A series of malicious GitHub repositories masquerading as legitimate security research projects have been discovered.
VulnCheck researcher Jacob Baines shared the findings in a new advisory published today, saying the repositories claim to contain exploits for well-known products such as Chrome, Exchange and Discord.
“In early May, VulnCheck came across a malicious GitHub repository that claimed to be a Signal 0-day. The team reported the repository to GitHub, and it was quickly taken down. The same scenario continued throughout May.”
According to the security expert, the perpetrators went to great lengths to make their profiles appear genuine by creating a network of accounts and Twitter profiles, even using headshots of legitimate security researchers.
The repositories followed a similar pattern, luring users with promises of zero-day vulnerabilities. Upon closer inspection, it was revealed that the code within these repositories contained malicious implants.
Read more on malicious code found on GitHub: Researchers Uncover 7000 Malicious Open Source Packages
The repositories included Python scripts that would download and execute harmful binaries based on the victim’s operating system. The Windows binary reportedly had a high detection rate on VirusTotal, while the Linux binary was more discreet but still contained identifiable strings.
Baines said the motive behind these attacks remains unclear, but it is evidence that security researchers are prime targets for malicious actors.
“Security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. Always review the code you are executing, and don’t use anything you don't understand,” Baines concluded.
In a broader context, the increasing exploitation of GitHub repositories by malicious actors highlights the growing threat and the need for heightened security measures.
To delve deeper into this issue and understand the evolving threat landscape, you can read this article by Netskope cyber intelligence principal, Paolo Passeri, which explores the increasing exploitation of GitHub by state-sponsored threat actors.
Editorial image credit: Casimiro PT / Shutterstock.com