|
| 1 | +--- |
| 2 | +title: 'Githubs reputation being exploited by bad actors to distribute malware' |
| 3 | +date: 2025-09-22T18:42:13.000+10:00 |
| 4 | +slug: github-macos-malware |
| 5 | +description: Bad actors are abusing the SEO of github |
| 6 | +image: "/uploads/" |
| 7 | +keywords: |
| 8 | +- github organisation malware |
| 9 | +- github readme exploit |
| 10 | +- macos app malware distribution |
| 11 | +- adam kostarelas |
| 12 | +- blog |
| 13 | +author: Adam Kostarelas |
| 14 | +tags: |
| 15 | +- tech |
| 16 | +math: false |
| 17 | +toc: false |
| 18 | + |
| 19 | +--- |
| 20 | + |
| 21 | +Github has become popular over the years for a place where you can collaborate on open-source software, and download it too. |
| 22 | +This reputation can be abused to by bad actors, pretending that software is open source, when in reality they link to a compiled file, or to an external site. |
| 23 | + |
| 24 | +Today I spotted one such that came up high in search results for `macos audio` |
| 25 | +There were two separate results that came up, im |
| 26 | + |
| 27 | +If you search directly for `macos sound source` or `macos sound control`, they rank highly. |
| 28 | + |
| 29 | + |
| 30 | + |
| 31 | +Obviously, you'd want to always make sure you're going to an official website to download software, however with namesquatting, seo farming and reputation abusing techniques, such bad actors have higher chances of malicious actions. |
| 32 | + |
| 33 | +A common trend is to encourage users to open terminal to download a shell script. |
| 34 | +! warning, never paste random commands into your terminal without knowing what it does! |
| 35 | + |
| 36 | + |
| 37 | + |
| 38 | +In this case, the url is also a URL encoded with base64 to make it less obvious you're about to download `install.sh` |
| 39 | + |
| 40 | +the shell script tries to download a malicious file called *update*, then deletes all extended attributes macos places on it with `xattr -c update` and makes it executable. |
| 41 | + |
| 42 | +luckily gatekeeper tried to prevent me even inspecting this file in a VM |
| 43 | + |
| 44 | + |
| 45 | +If you're interested, the [virustotal](https://www.virustotal.com/gui/file/8bd91ce62189cc6817aff0577a4cad0d5884b806f07443b2296718a64402c82d/behavior) analysis is available to review. |
| 46 | + |
| 47 | +It contains an interesting evasion tactic I haven't seen before |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | +The page users click on to download the file are also prompted to download a dmg which is just obfuscated to run another osascript to remove quarantine and run the `stackprep` |
| 52 | + |
| 53 | + |
| 54 | + |
| 55 | + |
| 56 | +## Github tactic |
| 57 | + |
| 58 | +I'm not sure as to why this was done, but there were multiple accounts spawned to maybe aid in their evasion efforts? |
| 59 | +One organisation will point to a user account, which doesn't commit anything, but another user account will upload files via browser. |
| 60 | + |
| 61 | +All the accounts are using throwaway hotmail and outlook accounts. |
| 62 | + |
| 63 | +I've reported this to Github, who is aware of attacks like this, and have taken down a similarly named one which is still ranking highly in search. |
| 64 | + |
| 65 | +I wonder if their section on SEO actually helps them to rank.. |
| 66 | + |
| 67 | + |
| 68 | + |
| 69 | +Also another tidbit, their 'demo video' shows a Parallels VM with user `checkuser`. Maybe there's some kind of quality control to make sure users in a VM aren't impacted. (sarcasm) |
| 70 | + |
| 71 | + |
| 72 | +I hope these are removed to keep Github a safe community. |
| 73 | + |
| 74 | +You can contact me if you'd like more info |
0 commit comments