Can people put malware on GitHub?
Once an account is compromised, malicious actors can abuse legitimate GitHub accounts to create a malware file server.
The ReversingLabs threat research team has recently observed the increasing use of the GitHub open source development platform for hosting malware.
The binary analysis examined a set of 6,160 executables and revealed a total of 2,164 malicious samples hosted in 1,398 repositories. In total, 4,893 repositories out of the 47,313 tested were deemed malicious, with most of them concerning vulnerabilities from 2020.
Whether on-premise or in the cloud, data can be vulnerable to accidental deletion, malware, corruption, and other security threats. As a cloud-based service, GitHub is not immune to these threats.
In general, GitHub is a secure developer platform, but as Fox Mulder and I like to say, trust no one. Just like with any download, you want to be sure you can trust the source before you click. The good news: GitHub offers tools to examine code for any malware or vulnerabilities.
It is unsurprising to find malware hosted on GitHub. GitHub is a free website specifically geared towards hosting and deploying code for millions of people and organizations, which makes it an ideal location for malicious actors to hide their own code.
GitHub Pages is not intended for or allowed to be used as a free web-hosting service to run your online business, e-commerce site, or any other website that is primarily directed at either facilitating commercial transactions or providing commercial software as a service (SaaS).
Additionally, the ability to easily create fake repositories within GitHub and to push them as “pull requests” – which sends a notification to developers about changes made to branches – makes GitHub a commonly targeted platform for hackers to deploy malware.
GitHub has security features that help keep code and secrets secure in repositories and across organizations. Some features are available for repositories on all plans. Additional features are available to enterprises that use GitHub Advanced Security.
Checkmarx researchers discovered a new vulnerability in GitHub that could have exposed over 4,000 packages to repojacking attacks.
How do I protect my GitHub?
- About authentication to GitHub.
- Creating a strong password.
- Switching between accounts.
- Updating your GitHub access credentials.
- Managing your personal access tokens.
- Reviewing your SSH keys.
- Reviewing your deploy keys.
- Token expiration and revocation.
An attacker can exfiltrate any stolen secrets or other data from the runner. To help prevent accidental secret disclosure, GitHub Actions automatically redacts secrets printed to the log, but this is not a true security boundary because secrets can be intentionally sent to the log.
GitHub Actions is an attractive solution to automate tasks and run tests. Integrating Actions into GitHub repositories, however, can add to an organization's risk surface. One area of concern is noted below:
- Third-party actions: the third-party Action used could potentially run malicious code.
About repository visibility
Public repositories are accessible to everyone on the internet. Private repositories are only accessible to you, people you explicitly share access with, and, for organization repositories, certain organization members. For more information, see the GitHub Enterprise Cloud documentation.
A GitHub Actions workflow typically runs third-party code through build tools, software dependencies, and third-party GitHub Actions. For these reasons, GitHub Actions is a high-risk environment. You must use an effective runtime security solution in your GitHub Actions environment to prevent supply chain attacks.
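One defensive check a practitioner would want for the third-party action risk described above, added here as an example that is not from the original page or from GitHub itself: a small Python script that flags `uses:` references in a workflow that are not pinned to a full commit SHA, so a moved tag or branch cannot silently swap in different code. The workflow text, vendor names and SHA are constructed, and treating `actions/` and `github/` as first-party is an assumption.

```python
import re

# Constructed sample workflow (not from any real repository) mixing SHA-pinned,
# tag-pinned, branch-pinned, local and first-party action references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-setup
      - uses: some-vendor/setup-tool@main
      - uses: another-org/lint-action@8f4b7f0b6c7e1d2a3b4c5d6e7f8091a2b3c4d5e6
      - uses: docker://alpine:3.19
      - run: make test
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# Assumption: these prefixes are treated as first-party (lower risk) but still reported.
FIRST_PARTY = ("actions/", "github/")


def audit_action_pins(workflow_text):
    """Return (line, action, kind, detail) for every 'uses:' reference that is not
    pinned to a full commit SHA. Local (./) and docker:// references are skipped
    because they are not GitHub-hosted actions resolved by tag or branch."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if FULL_SHA.match(version):
            continue  # immutable: re-pointing a tag or branch cannot change this code
        kind = "first-party" if action.startswith(FIRST_PARTY) else "third-party"
        detail = f"mutable ref '{version}'" if version else "unpinned"
        findings.append((lineno, action, kind, detail))
    return findings


if __name__ == "__main__":
    for lineno, action, kind, detail in audit_action_pins(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind} action {action} uses {detail}; pin to a full commit SHA")
```

Run it as a pre-merge check over `.github/workflows/*.yml`; the two findings it reports on the sample are the tag-pinned first-party checkout and the branch-pinned third-party tool.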
GitHub claims it is used by over 4 million organizations and more than 100 million developers [2]. Read on to learn about the characteristics that contribute to its popularity.
Limited customization: GitHub Pages uses Jekyll, a static site generator, which can be limiting if you want to do more advanced customization of your site. No support for server-side code: Because GitHub Pages generates static HTML files, you cannot use server-side languages like PHP or Ruby.
GitHub Pages is GitHub's answer to project pages, and it allows you to serve any static website straight from your repository. Since GitHub Pages supports custom domains, you can host a static website on GitHub Pages free of charge, with deploys straight from Git.
We do not sell your personal information and we do not display advertising on GitHub.
Enhanced Collaboration
The single biggest selling point of GitHub is its set of project collaboration features, including version control and access control. To illustrate what's possible with GitHub, imagine this scenario.
Why is GitHub asking for a password?
If Git prompts you for a username and password every time you try to interact with GitHub, you're probably using the HTTPS clone URL for your repository. Using an HTTPS remote URL has some advantages compared with using SSH. It's easier to set up than SSH, and usually works through strict firewalls and proxies.
GitHub does not target our Service to children under 13, and we do not permit any Users under 13 on our Service.
GitHub scans repositories for known secret formats to prevent fraudulent use of credentials that were committed accidentally. Secret scanning happens by default on public repositories and public npm packages. Repository administrators and organization owners can also enable secret scanning on private repositories.
- Select the minimum permissions required. ...
- Stay under the rate limit. ...
- Secure your app's credentials. ...
- Use the appropriate token type. ...
- Validate organization access for every new authentication. ...
- Expire tokens. ...
- Cache tokens.
So, in order to steal it, they would have to close the source or not credit you. If you don't want to open your source, you probably want to use git on its own or as part of an IDE and back it up to iCloud or OneDrive. But one thing I can tell you is to always make your code readable.
References
- https://securityaffairs.com/150713/hacking/repojacking-attack-github-repositories.html
- https://docs.github.com/en/get-started/getting-started-with-git/why-is-git-always-asking-for-my-password
- https://docs.github.com/repositories/creating-and-managing-repositories/about-repositories
- https://docs.github.com/site-policy/privacy-policies/github-privacy-statement
- https://www.quora.com/What-are-the-benefits-and-drawbacks-of-using-GitHub-pages-for-your-personal-portfolio-site
- https://docs.github.com/site-policy/github-terms/github-terms-of-service
- https://www.reversinglabs.com/blog/malware-leveraging-public-infrastructure-like-github-on-the-rise
- https://www.coursera.org/articles/what-is-git
- https://www.toptal.com/github/unlimited-scale-web-hosting-github-pages-cloudflare
- https://docs.github.com/en/code-security/secret-scanning/secret-scanning-partner-program
- https://docs.github.com/en/code-security/getting-started/github-security-features
- https://www.sitelock.com/blog/malware-in-github-repositories/
- https://docs.github.com/en/pages/getting-started-with-github-pages/about-github-pages
- https://docs.github.com/en/enterprise-cloud@latest/apps/creating-github-apps/about-creating-github-apps/best-practices-for-creating-a-github-app
- https://www.quora.com/Is-it-possible-for-someone-to-steal-your-code-from-GitHub
- https://www.perforce.com/blog/vcs/git-secure
- https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/
- https://zapier.com/blog/how-to-download-from-github/
- https://engineering.salesforce.com/github-actions-security-best-practices-b8f9df5c75f5/
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- https://blog.hubspot.com/website/what-is-github-used-for
- https://www.stepsecurity.io/blog/github-actions-security-best-practices
- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure
- https://rewind.com/blog/is-github-still-safe-to-use/