Abusing GitHub Codespaces.
N2K logoJan 19, 2023

Attackers can use legitimate GitHub accounts to distribute malware.

Abusing GitHub Codespaces.

Researchers at Trend Micro have found that GitHub Codespaces, a cloud-based IDE that was released in November 2022, can be abused to create a trusted malware file server.

Codespaces accounts can act as a malware server.

The issue lies in Codespaces' ability to share forwarded ports publicly, which allows developers to preview their projects as an end user:

“We investigated the services offered by this cloud IDE and found that one of its features for code development and collaboration – sharing forwarded ports publicly – can be abused by malicious actors to create a malware file server using a legitimate GitHub account. In the process, these abused environments will not be flagged as malicious or suspicious even as it serves malicious content (such as scripts, malware, and ransomware, among others), and organizations may consider these events as benign or false positives.”

The researchers explain that “attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments.”

Trend Micro also notes that they haven’t seen this technique used in the wild.

Industry comment.

Naomi Buckwalter, Director of Product Security at Contrast Security, offered the following comments and recommendations:

“At its core, this is not a new type of attack. Github Codespaces, like many other Platform-as-a-Service (PaaS) systems, provides the ability for users to easily build web applications and publish them to the internet. Malicious users can abuse Github Codespaces to build a system that does nefarious things to the unsuspecting public; the end user will not be able to easily determine if a Github Codespace is malicious or not, because Github is generally seen to be a ‘trusted’ domain.

“The solution to this problem lies in the ‘shared responsibility model’ that is often evangelized by cloud service providers. Specifically:

  • “Github must be aware of this type of activity happening within Codespaces and take immediate action to remove bad actors when found
  • “Organizations must be aware of this vulnerability and implement controls (either administrative or technical) to limit the use of Github Codespaces to trusted Codespaces only. Security teams should be running strong endpoint protection software and use a Secure Web Gateway to block malicious websites as well. Finally, organizations should educate their employees on the dangers of visiting untrusted websites, even ones that “look trustworthy,” such as Github.
  • “End users must be aware of this vulnerability and not visit random Codespace URLs. This will require additional awareness training to watch out specifically for Github Codespace URLs.

 “Overall, this issue is not a critical one, but the attack vector should be well understood by all in order to stay safe on the internet.”