Security researchers have highlighted several vulnerabilities and malicious activities on GitHub, a key platform for modern software development. Primary risks—which we’ll explore in more detail—include improperly configured workflows, the persistence of data in deleted repositories, and the distribution of malware through compromised accounts.

Dangerous misconfigurations in GitHub Actions workflows

GitHub Actions workflows are designed to streamline software development by automating many different tasks such as continuous integration and delivery. Despite their utility, many of these workflows lack critical security measures.

Legit Security’s research reveals that a large number of workflows fail to incorporate best practices, such as dependency pinning and limiting token permissions.

Legit Security’s investigation discovered several critical security issues:

  • Interpolation of untrusted input: This practice allows attackers to inject malicious code or data into workflows, potentially compromising the entire project.
  • Use of untrustworthy artifacts: Many workflows rely on external artifacts that haven’t been vetted for security, opening the door to potential threats.
  • Execution of untrusted code: Running unverified code increases the risk of introducing vulnerabilities and malicious activities into the software development process.

How misconfigurations lead to security breaches

Misconfigured workflows can lead to severe security breaches. Data leakage is a major concern, as sensitive information can be inadvertently exposed, resulting in data breaches and financial losses.

Unauthorized code execution is another issue needing careful consideration; attackers can exploit these misconfigurations to run unauthorized code, compromising system integrity. The overall security posture of projects is then weakened, making them more susceptible to many different forms of cyberattacks.

Stats on custom GitHub Actions

An analysis of over 19,000 custom GitHub Actions showed that only about 900 (4.74%) were created by verified users. The average Open Source Security Foundation (OSSF) security score for these actions is 4.23 out of 10, clearly pointing out the pressing need for greatly improved security practices across the board.

Threats of persistent data in deleted repositories

Truffle Security has discovered that data from deleted GitHub repositories is not entirely removed from the platform. Contrary to the common belief that deleted data is irretrievable, this data can still be accessed under specific conditions:

  • Access to deleted data: Sensitive data, including proprietary code and credentials, may remain accessible even after a repository is deleted—posing serious risks for organizations that depend on GitHub for code management.
  • Vulnerability through forks: The issue arises when a repository fork can access the data of another fork. GitHub captures snapshots of repositories, including all changes, and these snapshots are not deleted from the object database when the repository is deleted. Unsynced data remains accessible, creating a potential security loophole.

GitHub’s surprising take on persistent data

GitHub does not view this persistent data issue as a bug but rather as a feature, raising concerns among security experts who argue that it exposes organizations to unnecessary risks. GitHub retains snapshots of deleted repositories, which then inadvertently keeps sensitive data that could be exploited by malicious actors.

A deeper look at GitHub’s malware network

Checkpoint researchers have found a disturbing trend: approximately 3,000 GitHub accounts are actively used to distribute malware—clearly highlighting a major (and growing) threat to the platform and its users, as malicious actors exploit GitHub’s reach and reputation within the developer community.

Inside the Stargazer Goblin malware network

The network, known as Stargazer Goblin, operates as a highly organized distribution-as-a-service (DaaS) operation. The operation leverages GitHub’s extensive reach to target a broader audience, spreading malware through various platforms, including YouTube, X (Twitter), Instagram, Discord, and Facebook. The network uses these additional platforms to increase its visibility and potential impact, drawing in unsuspecting users.

Dangerous malware spread through GitHub

Stargazer Goblin disseminates multiple types of malware, each with unique capabilities and threats. The malware distributed includes Lumma Stealer, designed to steal sensitive information such as login credentials and financial data, and Atlantida Stealer, which targets personal and corporate information for financial gain.

Other malware, such as RisePro, known for data exfiltration, Rhadamanthys, adept at phishing attacks, and RedLine, a versatile stealer capable of collecting many different types of information, further reinforces the threat posed by the network.

Suspicious repositories and their hidden threats

The network uses dubious repositories containing many different malicious elements. These repositories often have download links to external websites where malware is downloaded onto the victim’s device. Adding to this, they use password-protected archives to bypass automated security scans and templates for phishing strategies to trick users into providing sensitive information.

Clever tactics to evade GitHub suspensions

To avoid detection and minimize the risk of account suspension, Stargazer Goblin uses organized roles within its network. Each account is assigned a specific role, so that no single account is critical to the operation’s success.

This distribution strategy means that even if some accounts are suspended, the network remains operational.

Despite GitHub’s efforts to combat this threat, having removed over 1,500 malicious accounts, more than 200 (13%) remain active, reiterating the ongoing challenge of securing the platform against organized malicious activities.

The worrying impacts of GitHub malware

Compromised accounts and repositories can lead to major and extensive data breaches, exposing sensitive information. Ransomware attacks, where malware encrypts critical data and demands ransom payments for its release, pose another severe threat.

The presence of malware in these repositories can then lead to several other security issues, including unauthorized access and system compromise.

3 expert strategies to secure your GitHub environment

1. Protect GitHub Actions workflows

Regularly reviewing and auditing workflows is key to accurately identifying and rectifying potential vulnerabilities. Using GitHub’s secret management tools to scope secrets and limit the permissions granted to workflow tokens helps enforce strict access controls.

Making sure that input sanitization and validation is carefully implemented is a must if companies are to prevent unauthorized code execution and reduce the risk of introducing vulnerabilities.
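The three workflow issues Legit Security lists above (interpolation of untrusted input, unpinned dependencies, over-broad token permissions) and the three fixes in this section are easiest to see side by side. The following is an added, constructed example and not a workflow from the page or from Legit Security’s research; the workflow names and the commit-SHA placeholder are assumptions.

```yaml
# Constructed example: the same issue-triage workflow written two ways.
# Replace the placeholder SHA with the full commit hash of the action
# version you have reviewed.

# --- WEAK: untrusted input interpolated into a script, mutable action
#     reference, and a default-scoped GITHUB_TOKEN ---
name: triage-weak
on:
  issues:
    types: [opened]
# No "permissions:" block: GITHUB_TOKEN receives the repository default scope.
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # mutable tag, not a pinned commit
      - name: Echo title
        # The issue title is expanded into the shell script text before the
        # step runs, so whatever an issue author typed becomes part of the command.
        run: echo "New issue: ${{ github.event.issue.title }}"

---
# --- HARDENED: env indirection, commit pin, least-privilege token ---
name: triage-hardened
on:
  issues:
    types: [opened]
permissions:
  contents: read            # workflow-wide default: read-only token
jobs:
  greet:
    runs-on: ubuntu-latest
    permissions:            # job-level block replaces the workflow default,
      contents: read        # so restate "contents: read" for checkout
      issues: write         # and add only the scope this job needs
    steps:
      # Pin to an immutable commit; keep the version tag as a comment for review.
      - uses: actions/checkout@<full-40-char-commit-sha>   # v4 (placeholder SHA)
      - name: Echo title
        env:
          # Pass the value through an environment variable: the shell receives
          # it as data at run time, never as part of the script text.
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
```

The same env-indirection pattern applies to any `github.event.*` field controlled by an external contributor (pull request titles and bodies, branch names, review comments), and the pinning rule applies to every `uses:` line, including reusable workflows.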

2. Secure your data in deleted repositories

To mitigate the risks associated with persistent data, it’s a must to remove or encrypt all sensitive information before deleting repositories. Regular audits of repositories help detect and eliminate any lingering sensitive data. Using tools like GitHub’s secret scanning can also help with accurately identifying and addressing exposed credentials within repositories.

3. Combat malware threats

Being cautious of repositories and code from unknown or untrusted sources is an absolute must. Regularly updating libraries and dependencies to mitigate known vulnerabilities is an important step to implement consistently. Employing advanced security tools to scan and detect malicious code can also help make sure that projects are secure from these potential threats.

Final thoughts and key questions to ask

How prepared is your company to defend against the threats hiding in common—and often essential—platforms like GitHub? Are you proactively protecting your valuable assets and respecting the trust of your users?

Carefully reflect on your current practices and consider what strategic changes can elevate your security posture to protect your brand while building up a more resilient and trustworthy market presence.

Tim Boesen

August 6, 2024