TrendMicro uncovers how attackers use GitHub Codespaces to hide malware delivery

Trend Micro discovered that attackers could take advantage of GitHub Codespaces, a new service that allows developers to create and test applications inside development containers hosted on GitHub’s servers.

It implies that threat actors are taking advantage of a legitimate feature in GitHub Codespaces to deliver malware to victim systems. Developers can normally make their applications available for others to preview via public GitHub URLs, a feature that can be abused to distribute malware payloads invisibly.

“If the application port is shared privately, browser cookies are used and required for authentication,” researchers from security firm Trend Micro said. “However, if ports are shared with the public (that is, without authentication or authentication context), attackers can abuse this feature to host malicious content such as scripts and malware samples.”

This GitHub feature allows developers more flexibility in code demonstrations, but according to Trend Micro, attackers can easily exploit it today to host malware on the platform.

The researchers show how GitHub Codespaces can be smoothly designed to act as a web server for spreading malicious content while possibly evading capture due to Microsoft traffic. Developers can use GitHub Codespaces to forward TCP ports to the public, allowing external users to test or view their applications.

When transmitting ports in a Codespace VM, the GitHub feature generates a URL to access the app running on that port, which can be set to private or public. To access the URL, a private port forward requires authentication in the form of a token or cookies. A public port, on the other hand, is open to anyone who knows the URL and does not require authentication.

The generated URL can then be used to access the hosted files, which could be used for phishing campaigns or to host malicious executables downloaded by other malware.

The sources for this piece include an article in TheHackerNews.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web