Abusing a GitHub Codespaces Feature For Malware Delivery

GitHub Codespaces, initially available in preview to selected users, became generally available to all users for free in November 2022. This cloud-based integrated development environment (IDE) lets developers and organizations customize their development environments by configuring dev container files, easing some long-standing pain points in project setup.

We investigated the services offered by this cloud IDE and found that one of its features for code development and collaboration – sharing forwarded ports publicly – can be abused by malicious actors to create a malware file server using a legitimate GitHub account. Because the content is served from GitHub's own domain, these abused environments are not flagged as malicious or suspicious even while they serve malicious content (scripts, malware, ransomware, and the like), and organizations may dismiss these events as benign or as false positives.
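A detection-side illustration of the point above, added here as an example and not code from the original article or from GitHub: a small Python scanner that walks proxy-log lines and flags file downloads whose host matches the Codespaces forwarded-port pattern, and separately counts how many internal clients pulled from each codespace. The host pattern `<codespace-name>-<port>.app.github.dev` (with an optional `preview.` label on older codespaces) is an assumption drawn from GitHub's port-forwarding URLs, the log format and every log line are constructed for the example, and the list of content types is a starting point rather than a complete one.

```python
"""Flag file downloads from publicly shared GitHub Codespaces forwarded ports.

Added example for this article; not code from the original post or from GitHub.
Assumptions (all labelled): forwarded-port hosts look like
<codespace-name>-<port>.app.github.dev, older ones
<codespace-name>-<port>.preview.app.github.dev; the proxy log format is a
constructed, simplified one: "<timestamp> <client-ip> <method> <url> <status> <content-type>".
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# ASSUMPTION: Codespaces forwarded-port host pattern. The codespace name is a
# lowercase hyphenated token and the port is the last hyphen-separated field.
FORWARDED_PORT_HOST = re.compile(
    r"^(?P<name>[a-z0-9-]+?)-(?P<port>\d{2,5})(?:\.preview)?\.app\.github\.dev$"
)

# Content types a developer previewing a web app rarely pulls from a forwarded
# port; treat this as a starting list, not a complete one.
SUSPICIOUS_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
    "application/zip",
    "application/x-sh",
    "text/x-powershell",
}

# Constructed log format: timestamp client method url status content-type
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)


@dataclass
class Hit:
    timestamp: str
    client: str
    codespace: str
    port: int
    path: str
    content_type: str


def codespace_from_host(host: str) -> Optional[tuple[str, int]]:
    """Return (codespace_name, port) when host is a forwarded-port host, else None."""
    m = FORWARDED_PORT_HOST.match(host.lower())
    if m is None:
        return None
    return m.group("name"), int(m.group("port"))


def scan_log(log_text: str) -> list[Hit]:
    """Return one Hit per successful download of a suspicious content type
    from a Codespaces forwarded port. Malformed lines are skipped, not fatal."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None or m.group("status") != "200":
            continue
        parts = urlsplit(m.group("url"))
        found = codespace_from_host(parts.hostname or "")
        if found is None:
            continue
        name, port = found
        ctype = m.group("ctype").split(";", 1)[0].lower()
        if ctype in SUSPICIOUS_TYPES:
            hits.append(Hit(m.group("ts"), m.group("client"), name, port,
                            parts.path or "/", ctype))
    return hits


def clients_per_codespace(log_text: str) -> dict[str, set[str]]:
    """Map each codespace seen in the log to the set of internal clients that
    fetched anything from it (any status). One developer previewing their own
    app is normal; many unrelated hosts pulling from one forwarded port is not."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue
        found = codespace_from_host(urlsplit(m.group("url")).hostname or "")
        if found is not None:
            seen[found[0]].add(m.group("client"))
    return dict(seen)


# Constructed sample log; the codespace name and addresses are made up.
SAMPLE_LOG = """\
2023-01-12T09:14:02Z 10.0.4.21 GET https://github.com/octocat/Hello-World 200 text/html
2023-01-12T09:15:40Z 10.0.4.21 GET https://shiny-space-guacamole-8000.app.github.dev/ 200 text/html
2023-01-12T09:15:41Z 10.0.4.21 GET https://shiny-space-guacamole-8000.app.github.dev/update.exe 200 application/x-msdownload
2023-01-12T09:16:05Z 10.0.7.9 GET https://shiny-space-guacamole-8000.preview.app.github.dev/payload.ps1 200 text/x-powershell
2023-01-12T09:16:06Z 10.0.7.9 GET https://shiny-space-guacamole-8000.app.github.dev/missing.bin 404 text/html
2023-01-12T09:17:30Z 10.0.7.9 GET https://example.com/index.html 200 text/html
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} pulled {hit.content_type} from "
              f"codespace {hit.codespace} port {hit.port} path {hit.path}")
    for name, clients in clients_per_codespace(SAMPLE_LOG).items():
        print(f"codespace {name}: {len(clients)} distinct client(s)")
```

The host match deliberately runs before the content-type check so that a codespace serving only `text/html` still shows up in `clients_per_codespace`; a forwarded port that several unrelated internal hosts fetch from is worth a look even when nothing in the list of content types fires.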

According to GitHub's website, the platform has over 94 million developers, including companies such as Duolingo, Vanta, and GitHub itself, and today every developer gets a free monthly quota of Codespaces usage. Given the platform's popularity and the likely wide adoption of Codespaces for its ease of setup, developers are strongly advised to secure their projects properly by applying threat modeling and testing.

GitHub Codespaces allows developers to create, edit, and run code directly from their web browser. It provisions a container-based environment in a pre-configured virtual machine (VM) with the tools and dependencies needed for projects such as JavaScript, Python, and Ruby. This means developers can get started on a new project quickly and without the need to set up their own
