While GitHub has built-in security measures [1] to prevent users from using its infrastructure to host malware code, wily cyber attackers may be looking for ways to bypass them. We’ve seen that happen with a cryptocurrency miner [2] and several malicious projects. [3]
WhoisXML API investigated one such threat using six domains and subdomains as jump-off points and found other possibly connected artifacts, including:
- More than 90 active IP resolutions of the domains and subdomains identified as indicators of compromise (IoCs), four of which were dubbed “malicious” by various malware engines
- More than 300 possibly connected domains, as they shared the IoCs’ IP addresses, 14 of which were believed to be malware hosts
- Close to 20 additional domains that used the same strings as the IoCs with different top-level domain (TLD) extensions, one of which was deemed “malicious”
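The three pivots listed above (seed IoCs to their IP resolutions, other domains sharing those IPs, and the same second-level string under other TLDs) are a standard infrastructure-expansion workflow. The script below is an added example, not WhoisXML API's code, and it runs entirely on a constructed passive DNS table and a constructed verdict table rather than on any real lookup. Hostnames, IPs, and verdicts are all hypothetical; the `registrable()` helper treats the last label as the TLD, which is a simplification that ignores multi-label public suffixes such as `co.uk`.

```python
"""IoC expansion by DNS pivoting (added example with constructed data).

Pivots, mirroring the three findings described in the text:
  1. forward resolution: seed IoCs -> IP addresses
  2. reverse IP: other hostnames that resolve to those IPs
  3. string pivot: same second-level label under a different TLD
Every result is then checked against a verdict table, standing in for
the malware-engine lookups the text mentions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed passive DNS records (hostname, ip); not real observations.
PDNS: List[Tuple[str, str]] = [
    ("seed-one.example", "198.51.100.10"),
    ("cdn.seed-one.example", "198.51.100.11"),
    ("seed-two.example", "203.0.113.5"),
    ("other-site.example", "198.51.100.10"),   # shares an IP with a seed
    ("another.example", "203.0.113.5"),        # shares an IP with a seed
    ("unrelated.example", "192.0.2.77"),       # no link to any seed
    ("seed-one.test", "203.0.113.9"),          # same string, other TLD
    ("seed-two.invalid", "192.0.2.88"),        # same string, other TLD
]

# Constructed verdicts standing in for a hypothetical malware-engine lookup.
VERDICTS: Dict[str, str] = {
    "198.51.100.10": "malicious",
    "other-site.example": "malicious",
    "seed-one.test": "malicious",
}

# Constructed seed IoCs (the "jump-off points").
SEEDS: List[str] = ["seed-one.example", "cdn.seed-one.example", "seed-two.example"]


def registrable(host: str) -> Tuple[str, str]:
    """Return (second-level label, TLD) for a hostname.
    Simplification: the last label is taken as the TLD, so multi-label
    public suffixes (co.uk, com.au, ...) are not handled."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable name: {host}")
    return labels[-2], labels[-1]


def resolve(seeds: Set[str], pdns: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Pivot 1: map each seed hostname to the IPs it resolved to."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for host, ip in pdns:
        if host in seeds:
            ips[host].add(ip)
    return dict(ips)


def cohosted(ips: Set[str], pdns: Iterable[Tuple[str, str]], exclude: Set[str]) -> Set[str]:
    """Pivot 2: hostnames sharing any of the seed IPs, minus the seeds."""
    return {host for host, ip in pdns if ip in ips and host not in exclude}


def tld_variants(seeds: Set[str], pdns: Iterable[Tuple[str, str]], exclude: Set[str]) -> Set[str]:
    """Pivot 3: hostnames whose second-level label matches a seed's, minus the seeds."""
    wanted = {registrable(s)[0] for s in seeds}
    return {host for host, _ in pdns
            if registrable(host)[0] in wanted and host not in exclude}


def expand(seeds: Iterable[str], pdns: List[Tuple[str, str]],
           verdicts: Dict[str, str]) -> Dict[str, List[str]]:
    """Run all three pivots and flag anything the verdict table calls malicious."""
    seed_set = set(seeds)
    resolved = resolve(seed_set, pdns)
    ips: Set[str] = set().union(*resolved.values()) if resolved else set()
    co = cohosted(ips, pdns, seed_set)
    variants = tld_variants(seed_set, pdns, seed_set)

    def flagged(items: Iterable[str]) -> List[str]:
        return sorted(i for i in items if verdicts.get(i) == "malicious")

    return {
        "ips": sorted(ips), "malicious_ips": flagged(ips),
        "cohosted": sorted(co), "malicious_cohosted": flagged(co),
        "tld_variants": sorted(variants), "malicious_tld_variants": flagged(variants),
    }


if __name__ == "__main__":
    for key, value in expand(SEEDS, PDNS, VERDICTS).items():
        print(f"{key}: {value}")
```

The shared-IP pivot is the noisiest of the three in practice: a seed parked on a large hosting or CDN address will pull in every unrelated tenant of that address, so co-hosted results are leads to triage against a verdict source, not IoCs in their own right.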
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
—
- [1] https://www.zdnet.com/article/github-heres-how-were-changing-our-rules-around-malware-and-software-vulnerability-research/
- [2] https://blog.avast.com/greedy-cybercriminals-host-malware-on-github
- [3] https://nakedsecurity.sophos.com/2022/08/04/github-blighted-by-researcher-who-created-thousands-of-malicious-projects/