Interesting social-engineering attack vector:

McAfee released a report on a new Lua malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg.

The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.

What this means is that someone can upload malware and “attach” it to a legitimate and trusted project.

As the file’s URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.

For example, a threat actor could upload a malware executable in NVIDIA’s driver installer repo that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it’s a new test version of the web browser.

These URLs would also appear to belong to the company’s repositories, making them far more trustworthy.
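The practical check that follows from this is not "does the URL live under a trusted organization's repo" but "which part of that repo does the path point at". Content the maintainers committed sits under paths such as /blob/, /raw/, /releases/download/ or on raw.githubusercontent.com; a comment attachment sits under /files/<id>/ or /assets/<id>/ directly beneath the owner/repo prefix, and anyone with a GitHub account can create one. The script below is an added example (not part of the original post, the McAfee report, or GitHub's own tooling) that classifies URLs on that basis so they can be flagged in a mail filter or phishing triage. The path shapes it keys on, the github.com/user-attachments/ prefix, and every sample URL are assumptions constructed for illustration; none of the sample identifiers refer to a real upload.

```python
"""Classify GitHub URLs as repository content vs. comment attachments.

Added example; not from the original post or any GitHub tool.
Assumed URL shapes (verify against current GitHub behaviour):
  comment attachment : github.com/<owner>/<repo>/files/<id>/<name>
                       github.com/<owner>/<repo>/assets/<id>/<uuid>
                       github.com/user-attachments/files/<id>/<name>   (no repo name at all)
  repository content : github.com/<owner>/<repo>/{blob,raw,tree,archive}/...
                       github.com/<owner>/<repo>/releases/download/...
                       raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
"""
import re
from urllib.parse import urlparse

GITHUB_HOSTS = {"github.com", "www.github.com"}

# Path shapes, relative to /<owner>/<repo>/, that the repository owner controls.
REPO_CONTENT = re.compile(r"^(blob|raw|tree|archive|releases/download)(/|$)")
# Path shapes, relative to /<owner>/<repo>/, that any GitHub user can create
# by attaching a file to an issue, pull request or discussion comment.
COMMENT_ATTACHMENT = re.compile(r"^(files|assets)/\d+/")


def classify_github_url(url: str) -> dict:
    """Return owner/repo and a kind: repo_content, comment_attachment,
    unknown, or not_github. 'attachment' is True only for comment uploads."""
    p = urlparse(url)
    host = p.netloc.lower()
    parts = [s for s in p.path.split("/") if s]
    result = {"url": url, "owner": None, "repo": None,
              "kind": "not_github", "attachment": False}

    if host == "raw.githubusercontent.com":
        # raw.githubusercontent.com/<owner>/<repo>/<ref>/<path> serves committed files.
        if len(parts) >= 4:
            result.update(owner=parts[0], repo=parts[1], kind="repo_content")
        else:
            result["kind"] = "unknown"
        return result

    if host not in GITHUB_HOSTS:
        return result
    if len(parts) < 2:
        result["kind"] = "unknown"
        return result

    # Assumed newer attachment prefix: carries no repository name, so the lure
    # loses its borrowed brand but the file is still an arbitrary user upload.
    if parts[0] == "user-attachments":
        result.update(kind="comment_attachment", attachment=True)
        return result

    owner, repo = parts[0], parts[1]
    rest = "/".join(parts[2:])
    result.update(owner=owner, repo=repo)
    if COMMENT_ATTACHMENT.match(rest):
        # The repo name in the URL says nothing about who uploaded this file.
        result.update(kind="comment_attachment", attachment=True)
    elif REPO_CONTENT.match(rest):
        result["kind"] = "repo_content"
    else:
        result["kind"] = "unknown"
    return result


def flag_untrusted_attachments(urls):
    """Return the classification records for URLs that are comment uploads,
    i.e. files whose apparent owner/repo did not necessarily publish them."""
    return [r for r in map(classify_github_url, urls) if r["attachment"]]


# Constructed sample input: fictional organization, repo and upload ids.
SAMPLE_URLS = [
    "https://github.com/example-org/example-repo/blob/main/README.md",
    "https://github.com/example-org/example-repo/releases/download/v1.0/tool.tar.gz",
    "https://github.com/example-org/example-repo/files/1234567/Driver.Update.zip",
    "https://raw.githubusercontent.com/example-org/example-repo/main/src/a.c",
    "https://github.com/example-org/example-repo/assets/1234567/0a1b2c3d-e4f5-6789-abcd-ef0123456789",
    "https://example.com/example-org/example-repo/files/1234567/x.zip",
]

if __name__ == "__main__":
    for r in map(classify_github_url, SAMPLE_URLS):
        print(f"{r['kind']:<19} {r['url']}")
```

Run on the constructed list, the two /files/ and /assets/ URLs are the only ones flagged, even though every github.com URL shares the same example-org/example-repo prefix. That is the distinction a lure built this way relies on the reader not making, so it is the one a filter has to make explicitly rather than trusting the domain or the organization name.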
