GitHub and GitLab allow developers to publish their source code and pre-built applications, and traditionally these platforms have been considered trusted sources for software downloads.
However, a recently discovered vulnerability allows attackers to upload malicious files disguised as legitimate ones so that they appear to be hosted within a developer’s repository, which bypasses the usual security measures and potentially compromises users who download these files.
These platforms are designed for collaborative software development, where developers can upload their code and others can suggest changes, bug fixes, or create forks (independent versions).
Users can report bugs (issues) with comments and screenshots; any files attached to those comments are stored on GitHub’s servers and accessed through links.
Figure: A download link for a malicious file is generated as soon as the file is attached to an unpublished (draft) comment on GitHub.
One unique aspect of GitHub is its handling of drafts (unpublished comments with uploaded files). Drafts are invisible to both the repository owner and other GitHub users.
The link to the uploaded file remains active and accessible via GitHub’s CDN (Content Delivery Network).
On both GitHub and GitLab, an attacker can upload malicious files into repository comments, which become a part of the version history and are impossible for the repository owner to delete.
On GitHub, disabling comments entirely is the only solution, but this hinders communication. GitLab partially mitigates the issue by requiring users to be logged in to upload files, but the uploaded files are still accessible to anyone with the link.
Attackers exploit a vulnerability in GitHub/GitLab where the file links from unpublished comments are publicly accessible; because these links carry the names of popular projects or developers, the files appear legitimate.
For instance, a malicious zip file named “Cheat.Lab.zip” might be uploaded as a comment in a Microsoft repository, which tricks users into trusting the link due to the association with a trusted entity.
More sophisticated attackers can even target specific apps and pose as updates distributed through these platforms.
The flaw allows unrestricted file uploads, making users vulnerable to malicious content. To mitigate this risk, avoid downloading files from external sources that link to GitHub/GitLab.
Instead, navigate directly to the project repository and confirm the file is listed; legitimate files from developers are typically published within the repository itself.
According to Kaspersky, vigilance ensures users download the intended content and reduces the possibility of malware infection.
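The advice above (confirm that a file is actually listed in the project repository rather than trusting any github.com link) can be automated. This is an added example, not code from the article or from Kaspersky: it classifies a github.com link by path shape and accepts it only if it matches a release asset the repository itself publishes. The comment-attachment URL patterns (`/<owner>/<repo>/files/<id>/<name>` and `/user-attachments/files/<id>/<name>`) are assumptions about GitHub’s current link format; the release-asset pattern is the one exposed as `browser_download_url` by the Releases API. The repository, tag, file names and asset list are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Assumed path shapes for github.com links (see lead-in). A release asset lives under
# /<owner>/<repo>/releases/download/<tag>/<name>; a file attached to a comment does not.
RELEASE_RE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/(?P<tag>[^/]+)/(?P<name>[^/]+)$")
COMMENT_RE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/\d+/(?P<name>[^/]+)$")
ATTACH_RE = re.compile(r"^/user-attachments/files/\d+/(?P<name>[^/]+)$")


def classify(url: str) -> str:
    """Return 'release', 'comment-attachment' or 'other' for a download link."""
    parts = urlparse(url)
    if parts.netloc.lower() != "github.com":
        return "other"
    if RELEASE_RE.match(parts.path):
        return "release"
    if COMMENT_RE.match(parts.path) or ATTACH_RE.match(parts.path):
        return "comment-attachment"
    return "other"


def is_published_asset(url: str, release_assets: list[dict]) -> bool:
    """True only if the link is a release asset the repository actually lists.

    release_assets mirrors the 'assets' entries returned by the GitHub Releases API
    (GET /repos/<owner>/<repo>/releases/latest); here it is constructed sample data.
    A comment attachment with the same file name still fails, because the full URL differs.
    """
    if classify(url) != "release":
        return False
    return any(asset.get("browser_download_url") == url for asset in release_assets)


# Constructed sample: the repository's real published asset.
SAMPLE_ASSETS = [
    {"name": "tool-1.2.0-win64.zip",
     "browser_download_url": "https://github.com/example-org/tool/releases/download/v1.2.0/tool-1.2.0-win64.zip"},
]
# Constructed links: the genuine release asset, and a same-named comment attachment under the same repo.
GOOD_LINK = "https://github.com/example-org/tool/releases/download/v1.2.0/tool-1.2.0-win64.zip"
SUSPECT_LINK = "https://github.com/example-org/tool/files/123456/tool-1.2.0-win64.zip"

if __name__ == "__main__":
    for link in (GOOD_LINK, SUSPECT_LINK):
        print(f"{classify(link):18} published={is_published_asset(link, SAMPLE_ASSETS)}  {link}")
```

In practice the asset list would come from the Releases API for the repository you navigated to yourself, not from the page that handed you the link.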
To avoid security risks when using open-source repositories, be cautious of typosquatting, where malicious actors create repositories with names similar to legitimate projects (e.g., Chaddev vs. Chatdev).
Scrutinize projects with low reputation scores and recent creation dates before downloading any applications, and also ensure comprehensive anti-malware and anti-phishing software is installed on all devices.