Threat actors are employing innovative tactics, using GitHub for malicious activities such as abusing secret Gists and issuing malicious commands through git commit messages. This strategy allows them to host malware on GitHub, making detection and response more challenging. The abuse of GitHub Gists, both public and secret, has become a trend, enabling threat actors to blend their malicious network traffic with genuine communications within compromised networks.
Additionally, threat actors exploit version control system features, using git commit messages to extract and execute commands for system manipulation. The use of GitHub as a command-and-control (C2) infrastructure is not a new phenomenon, but the abuse of features like Git Gists and commit messages for command delivery represents a novel approach by malicious actors. Legitimate public services have long been utilized by threat actors to host malware, offering an inexpensive and reliable means to create attack infrastructure.
GitHub’s inclusion in this trend raises concerns, especially with the exploitation of secret Gists, which are not displayed on the author’s GitHub profile, allowing them to act as a covert pastebin service for threat actors. Researchers have identified PyPI packages masquerading as network proxying libraries that contained Base64-encoded URLs pointing to secret Gists hosted on GitHub.
These Gists contained encoded commands executed through malicious code, highlighting the multifaceted use of GitHub in cyber threats. The exploitation of GitHub for malicious purposes demonstrates the evolving tactics employed by cybercriminals, necessitating increased vigilance and cybersecurity measures, particularly within industries prone to targeted attacks.