Loading video...

Video Failed to Load

Go Home

Weeks later... GitHub bug still dropping malware ๐Ÿ‘Œ

herrcore's profile picture

herrcore

15,060 subscribers

92,643 views โ€ข 2 years ago โ€ขvia X (Twitter)

LIVE

Anya Rossiโ€ข Live Now

Private livecam show

10 Comments

Bret Comnes's profile picture
Bret Comnes2 years ago

It doesn't end up "in the repo". It ends up in githubs image hosting backend thats associated with the repo.

herrcore's profile picture
herrcore2 years ago

Ah yeh maybe it's not clear in the clip, I'll just drop the full details below for clarity. Unlike the version control system "git", GitHub has many additional features, wiki, release, etc. all of them organized by "repository". One of the key GitHub features used by developers is the concept of a release, where compiled/bundled software "assets" can be downloaded from the repository. The typical assets download path follows. <github user>/<github repo>/releases/download/<assets> This bug/feature allows arbitrary uploads to the following paths on any <github repo>. <github user>/<github repo>/assets/<file> <github user>/<github repo>/files/<file> These paths are confusingly similar so what attackers have been doing is uploading malware in .ZIP files that look like release assets to large open source repositories. They then share the links as though they are the legit release links for the repository. It looks like GitHub did attempt to somewhat mitigate this by restricting the file types that can be uploaded, but they still allow .ZIP files which are often used for releases so the deception in the attack still works. Full attack which is still live is detailed here

Dennis Griffin's profile picture
Dennis Griffin2 years ago

I mean, it's clearly an s3 bucket, not the repo. Look at the URL after the redirect. Is it wierd? Yes Unexpected? Probably Dangerous? Potentially "In the repo"? Definitely not

herrcore's profile picture
herrcore2 years ago

Scroll down I already explained in detail

Robert Yates's profile picture
Robert Yates2 years ago

mimikatz ๐Ÿคฃ๐Ÿคฃ๐Ÿคฃ๐Ÿคฃ instant regret

Parth Prajapati's profile picture
Parth Prajapati2 years ago

I've been using this vulnerability to use Github's CDN for uploading images for my blog. I create an issue on my own repo and upload images and close the issue. I get nice free CDN.

smallshen's profile picture
smallshen2 years ago

Iโ€™ve found that last year, I ran my detection algorithm across nearly half million GitHub account and automatically detect malware related accounts. I contacted GitHub support say I can help, I shared them a google doc with details and updated list, they do shit and leave me.

Richard โจป's profile picture
Richard โจป2 years ago

@jedisct1 It always surprised me how little we see spam on GitHub considering how relaxed the content moderation is

The Cyber Post's profile picture
The Cyber Post2 years ago

Awesome find this is a really neat hack / workaround for phishing and or deriving payloads to people for sure dangerous esp around crypto stuff.

NiteLite's profile picture
NiteLite2 years ago

How do you fix this without breaking millions of links all over?

Related Videos

Chinese rj45 USB adapter malware??? Our line-by-line code analysis of the "malware" and a reasonable explanation for its strange delivery (part 1)
42:41

Chinese rj45 USB adapter malware??? Our line-by-line code analysis of the "malware" and a reasonable explanation for its strange delivery (part 1)

herrcore

28,722 views โ€ข 1 year ago

Automated AI Malware Reverse Engineering with MCPs for IDA and Ghidra Full VIBE RE livestream ๐Ÿ๏ธ
1:31:36

Automated AI Malware Reverse Engineering with MCPs for IDA and Ghidra Full VIBE RE livestream ๐Ÿ๏ธ

herrcore

26,362 views โ€ข 1 year ago

Who said anything about dropping belts two weeks later????
0:59

Who said anything about dropping belts two weeks later????

๐‘Ž๐‘—

61,016 views โ€ข 7 months ago

Weeks later, this is STILL incredibly awkward Mikie Sherrill
2:05

Weeks later, this is STILL incredibly awkward Mikie Sherrill

Jack Ciattarelli

34,964 views โ€ข 11 months ago

4 weeks later and iโ€™m still completely obsessed with his voice
1:07

4 weeks later and iโ€™m still completely obsessed with his voice

๐“†ฐbryn๐“†ช ๐Ÿ“๐Ÿ’ช

36,920 views โ€ข 6 days ago

She ended him so bad heโ€™s STILL talking about it weeks later
0:22

She ended him so bad heโ€™s STILL talking about it weeks later

miniโท โœฟ

110,052 views โ€ข 22 days ago

Two weeks later, Iโ€™m still here and donโ€™t want to move !! ๐Ÿ†๐Ÿฅน
0:40

Two weeks later, Iโ€™m still here and donโ€™t want to move !! ๐Ÿ†๐Ÿฅน

Yo Yo Funny Singh

341,322 views โ€ข 1 year ago

Lil Wayne - Blowing Up Fast (2005) 20 years later and heโ€™s still dropping heat๐Ÿ
0:33

Lil Wayne - Blowing Up Fast (2005) 20 years later and heโ€™s still dropping heat๐Ÿ

liltunechi_classics on IG

39,346 views โ€ข 1 year ago

20 years later, Bad BOBI WINEโ€™s freestyle game is still unmatched ๐Ÿ‘Œ #ZzinaLifeStyle
0:27

20 years later, Bad BOBI WINEโ€™s freestyle game is still unmatched ๐Ÿ‘Œ #ZzinaLifeStyle

100.2 Galaxy FM Zzina!

73,312 views โ€ข 1 year ago

Almost a year later and bro the Nur Khan airbase strikes are still dropping new angles ๐Ÿ’€
0:25

Almost a year later and bro the Nur Khan airbase strikes are still dropping new angles ๐Ÿ’€

Victorforce

32,106 views โ€ข 2 months ago

3 weeks later , I'm still watching NFL Draft phone call videos. My happy place. Here's Jalen Huskey, pick 100.
0:36

3 weeks later , I'm still watching NFL Draft phone call videos. My happy place. Here's Jalen Huskey, pick 100.

Peter Schrager

75,079 views โ€ข 24 days ago

fixed sprint bug thank god ๐Ÿ™ but still one more bug! Hogman Fortnite Status
1:06

fixed sprint bug thank god ๐Ÿ™ but still one more bug! Hogman Fortnite Status

cooper

175,239 views โ€ข 6 months ago

Several Weeks Later
0:51

Several Weeks Later

Mary L Trump

17,249 views โ€ข 1 month ago

VERY excited for 28 Years Later. I still think about the opening of 28 Weeks Later regularly; terrifying, tragic, and nasty. Best zombie sequence ever, for my money.
2:20

VERY excited for 28 Years Later. I still think about the opening of 28 Weeks Later regularly; terrifying, tragic, and nasty. Best zombie sequence ever, for my money.

Cameron Frew

3,109,871 views โ€ข 1 year ago

PentestAgent: An AI agent framework for black-box security testing, supporting bug bounty, red-team, and penetration testing workflows GitHub:
1:00

PentestAgent: An AI agent framework for black-box security testing, supporting bug bounty, red-team, and penetration testing workflows GitHub:

Dark Web Informer

15,659 views โ€ข 5 months ago

What started as a late-night idea turned into npmx: a fast, modern browser for the npm registry. Two weeks later? Over 1,000 contributions. ๐Ÿ‘€ Here's the story on this (overnight?) open source success. โ–ถ๏ธ
1:03

What started as a late-night idea turned into npmx: a fast, modern browser for the npm registry. Two weeks later? Over 1,000 contributions. ๐Ÿ‘€ Here's the story on this (overnight?) open source success. โ–ถ๏ธ

GitHub

45,624 views โ€ข 2 months ago

Today we released a new stable version of DRAKVUF Sandbox v0.19.0 ๐ŸŽ‰โ€“ a project that leverages the DRAKVUF system for agentless malware analysis. Detailed release notes can be found on our Github:
0:24

Today we released a new stable version of DRAKVUF Sandbox v0.19.0 ๐ŸŽ‰โ€“ a project that leverages the DRAKVUF system for agentless malware analysis. Detailed release notes can be found on our Github:

CERT Polska

10,519 views โ€ข 10 months ago

Two weeks later: ๐Ÿคฃ๐Ÿคฃ
1:18

Two weeks later: ๐Ÿคฃ๐Ÿคฃ

Man of Letters.

46,831 views โ€ข 27 days ago

I built ./SECORA : Bug Bounty Hunter's Terminal With SECORA, you don't have to open multiple pane in your terminal to run bug bounty automation tools, it helps you run multiple tools at the same time !!! Github :
2:06

I built ./SECORA : Bug Bounty Hunter's Terminal With SECORA, you don't have to open multiple pane in your terminal to run bug bounty automation tools, it helps you run multiple tools at the same time !!! Github :

Gospel

29,979 views โ€ข 1 year ago