More than one in every ten GitHub repositories sharing exploit proof-of-concepts could be holding some form of malware or malicious content, putting software developers and cybersecurity researchers at considerable risk, experts have found.
GitHub is used, among other things, to share proof-of-concept (PoC) exploits for various vulnerabilities. That helps researchers and developers verify existing fixes and make sure their products and endpoints are safe from risky flaws.
A report from researchers at the Leiden Institute of Advanced Computer Science, analyzing tens of thousands of such repositories, found that many were distributing fake PoCs that instead carried malware.
Trojans and Cobalt Strike beacons
During the experiment, researchers analyzed roughly 47,300 repositories claiming to be a PoC for a flaw discovered between 2017 and 2021.
They cross-referenced the IP addresses found in PoC code against public blocklists, VirusTotal and AbuseIPDB, ran VirusTotal checks on the provided executables and their hashes, and decoded obfuscated files before running the same binary and IP checks on the decoded content.
They found a total of 4,893 repositories that were malicious in one way or another. Of the 150,734 unique IP addresses extracted, 2,864 appeared on blocklists, 1,522 had previously been flagged by VirusTotal, and 1,069 were found in AbuseIPDB’s database. Analyzing the binaries in 6,160 executables, the researchers found 2,164 malicious samples, hosted in 1,398 repositories.
All in all, the probability of picking up malware instead of an actual PoC is around 10.3%, the researchers concluded. Victims can be infected by a myriad of things, from remote access trojans to Cobalt Strike beacons.
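The triage steps described above (extract IP addresses, decode obfuscated content, hash executables, cross-reference against blocklists and reputation services) can be reproduced in miniature for a single cloned repository. This is an added example, not code from the Leiden study or from BleepingComputer; the blocklists, the TEST-NET IP addresses and the "malicious" file contents are constructed stand-ins for real VirusTotal, AbuseIPDB and blocklist lookups, and the CVE identifier in the sample README is a placeholder.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path
# Constructed indicators standing in for real blocklist / VirusTotal / AbuseIPDB lookups.
IP_BLOCKLIST = {"203.0.113.45"}  # TEST-NET-3 address, constructed for this example
HASH_BLOCKLIST = {hashlib.sha256(b"MZ-constructed-malicious-sample").hexdigest()}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
EXEC_SUFFIXES = {".exe", ".dll", ".bin", ".elf"}

def extract_ips(text: str) -> set:
    """IPv4 addresses in raw text, plus any hidden inside decodable base64 blobs."""
    found = set(IPV4_RE.findall(text))
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.update(IPV4_RE.findall(decoded))
    return found

def triage_repo(repo: Path) -> dict:
    """Hash executables and extract IPs from everything else; report blocklist hits."""
    findings = {"all_ips": set(), "flagged_ips": set(), "flagged_hashes": set()}
    for path in repo.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if path.suffix.lower() in EXEC_SUFFIXES:
            digest = hashlib.sha256(data).hexdigest()
            if digest in HASH_BLOCKLIST:
                findings["flagged_hashes"].add(digest)
            continue
        ips = extract_ips(data.decode("utf-8", "ignore"))
        findings["all_ips"].update(ips)
        findings["flagged_ips"].update(ips & IP_BLOCKLIST)
    return findings

def demo() -> dict:
    """Build a constructed fake-PoC repository in a temp dir and triage it."""
    repo = Path(tempfile.mkdtemp())
    (repo / "README.md").write_text("PoC for CVE-XXXX-XXXX, tested against 192.0.2.10\n")
    hidden = base64.b64encode(b"stage2 callback -> 203.0.113.45 port 4444").decode()
    (repo / "exploit.py").write_text(f"payload = '{hidden}'\n")
    (repo / "helper.exe").write_bytes(b"MZ-constructed-malicious-sample")
    return triage_repo(repo)
```

The base64 pass is what catches the callback address in exploit.py: a plain regex over the raw file sees no IP at all, which is exactly why the researchers decoded obfuscated files before running their checks.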
After seeing the results, GitHub moved to remove the malicious content from its platform, but BleepingComputer found at least 60 examples are still pending removal.
Via: BleepingComputer