GitHub Codespaces has shown signs that it could become a primary vector for malware distribution. According to reports, researchers have explained how the feature's real-time code development and collaboration workflow can be abused to deliver malware.
Codespaces is a cloud-hosted development environment that provides pre-configured containers set up by developers for their projects. It lets developers write, modify, and run code from within a web browser.
The platform also allows developers to share a service running in their environment with external users through TCP port forwarding, for example for testing. When a user forwards a port in a Codespace, GitHub generates a URL through which the application listening on that port can be reached.
The developer can then choose to keep the forwarded port public or private. If the port is private, external users must authenticate with a token or cookies before they can access the URL.
Public ports, however, are accessible to everyone, and no authentication is required. Researchers demonstrated that threat actors could abuse this functionality to host malicious payloads on the platform.
Malware could infect numerous users through GitHub Codespaces.
Researchers published a proof of concept (PoC) detailing how a GitHub Codespace can be turned into a web server and used to spread malware.
In the PoC, an attacker runs a simple Python web server inside their Codespace, hosts malicious files on it, and exposes the web server's port for public access.
Anyone with the generated URL can then reach the publicly forwarded port and retrieve the malicious files without authentication. Potential malware can therefore be downloaded without drawing the attention of security defences.
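The defensive counterpart to the scenario above, as an added example that is not from the original article or the researchers' PoC: a small Python scanner that walks proxy-log lines and flags binary downloads from publicly forwarded Codespaces ports. It assumes forwarded ports are served from hostnames of the form `<codespace-name>-<port>.app.github.dev`; the log format and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: forwarded Codespaces ports are exposed on hostnames shaped like
# <codespace-name>-<port>.app.github.dev; the trailing number is the forwarded port.
CODESPACE_PORT_HOST = re.compile(
    r"^[a-z0-9-]+-(?P<port>\d{1,5})\.app\.github\.dev$", re.IGNORECASE
)

# Content types and extensions that indicate a downloaded binary rather than a page.
RISKY_TYPES = {
    "application/octet-stream", "application/x-msdownload",
    "application/x-dosexec", "application/x-executable", "application/zip",
}
RISKY_EXT = (".exe", ".dll", ".msi", ".ps1", ".sh", ".zip", ".bin")

# Constructed proxy log: "<timestamp> <client> <method> <url> <status> <content-type>".
SAMPLE_LOG = """\
2024-01-10T09:01:02Z 10.0.0.5 GET https://legit-site.example.com/index.html 200 text/html
2024-01-10T09:02:11Z 10.0.0.7 GET https://fuzzy-space-abc123-8000.app.github.dev/payload.exe 200 application/octet-stream
2024-01-10T09:03:40Z 10.0.0.9 GET https://fuzzy-space-abc123-8000.app.github.dev/ 200 text/html
2024-01-10T09:04:05Z 10.0.0.5 GET https://github.com/org/repo/archive/main.zip 302 text/html
"""


def find_codespace_port_downloads(log_text):
    """Return one finding per log line that fetched a binary from a forwarded Codespaces port."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; skip rather than crash the scan
        ts, client, method, url, status, ctype = parts[:6]
        split = urlsplit(url)
        match = CODESPACE_PORT_HOST.match(split.hostname or "")
        if not match:
            continue  # not a forwarded Codespaces port
        path = split.path.lower()
        if ctype.lower() in RISKY_TYPES or path.endswith(RISKY_EXT):
            findings.append({
                "time": ts, "client": client, "host": split.hostname,
                "port": int(match.group("port")), "path": path, "content_type": ctype,
            })
    return findings


if __name__ == "__main__":
    for hit in find_codespace_port_downloads(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} fetched {hit['path']} from port {hit['port']} on {hit['host']}")
```

Only the binary fetch is reported; the plain page load from the same forwarded port is left alone, which keeps the check focused on payload retrieval rather than on every visit to a Codespace.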
Furthermore, using Dev Containers could make it possible to spread malicious content more efficiently and more quickly.
Multiple threat groups have already adopted methods for exploiting shared hosting services to distribute malicious payloads. Developers and cloud security teams should weigh the risks associated with such public hosting platforms in order to reduce the exposure of users who trust those environments.