A GitHub flaw lets attackers upload executables that appear to be hosted on a company's official repo, such as Microsoft's—without the repo owner knowing anything about it.https://twitter.com/Ax_Sharma/status/1781706435115491409
The following URLs, for example, make it seem like these ZIPs are present on Microsoft's source code repo:
ttps://github . com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
ttps://github . com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
But they are not. These ZIPs are #malware .
An attacker, while commenting on any GitHub commit/PR, can "attach" a file that gets assigned a URL slug containing the name of the repo where the comment was made. Even if the comment is never actually posted or later deleted by the attacker, the link to the file remains live!
And, the repo owner (Microsoft in this case) would have no knowledge of or control over such files.
Threat actors have been abusing this flaw to distribute malicious executables under the false pretense that these are coming from credible organizations' code repos.
