security researchers GitHub‘s uploadable comment system was compromised by hackers. malware It detected a security vulnerability that it used to spread.
The system works like this: One user GitHub comment When you upload a file (even if the comment itself was never posted), a download link is automatically generated. This link name of the warehouse and its owner contains and potentially warns victims of the file due to its trusted source link. it is legal It makes them think.
No technical expertise required
For example, hackers use malware to a random warehouse you can download and download link Microsoft They can make it seem like it comes from a well-known developer or company such as. This vulnerability is not technical expertise While it does not require; Just uploading a malicious file to a comment is enough.
Unfortunately currently this abuse of developers to prevent them There is no way other than disabling comments completely, which will result in projects cooperation blocking. GitHub, some detected in the reports malware removed, the underlying vulnerability remains not patched and whether a correction will be applied or When It is unclear whether it will be implemented.
