Hackers have found a way to upload malware onto the GitHub platform and even make it appear as if it is being hosted and distributed by other trusted developers. McAfee, a company specializing in information security, reported this.
;
As McAfee emphasized, most malware uses Microsoft GitHub URLs, moreover, this «disadvantage» security systems can be used in any public repository on GitHub.
A report from McAfee reveals a new malware downloader called LUA, distributed via what appears to be Microsoft's GitHub repository. The URLs of the malware installers indicate that they belong to the Microsoft repository, which, however, is not true. As it turned out, in this way you can fake a connection not only with the Microsoft repository, but also with any other developer or company with a good reputation.
The attackers used an unusual scheme, using the file upload mechanism in GitHub comments. However, there is little that victim companies can do to protect themselves from this. The only solution so far — disable comments altogether, but this causes more problems than it solves. Non-malware users often come to the comments section to report bugs or make suggestions for the project. Moreover, comments can be disabled for a maximum of six months at a time.
GitHub — the largest web service for hosting IT projects and their joint development, which came under the wing of Microsoft in 2018.