
Weeks later... GitHub bug still dropping malware 👌

92,643 views • 2 years ago • via X (Twitter)

10 Comments

Bret Comnes • 2 years ago

It doesn't end up "in the repo". It ends up in GitHub's image hosting backend that's associated with the repo.

herrcore • 2 years ago

Ah yeah, maybe it's not clear in the clip, I'll just drop the full details below for clarity. Unlike the version control system "git", GitHub has many additional features (wiki, releases, etc.), all of them organized by "repository". One of the key GitHub features used by developers is the concept of a release, where compiled/bundled software "assets" can be downloaded from the repository. The typical assets download path follows:

<github user>/<github repo>/releases/download/<assets>

This bug/feature allows arbitrary uploads to the following paths on any <github repo>:

<github user>/<github repo>/assets/<file>
<github user>/<github repo>/files/<file>

These paths are confusingly similar, so what attackers have been doing is uploading malware in .ZIP files that look like release assets to large open source repositories. They then share the links as though they are the legit release links for the repository. It looks like GitHub did attempt to somewhat mitigate this by restricting the file types that can be uploaded, but they still allow .ZIP files, which are often used for releases, so the deception in the attack still works. The full attack, which is still live, is detailed here.
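The path confusion described in the comment above is easy to check for mechanically. The following is an added example (not code from the video or from GitHub) that a defender could drop into a link filter: it classifies a github.com URL as a genuine release download, a user-uploaded attachment under the /assets/ or /files/ paths, or something else, and flags attachments that carry a release-style .zip filename. All sample links are constructed and point at a made-up repository.

```python
"""Classify GitHub links: real release assets vs. user-uploaded attachments
served under the confusingly similar /assets/ and /files/ paths.
Added defender-side example; not GitHub's own code."""
from urllib.parse import urlparse

ATTACHMENT_SECTIONS = {"assets", "files"}  # upload paths named in the comment


def classify_github_link(url: str) -> str:
    """Return 'release', 'attachment', 'other-github' or 'not-github'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in ("github.com", "www.github.com"):
        return "not-github"
    parts = [p for p in parsed.path.split("/") if p]
    # A repository path always starts with <user>/<repo>/<section>.
    if len(parts) < 3:
        return "other-github"
    section = parts[2]
    # Genuine release asset: <user>/<repo>/releases/download/<tag>/<file>
    if section == "releases" and len(parts) >= 5 and parts[3] == "download":
        return "release"
    # Arbitrary upload path: <user>/<repo>/assets/<file> or /files/<file>
    if section in ATTACHMENT_SECTIONS:
        return "attachment"
    return "other-github"


def flag_lookalike_attachments(urls):
    """Return attachments whose last path segment looks like a release
    bundle (.zip), i.e. the lure the comment describes."""
    flagged = []
    for url in urls:
        if classify_github_link(url) != "attachment":
            continue
        filename = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if filename.endswith(".zip"):
            flagged.append(url)
    return flagged


# Constructed sample links (hypothetical repository, not real files).
SAMPLE_LINKS = [
    "https://github.com/example-org/example-tool/releases/download/v1.2.0/example-tool-1.2.0.zip",
    "https://github.com/example-org/example-tool/files/67890/example-tool-1.2.0.zip",
    "https://github.com/example-org/example-tool/assets/12345/screenshot.png",
    "https://github.com/example-org/example-tool/issues/42",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_github_link(link), link)
    print("lookalike release bundles:", flag_lookalike_attachments(SAMPLE_LINKS))
```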

Dennis Griffin • 2 years ago

I mean, it's clearly an S3 bucket, not the repo. Look at the URL after the redirect. Is it weird? Yes. Unexpected? Probably. Dangerous? Potentially. "In the repo"? Definitely not.

herrcore • 2 years ago

Scroll down, I already explained in detail.

Robert Yates • 2 years ago

mimikatz 🤣🤣🤣🤣 instant regret

Parth Prajapati • 2 years ago

I've been using this vulnerability to use GitHub's CDN for uploading images for my blog. I create an issue on my own repo, upload images, and close the issue. I get a nice free CDN.

smallshen • 2 years ago

I found that last year. I ran my detection algorithm across nearly half a million GitHub accounts and automatically detected malware-related accounts. I contacted GitHub support to say I could help, and I shared a Google Doc with details and an updated list; they did shit and left me.

Richard ⨻ • 2 years ago

@jedisct1 It always surprised me how little spam we see on GitHub considering how relaxed the content moderation is.

The Cyber Post • 2 years ago

Awesome find, this is a really neat hack / workaround for phishing and/or delivering payloads to people, for sure dangerous, esp. around crypto stuff.

NiteLite • 2 years ago

How do you fix this without breaking millions of links all over?
