he’s still dropping heat🐐
0:33

Lil Wayne - Blowing Up Fast (2005) 20 years later and he’s still dropping heat🐐

liltunechi_classics on IG

39,346 Aufrufe • vor 1 Jahr

20 years later, Bad BOBI WINE’s freestyle game is still unmatched 👌 #ZzinaLifeStyle
0:27

20 years later, Bad BOBI WINE’s freestyle game is still unmatched 👌 #ZzinaLifeStyle

100.2 Galaxy FM Zzina!

73,312 Aufrufe • vor 1 Jahr

Almost a year later and bro the Nur Khan airbase strikes are still dropping new angles 💀
0:25

Almost a year later and bro the Nur Khan airbase strikes are still dropping new angles 💀

Victorforce

32,106 Aufrufe • vor 2 Monaten

3 weeks later , I'm still watching NFL Draft phone call videos. My happy place. Here's Jalen Huskey, pick 100.
0:36

3 weeks later , I'm still watching NFL Draft phone call videos. My happy place. Here's Jalen Huskey, pick 100.

Peter Schrager

75,079 Aufrufe • vor 23 Tagen

fixed sprint bug thank god 🙏 but still one more bug! Hogman Fortnite Status
1:06

fixed sprint bug thank god 🙏 but still one more bug! Hogman Fortnite Status

cooper

175,239 Aufrufe • vor 6 Monaten

Several Weeks Later
0:51

Several Weeks Later

Mary L Trump

17,249 Aufrufe • vor 1 Monat

VERY excited for 28 Years Later. I still think about the opening of 28 Weeks Later regularly; terrifying, tragic, and nasty. Best zombie sequence ever, for my money.
2:20

VERY excited for 28 Years Later. I still think about the opening of 28 Weeks Later regularly; terrifying, tragic, and nasty. Best zombie sequence ever, for my money.

Cameron Frew

3,109,871 Aufrufe • vor 1 Jahr

PentestAgent: An AI agent framework for black-box security testing, supporting bug bounty, red-team, and penetration testing workflows GitHub:
1:00

PentestAgent: An AI agent framework for black-box security testing, supporting bug bounty, red-team, and penetration testing workflows GitHub:

Dark Web Informer

15,659 Aufrufe • vor 5 Monaten

What started as a late-night idea turned into npmx: a fast, modern browser for the npm registry. Two weeks later? Over 1,000 contributions. 👀 Here's the story on this (overnight?) open source success. ▶️
1:03

What started as a late-night idea turned into npmx: a fast, modern browser for the npm registry. Two weeks later? Over 1,000 contributions. 👀 Here's the story on this (overnight?) open source success. ▶️

GitHub

45,624 Aufrufe • vor 2 Monaten

Today we released a new stable version of DRAKVUF Sandbox v0.19.0 🎉– a project that leverages the DRAKVUF system for agentless malware analysis. Detailed release notes can be found on our Github:
0:24

Today we released a new stable version of DRAKVUF Sandbox v0.19.0 🎉– a project that leverages the DRAKVUF system for agentless malware analysis. Detailed release notes can be found on our Github:

CERT Polska

10,519 Aufrufe • vor 10 Monaten

Two weeks later: 🤣🤣
1:18

Two weeks later: 🤣🤣

Man of Letters.

46,831 Aufrufe • vor 26 Tagen

I built ./SECORA : Bug Bounty Hunter's Terminal With SECORA, you don't have to open multiple pane in your terminal to run bug bounty automation tools, it helps you run multiple tools at the same time !!! Github :
2:06

I built ./SECORA : Bug Bounty Hunter's Terminal With SECORA, you don't have to open multiple pane in your terminal to run bug bounty automation tools, it helps you run multiple tools at the same time !!! Github :

Gospel

29,979 Aufrufe • vor 1 Jahr