Hackers create fake GitHub profiles to deliver malware through repositories

Hackers launched an elaborate but likely unsuccessful campaign to deceive cybersecurity professionals on the code-hosting platform GitHub and trick them into downloading malware, according to research published on Wednesday.

The group created fake profiles of real security researchers to promote code repositories that appear to house exploits for popular products like Chrome, Exchange, and Discord.

According to cybersecurity company VulnCheck, the threat actors behind these repositories have invested substantial effort into making them appear authentic. For instance, they created a network of Twitter accounts, masquerading as members of a fictitious company called High Sierra Cyber Security. They even used headshots of genuine researchers employed by major cybersecurity companies.

“Security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub,” VulnCheck researchers said.

Malicious repositories

In early May, VulnCheck researchers discovered a malicious repository on GitHub that purported to contain an undisclosed vulnerability in the Signal messaging app.

GitHub administrators promptly removed the repository from the platform. However, the following day, VulnCheck discovered a remarkably similar repository, supposedly containing a zero-day vulnerability for WhatsApp.

Throughout May, the VulnCheck researchers continued to uncover similar repositories.

The attackers created around seven GitHub accounts and four Twitter accounts, all posing as members of High Sierra Cyber Security. Each account contains a malicious repository claiming to be an exploit for popular tech services.

It remains unclear whether the hackers successfully delivered malware through GitHub's repositories. However, the researchers noted that the hackers' persistent pursuit of this attack method suggests that they believe in its potential for success.

GitHub & hackers

Cybersecurity experts told The Record that the results of this research are “not surprising.”

“Threat actors have learned that they can poison code repositories and get unsuspecting developers to do their work for them,” said Mike Parkin, senior technical engineer at Vulcan Cyber.

What's interesting about this method, according to Parkin, is that hackers are putting a lot of effort into the social side, making the publisher of the repository seem legitimate.

“This highlights something that's become very apparent with public repositories — always, always, vet the code you download for your projects,” he said.

The unknown exploits, particularly those where source code is unavailable for review, should only be downloaded and run in an isolated virtual machine or system set up for malware analysis, according to Georgia Weidman, a security architect at Zimperium. “When working with an unknown source, caution is key,” she added.

This is not the first time hackers have used GitHub to carry out attacks or deliver malware. In January, a group of pro-Russian hackers used the service to launch distributed denial-of-service attacks against Ukraine and several NATO countries.

Last year, GitHub discovered a vulnerability allowing attackers to take control of one of its repositories and potentially infect all applications and other code relying on it.