Github scam investigation: Thousands of “mods” and “cracks” stealing data

timsh.org

388 points by timsh 10 months ago · 164 comments

klaas- 10 months ago

I think Microsoft has a general problem with getting rid of unwanted things within their eco-system. I keep complaining that their feedback.azure.com portal is filled with spam/malware comments and links, but even internally their teams can't reach anyone to get it fixed. Example https://feedback.azure.com/d365community/idea/9d0b22d8-c025-...

  • rwmj 10 months ago

    As another data point: MSFT have some sort of open mail server/service called onmicrosoft.com which (in my experience anyway) is only being used to send out fraudulent paypal messages. Because it lets the spammer set the From to service@paypal.com and also contains valid DKIM etc, it sails past spam filtering. There are so many complaints about this on (real) paypal.com forums, but Microsoft are apparently unable to do anything about it.

    • 0x0 10 months ago

      I think I read somewhere that scammers set up an email distribution list / alias / forwarding from one something.onmicrosoft.com account to dozens of victims, and then they trigger a (real!) paypal email with that one something.onmicrosoft.com address as the recipient. So the email has a valid DKIM signature from paypal, then microsoft forwards that email to all the victims, which will still pass DKIM while amplifying the attack (and maybe boosted by microsoft's SPF reputation as well) to hit as many people as possible. Apparently the paypal emails are real but dangerous as they will allow the attacker to somehow take over the victim's account if they log in, as the "middleman" onmicrosoft.com alias then becomes associated with the account which was the original "to"-email from paypal. Something like that, at least.

      • citrin_ru 10 months ago

        Messages pass DMARC because they originate at paypal servers (and have valid DKIM), but O365 is abused to spread these messages and MS is doing little to stop the abuse.

      • compass_copium 10 months ago

        Is there a legitimate reason for them to forward paypal emails? Why not just not let that happen under any circumstances?

        • 0x0 10 months ago

          Most email providers support mail forwarding and distribution lists, but maybe they should have added some sort of opt-in confirmation when adding recipients outside the local domain...?

        • redundantly 10 months ago

          I imagine it's because PayPal uses azure in some capacity.

        • singron 10 months ago

          If you use PayPal for your business, you might want the emails to go to a list for redundancy.

    • hennell 10 months ago

      onmicrosoft is "on microsoft" and is used behind the 365 company workspace. I have an onmicrosoft email for a 365 developer account, and anyone who connects to our company via teams seems to get a "{original_email}@{company}.onmicrosoft.com" ID set up, so I assume they're probably using it for things behind the scenes which also needs to void DKIM or something.

      Feels like just adding a direct "don't send as paypal, apple etc" rules would probably work though.

    • mcny 10 months ago

      I use a (redacted).onmicrosoft.com tenant which is free of cost to me as a sandbox to learn about office 365 admin stuff. I don't work on it every day but it is nice to have this sandbox. I don't send spam or phishing emails. I don't send emails from this tenant at all to others, only to my own email addresses or to people I know for testing purposes.

      • rwmj 10 months ago

        Presumably you don't send out emails appearing to come from service@paypal.com saying things like "Reminder: You've still got a money request", with an HTML body that looks exactly like Paypal but contains a fraudulent link and phone number, so you should be fine.

    • throwawwey 10 months ago

      This isn't really related to the parent comment, but I can't help myself from asking. I've been getting emails that look like they're from my own email address. They usually threaten to share my browser history unless I pay money. Has anyone else seen these kinds of scam emails? How can I stop them? I use two-factor authentication, so my account should be safe, but these emails still worry me. Any tips would be great!

      • TonyTrapp 10 months ago

        If you are in control of the domain of your email address, enable SPF and DKIM for that domain, together with strict policies that mail servers should reject spoofed mails claiming to come from that domain. If your own mail server supports validating SPF and DKIM, you would no longer receive such forged mails, nor anyone else behind a mail server supporting SPF and DKIM.

        If you aren't in control... just ignore it like any other spam mail.

        • Avamander 10 months ago

          The thing that enforces the existence of either SPF or DKIM is called DMARC; setting that to "reject" or "quarantine" is the most critical step for preventing forgeries like that.

      • kiliankoe 10 months ago

        E-Mail allows setting the From header to whatever you want. These mails won't have valid DKIM or SPF data because they're not sent through your mail server. There's nothing to worry about, it's just spam, your account isn't compromised (unless of course it is, and they're sending it through yours, but they likely wouldn't try to scam you like that then). Just one of the quirks of e-mail we have to live with.

      • radicality 10 months ago

        Huh, interesting, I just saw something like that in my spam filter for my own domain. It looked like some kind of an email forward from onmicrosoft.com, with the original email spoofed from my own domain with an email that doesn’t even exist on my domain.

      • Technetium 10 months ago

        Do not click the links or allow images to load, and you will remain safe. View the full raw email and look at the headers. Search who is registered for the domain in question. Contact their hosting provider.

    • gs17 10 months ago

      Fortunately, it's still pretty easy to filter these out. No idea why PayPal is ignoring this issue (I forward them to phishing@paypal.com hoping something will happen).

    • have-a-break 10 months ago

      Honestly I can't believe how much spam at Google gets through Gmail but they blocked my small startup's emails from being delivered.

      Funny enough if I stayed at Google another year I would have been lucky enough to fix it myself and make an actually decent spam blocker.

    • delusional 10 months ago

      How would Microsoft forge a DKIM signature? It sounds more likely that it's just a shitty email from Paypal.

      • bobince 10 months ago

        Yes, they're originated by PayPal, but collected by a different original recipient and from there sent on to the victim. The envelope-recipient is not part of the material signed by DKIM, so the signature remains valid.

        The To: header _is_ part of the signed material so will list the original recipient not the victim — but the attacker sets the recipient name/address to something misleading like “Order Received” to obscure this, and sets the store name to some long text that will be misleading when templated into the PayPal invoice request mail text.

        PayPal have long had a problem with failing to make untrusted supplied text clear in their communications, but this is an unusually convincing attack.

        I don't know why they always use (compromised?) onmicrosoft subdomains in particular. In the samples I've seen they're getting an SPF softfail so it doesn't seem MS's relays are passing SPF for paypal (sendgrid's might...)

        • kbolino 10 months ago

          It seems like it's time to revise DMARC so that it requires (or at least can be configured to require) both SPF and DKIM to pass.
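Added example, not code from any commenter above: the DMARC decision logic that the replies by TonyTrapp, Avamander, bobince and kbolino are arguing about, written out so the two cases in this thread can be run side by side. A relayed PayPal message keeps its aligned DKIM signature (the signed headers and body are untouched by forwarding) while SPF is evaluated against the relay and softfails; under standard DMARC that is still a pass, because the spec requires only one aligned mechanism. A message forged from your own domain with no DKIM and failing SPF fails DMARC, and the published p= tag decides whether it is rejected. The DMARC records, domains and authentication results below are constructed for the example (the real paypal.com policy is not checked here), and the organizational-domain function is a deliberate simplification that does not consult the Public Suffix List as a real evaluator would. The `require_both` switch is not part of DMARC; it is there only to show what kbolino's proposed stricter mode would do to the forwarded case.

```python
from typing import Dict, Optional, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict.
    Defaults follow RFC 7489: relaxed alignment for both mechanisms, policy 'none'."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """ASSUMPTION: organizational domain = last two labels. A real evaluator uses the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From: domain,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str],
                   require_both: bool = False) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition). Per RFC 7489 DMARC passes when EITHER aligned
    SPF or aligned DKIM passes; require_both is a hypothetical stricter mode."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    passed = (spf_ok and dkim_ok) if require_both else (spf_ok or dkim_ok)
    if passed:
        return True, "deliver"
    return False, tags["p"]


def forwarded_paypal_case(require_both: bool = False) -> Tuple[bool, str]:
    """Constructed scenario: genuine PayPal mail relayed through a third-party tenant.
    DKIM survives forwarding; SPF is evaluated against the relay and softfails."""
    return evaluate_dmarc("v=DMARC1; p=reject", "paypal.com",
                          spf_result="softfail", spf_domain="example.onmicrosoft.com",
                          dkim_result="pass", dkim_domain="paypal.com",
                          require_both=require_both)


def forged_from_own_domain_case(policy: str) -> Tuple[bool, str]:
    """Constructed scenario: a spoofed From: on your own domain, no DKIM, SPF fail.
    The outcome depends entirely on the p= tag you publish."""
    return evaluate_dmarc(f"v=DMARC1; p={policy}", "example.com",
                          spf_result="fail", spf_domain="attacker.example.net",
                          dkim_result="none", dkim_domain=None)


if __name__ == "__main__":
    print("relayed PayPal, standard DMARC:", forwarded_paypal_case())
    print("relayed PayPal, require both:  ", forwarded_paypal_case(require_both=True))
    print("forged own domain, p=none:     ", forged_from_own_domain_case("none"))
    print("forged own domain, p=reject:   ", forged_from_own_domain_case("reject"))
```

The point the run makes is the one bobince raises: no forgery is involved, the relayed message is authentic and DMARC is doing exactly what it was specified to do. Publishing p=reject only helps in the second scenario, where the sender never had an aligned signature to begin with.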

      • johnmaguire 10 months ago

        I saw one of these emails too. It was sent by an onmicrosoft.com server, linked to a phishing site, but passed SPF/DKIM/DMARC for Paypal.

        Microsoft obviously isn't "forging" it. It's valid: https://labs.guard.io/echospoofing-a-massive-phishing-campai...

      • xprueg 10 months ago

        Here's a CCC talk[1] which shows how you can send mails from other servers by "SMTP Smuggling".

        1: https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-...

  • xvilka 10 months ago

    At the same time they suspended my GitHub account which I had for more than a decade, maintained multiple big open source projects, and contributed to hundreds. Didn't even bother to provide any reason or reply to any of my requests. Worst experience of any IT service I had. I would never recommend using GitHub to anyone, and started donations to Codeberg and Forgejo.

  • chrisandchris 10 months ago

    > 9 years ago

    > This is still coming. The work is being completed now and we will be able to expose it in a few months.

    I'm glad the official response has no date associated, so you won't know whether they published that yesterday or 8 years ago.

  • mplanchard 10 months ago

    These have got to be AI generated. The ones that mention details from the post are borderline comical:

    > Sounds like deleting a VM in Azure is as tedious as trying to manage resources in a complex role-playing game—one wrong step, and you’re stuck dealing with frustrating dependencies! If you’re tired of that kind of hassle, maybe it’s time to switch things up with Download SpinRP. Instead of deleting VMs in the right order, you can dive into an immersive world where strategy and excitement go hand in hand. Why deal with a “big fat pink error” when you could be making big moves in SpinRP instead?

    • jeffhuys 10 months ago

      Can't be more obvious.

      <acknowledge and describe post you're replying to, use at least one "—"> <shill> <shill + acknowledge>

      How hard could it be to add "add a few grammatical and spelling mistakes. Use no emojis. Reply like someone on instagram" or something to the system prompt? I shouldn't give them ideas, but come on, that's low hanging fruit.

    • klaas- 10 months ago

      Yeah, that was my suspicion as well; seems that AI-generated content is mixed with SEO spam or malware. I even tried to report feedback.azure.com as a deceptive site to the major browsers, but they don't share my concerns ;)

  • kennysoona 10 months ago

    There used to be some sort of forum they had, I don't remember what it was, MSDN forums or Technet or something, but it used to dominate search results, and all the answers were from like, senior hobbyists who couldn't suggest much more than restarting or suggesting checking for updates. Maybe that was before every search result was Reddit or SO though.

    • Galanwe 10 months ago

      That's MSDN, and these "senior hobbyists" were given a badge by MS to look credible: "MVP" (most valuable professional).

      Cherry on top: you used to pay to have an MSDN membership and access this wonderful community.

      To be fair though, the early MSDN was really good, and in a distant past MVP was a real achievement (say early 2000s). Now it's a weird mix of real issues and "my printer blinks red, how to fix?"

      I don't think anyone reads MSDN at Microsoft anymore, it's a deadland, but I guess they generate some metrics of user engagement and product feedback from there.

      • kennysoona 10 months ago

        I wasn't even talking about people who paid for a cert, just people signing up to try and help. They are generally more annoying than helpful to people who can do anything more than install and uninstall programs. Without a doubt every search result I found on that forum from someone having a similar issue never resulted in a useful lead.

        • Terretta 10 months ago

          > Without a doubt every search result I found on that forum from someone having a similar issue never resulted in a useful lead.

          This was subsumed into answers.microsoft.com and it's turned into a few of those original "good with computers" retirees spending all day answering from within their own knowledge, now overwhelmed by countless individuals with names or flavors of English suggesting emerging economic zones "answering" everything with copy paste non-responsive responses.

          If the asker persists through enough (5 - 8?) turns until the copy paster grasps that they don't understand the problem, then it turns into (paraphrasing) "no clue, I'm not real but was just trying to help, try Microsoft support".

          This is so consistent, I wonder what is driving it. They seem to try to look official, but eventually say they are not actually Microsoft, and punt. What is this accomplishing? Why are they spending all this time? Is it some kind of training exercise or on-ramp to support jobs? Inquiring minds want to know!

          • ndiddy 10 months ago

            > This is so consistent, I wonder what is driving it.

            Microsoft has a cert called "Most Valuable Professional" that gives out a ton of free stuff (free MSDN subscription, free admission to a conference that gives away hardware, etc). It also probably looks good on your resume to hiring managers who don't know any better. Renewing the cert involves doing "community work", and the easiest way to do community work is to post a lot on Microsoft's forums. Microsoft doesn't care about the quality of the posts, or whether they solve the problem, solely about the number. This is why whenever you look up a Windows issue and go to Microsoft's forums, you always see people posting the same copy-pasted "Hi, I'm a Microsoft community expert who has been providing independent Windows advice for the past 10 years. blah blah blah Have you tried running sfc /scannow?" response to every single problem.

          • kennysoona 10 months ago

            > This was subsumed into answers.microsoft.com and it's turned into a few of those original "good with computers" retirees spending all day answering from within their own knowledge,

            Ah yeah, this is exactly what I was referring to!

            > If the asker persists through enough (5 - 8?) turns until the copy paster grasps that they don't understand the problem, then it turns into (paraphrasing) "no clue, I'm not real but was just trying to help, try Microsoft support".

            Yes! And if you are doing anything even slightly out of their grasp that requires doing something 'different', they assume you are doing something wrong or messing with stuff you shouldn't be, e.g. "You shouldn't be touching the registry" - ugh.

            > This is so consistent, I wonder what is driving it. They seem to try to look official, but eventually say they are not actually Microsoft, and punt. What is this accomplishing? Why are they spending all this time? Is it some kind of training exercise or on-ramp to support jobs? Inquiring minds want to know!

            I think it really is just older people who 'like' computers but never learned that much about them. They found a zone where they can mostly be helpful to people who know a little less than them, which is fine, but they don't understand maybe they should not try and solve every problem.

        • wil421 10 months ago

          Amazon has an ask a question feature and it will email a lot of people who previously bought the product, not sure how it works. Anyway, I saw tons of responses from elderly people with nonsense answers like “I don’t know the answers please don’t email me”. People felt compelled to respond, now I see why Nigerian prince scams are so successful.

          • kennysoona 10 months ago

            There was a story recently that Reese Witherspoon was in a jury, and the other members of the Jury genuinely thought she was a lawyer because of Legally Blonde.

            That kind of ridiculousness is way more common than you think. These people shouldn't be allowed to vote let alone try to assist in solving even remotely complex IT problems.

          • abanana 10 months ago

            Also see Yahoo Answers, who got the gamification completely wrong (Stack Overflow later got it right). Users would answer "I don't know" to every question they saw, just to get a point for answering.

            • kennysoona 10 months ago

              > Users would answer "I don't know" to every question they saw, just to get a point for answering.

              lol, I remember that but I forgot all about that until I saw your comment. Man that late 90s early 2000s internet was something else.

  • BLKNSLVR 10 months ago

    If only they had some kind of partnership with one of the big AI companies they might be able to leverage it to make their products, sorry, services better.

    "We only sell the shovels, we don't use them, we don't think we have any holes needing dug."

    • williamdclt 10 months ago

      I think I prefer spam to AI moderating the internet, to be honest (although I have little doubt that this feeling isn’t shared by big tech and almost all moderation is going to be done by AI)

  • evntdrvn 10 months ago

    but this comment is gold :D

    > Sounds like deleting a VM in Azure is as tedious as trying to manage resources in a complex role-playing game—one wrong step, and you’re stuck dealing with frustrating dependencies! If you’re tired of that kind of hassle, maybe it’s time to switch things up with Download SpinRP. Instead of deleting VMs in the right order, you can dive into an immersive world where strategy and excitement go hand in hand. Why deal with a “big fat pink error” when you could be making big moves in SpinRP instead?

  • ryandrake 10 months ago

    Look at the comments down below that post. All unmoderated trash and spam. There's nobody in the driver's seat at Microsoft, is there?

Aurornis 10 months ago

These repos post to Discord webhooks to notify of newly compromised systems.

I’ve found Discord to be responsive to abuse complaints in the past. If someone wrote a simple script to download these repos and extract the Discord webhook links I bet you could get Discord to shut down their accounts.

In my past experience Discord was aggressive about this, going so far as to ban the accounts of people who had participated on those servers with clearly illegal purposes. They’ll come back and make new accounts again, of course, but having them lose all of their connected servers, history, and requiring them to update every single one of their malware drops should slow them down considerably.

  • avodonosov 10 months ago

    > going so far as to ban the accounts

    The responsible thing would be also to release all related data, including personal information (IP addresses, emails, list of contacts, chat logs) to investigation (police, etc)

    • Aurornis 10 months ago

      I’m sure they report serious crimes and at least retain records for questionable activity.

      I don’t get visibility into internal Discord operations, though. We just see that the perpetrators lost both their Discord server and their accounts disappeared from other Discords they were in. They angrily returned later with new usernames.

      • avodonosov 10 months ago

        > I’m sure they report serious crimes and at least retain records for questionable activity.

        Why are you sure? I really doubt it.

      • Avamander 10 months ago

        That would be a tremendous amount of work, at best they might be forwarding it to some CERT. But I doubt even that. Shutting down the accounts is probably the best they can do.

    • TechDebtDevin 10 months ago

      Doesn't really matter if the scammers are in bum fuck egypt (literally)

      • avodonosov 10 months ago

        Law enforcement has ways to work across borders (international agreements, etc).

        Such mechanisms should and will improve with time.

        If a country doesn't provide legal support against scammers, then the requesting country can reciprocate - declare green light for scammers against the refusing country.

    • anoncow 10 months ago

      We could lock such repos. No access (not even read-only) and disable accounts. That could also be semi automatic.

  • encom 10 months ago

    Let's shut down Discord instead, for the good of all mankind.

  • catsma21 10 months ago

    > extract the Discord webhook links

    there's a large variety of malware, they don't all phone home the same way and they don't all phone home to discord

    • Aurornis 10 months ago

      Did you read the linked article? The template they’re duplicating phones home via Discord.

      I’m not saying every malware uses Discord. I’m talking about the article.

      • catsma21 10 months ago

        I did, in fact, read the article. You said "a simple script to download these repos". The variety of malware would make the script not so simple, and not so effective.

        • Aurornis 10 months ago

          > the variety of malware would make the script not so simple, and not so effective.

          The article is about using scripts to identify and download the malware. They identified over 1000 matching repos, which would contain Discord webhooks in the script.

          Scanning and identifying has already been done. That’s literally what the article is about.

          It’s right in the second paragraph:

          > As soon as you download and launch any of these, all the data from your computer is collected and sent to some discord server

          • catsma21 10 months ago

            Yes, they identified spammy repos. You'd also need to identify which repos belong to which spammer groups; it's not just one person doing this (as mentioned in the article) -> they don't use the same malware. Saying "sent to some discord server" is like saying "playing games on my nintendo". The malware is also obfuscated (as mentioned in the article) which makes identifying the home server harder with static analysis.

            why don't we just send bad people to jail?

            • Aurornis 10 months ago

              The web hook is in the templated script

              From the article:

              > The "trust" value, when base64-decoded, turns out to be a discord webhook link: myhook = 'https://discord.com/api/webhooks/1050437982584324138/VJByvmB...'

              Collect all the scripts matching the template. Extract the “trust” variable. Decode base64. Send to Discord with proof of how it was obtained.

              Discord then identifies the Discords matching those webhooks.

              It’s not some hard static analysis problem. These are python scripts with a base64 encoded variable. I don’t understand why you’re making it out to be something other than what the article says.
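Added example, not code from the article or from any commenter: the extraction step Aurornis describes in this comment and in the top-level one above (collect the scripts, pull out the base64 literal, decode it, keep whatever turns out to be a Discord webhook URL). Rather than depending on the variable being called `trust`, it decodes every quoted base64-looking literal and, because a decoded layer may itself be base64, re-decodes up to a few levels deep; plaintext webhook URLs are caught too. The sample sources are constructed for this example, and the webhook id and token in them are invented, not taken from any repo. Real use is `python extract_hooks.py <directory of cloned repos>`; the filename is an assumption.

```python
import base64
import binascii
import os
import re
import sys
from typing import Dict, List, Optional

# Discord webhook URL: numeric id, then a token; id/token lengths vary, so match loosely.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)"
)
# A quoted string literal that looks like base64 (16+ alphabet chars, optional padding).
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def _decode_b64(text: str) -> Optional[str]:
    """Strictly decode base64 to UTF-8 text; None if it is not valid base64/UTF-8."""
    try:
        raw = base64.b64decode(text, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def extract_webhooks(source: str, max_depth: int = 3) -> List[str]:
    """Return every Discord webhook URL in `source`, whether written in plaintext or
    hidden inside a (possibly nested) base64 string literal."""
    found: List[str] = []

    def add(url: str) -> None:
        if url not in found:
            found.append(url)

    for m in WEBHOOK_RE.finditer(source):
        add(m.group(0))
    for m in B64_LITERAL_RE.finditer(source):
        text = m.group(1)
        for _ in range(max_depth):          # peel nested base64 layers
            decoded = _decode_b64(text)
            if decoded is None:
                break
            for hit in WEBHOOK_RE.finditer(decoded):
                add(hit.group(0))
            text = decoded.strip()
    return found


def webhook_id(url: str) -> Optional[str]:
    """The numeric id Discord uses to identify a webhook (what an abuse report needs)."""
    m = WEBHOOK_RE.fullmatch(url)
    return m.group(1) if m else None


def scan_tree(root: str, exts=(".py", ".pyw", ".txt", ".json")) -> Dict[str, List[str]]:
    """Walk a directory of cloned repos and map each file to the webhooks found in it."""
    results: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]   # skip git metadata
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hooks = extract_webhooks(fh.read())
            except OSError:
                continue
            if hooks:
                results[path] = hooks
    return results


# Constructed samples; the id and token are invented for this example.
FAKE_HOOK = ("https://discord.com/api/webhooks/123456789012345678/"
             "AbCdEfGhIjKlMnOpQrStUvWxYz-0123456789_abcdefghijklmnop")
# Mimics the template's `trust = '<base64>'` line, which decodes to `myhook = '<url>'`.
SAMPLE_SOURCE = (
    "import base64\n"
    "trust = '" + base64.b64encode(f"myhook = '{FAKE_HOOK}'".encode()).decode() + "'\n"
    "exec(base64.b64decode(trust))  # not executed in this example\n"
)
# Two layers of base64 around a bare URL, to exercise the nested decoding.
NESTED_SAMPLE = "k = '" + base64.b64encode(base64.b64encode(FAKE_HOOK.encode())).decode() + "'\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hooks in scan_tree(sys.argv[1]).items():
            for hook in hooks:
                print(f"{path}\twebhook id {webhook_id(hook)}")
    else:
        print(extract_webhooks(SAMPLE_SOURCE), extract_webhooks(NESTED_SAMPLE))
```

This only handles the plain string-literal case the article shows; as catsma21 notes, samples packed with pyarmor or compiled with nuitka need dynamic analysis, so treat a scan that finds nothing as "unknown", not "clean".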

              • catsma21 10 months ago

                The article details how github is spammed by multiple people who read one guide. Not every single one of the 1000 repos is THE SAME breed of malware. Some overlap, maybe. But some is c#, some is rust, some is python. Out of those that are python, some are obfuscated with this love/trust/joy obfuscator, some use pyarmor, some are compiled with nuitka. No, the guide does not instruct you which malware strain to use, only how to game github for traffic.

                If it was that simple it would be a solved problem. I encourage you to give it a shot.

                • Aurornis 10 months ago

                  > not every single one of the 1000 repos is THE SAME breed of malware. some overlap, maybe. but some is c#, some is rust, some is python

                  No, the article is specifically about 1115 malware repos built from the same template

                  This is taken from the intro of the article:

                  > Wrote a script that helped me find 1115 repositories built based on the instructions from the guide.

                  I don’t know what you think you’re talking about, but you’re not talking about the article that I’m talking about.

                  The template repo is here: https://github.com/Jalynn0922/steal-cook

                  It contains the main.py script that the article is talking about.

                  • catsma21 10 months ago

                    NOT the same malware template. article only details how "This first repo I found" works, not all of them. look at how his github searching script works in "Scraping Github" - there is no way to determine what malware is in the repo, only that it is doing keyword stuffing.

  • Liquix 10 months ago

    ...why? what's the difference between "POST payload to discord webhook" vs. "POST payload to VPS rented anonymously"? it seems like an inexplicably bad decision to use a proprietary US service for your malware C&C

    • Aurornis 10 months ago

      These are not sophisticated attackers.

      Discord is free and easy. The notification pops up right where they’re already chatting with each other for 16 hours every single day.

      Renting a VPS and writing custom software to accept a POST request requires a credit card, programming skill, and time.

    • acedTrex 10 months ago

      These are not high effort malware distributors. It's very low hanging fruit done by script kiddies essentially.

vegadw 10 months ago

I think to an extent Microsoft is the guilty party here. For many cracks Windows Defender will trip saying "Win32/Keygen" even if there's no actual malware https://www.microsoft.com/en-us/wdsi/threats/malware-encyclo...

This trains people that do a lot of piracy to be used to turning off their antivirus to let something through, which is fine until it's not. It's like drugs, if we know a subset of the population will do them no matter what, we should make it safe for them to the extent we can. False positives, causing people to ignore actual positives, creates a market for these things.

  • Aurornis 10 months ago

    Bundling malware with keygens is a very common practice. It helps because the victim doesn’t suspect anything is wrong when the thing they downloaded appears to work, unlike the sham downloads in the linked article. Gives the attackers more time to exploit the system.

    You also need to look at the bigger picture: Keygens are something you very much do not want anywhere in a corporate environment for obvious reasons. Being able to flag them on Windows machines is very valuable.

    • vegadw 10 months ago

      Then make it a flag for windows machines on a domain account or otherwise set to be a "business PC". Doing it on consumer systems is still a problem. A false positive flag for malware - or calling any keygen malware - is still a problem. It shouldn't be removing keygens from the system because they're keygens. You shouldn't have to add exceptions for them. If they actually contain malware, great, yes, please flag them. If they're not and it's my personal computer, then if I choose to download some cars, that's none of their business.

    • catsma21 10 months ago

      some brands put cocaine in soda, let's ban soda altogether

  • landr0id 10 months ago

    Windows Defender believes that my Rust egui application is a trojan, but magically if I compile it with a different toolchain it's no longer flagged :p

    There's something seriously wrong with A/V heuristics.

    • snailmailman 10 months ago

      I’ve had similar issues across multiple programming languages. The latest is a C++ program with almost no dependencies. While I’m making changes and frequently recompiling, windows defender will randomly pop-up and let me know that it deleted my freshly-compiled binary. The change will often be something simple, and simply making any change and compiling again will randomly not get flagged.

      It’s extremely annoying. It’s my code, stop deleting it. It’s not malware.

    • whytevuhuni 10 months ago

      Given Rust's supply chain worries, maybe it really is, don't count it out too quickly.

dcow 10 months ago

Why should malware repos be deleted?

Serious question. The repos aren't themselves doing harm, are valuable for research, and would be distributed some other way if GH removed them. Maybe a banner “be careful! others have reported that this repo may not do what it claims. proceed with caution” would be a more appropriate response?

  • Aurornis 10 months ago

    > The repos aren't themselves doing harm,

    Yes they are. Did you read the part about the people doing this and getting 50-100 compromised computers per day? They’re stealing accounts and crypto with these.

    > are valuable for research,

    Research into how they’re harming people? The research is done. Time to move to fixing it.

    > and would be distributed some other way if GH removed them.

    This is like saying we shouldn’t wear seatbelts because some people will still die in car crashes anyway.

    You don’t avoid improving a situation just because you can’t perfectly fix it globally. You address what you can and reduce the problem.

    • dcow 10 months ago

      At least the malware is exposed in the light of day. I didn't say don’t fix something. I asked whether the malware should be removed vs e.g. being flagged by github. If github removes it, it will move somewhere else and be harder to keep a thumb on. That’s fine, I was curious because this “research” wouldn’t have happened in the first place if the malware was elsewhere. It sounds like intent here matters…

      • Aurornis 10 months ago

        > If github removes it, it will move somewhere else and be harder to keep a thumb on.

        It’s on GitHub for visibility and credibility to victims.

        If it moves somewhere else where victims can find it, the researchers can find it too.

  • timshOP 10 months ago

    I don't think that repositories presented and named as Malware or Virus should be deleted - they're good for educational and research purposes I guess. I specifically mean those that impersonate legit programs (if you can call a "free download" or "mod" apps legit).

  • jillesvangurp 10 months ago

    There is an official policy on this: https://docs.github.com/en/site-policy/acceptable-use-polici...

    So, sounds like the Github team should take some action here.

  • ale42 10 months ago

    To me those repos seem an abuse of what GitHub is for. I'm 100% fine with a repo hosting malware if it's there for security researchers and anybody else interested in the topic to study, etc. Even better if there is also documentation. I'm not fine with using GitHub (or any other site) as a distribution platform for malware, hiding the fact that the software is malicious in the first place.

  • otikik 10 months ago

    > The repos aren't themselves doing harm,

    Yes they are. They are being used as delivery mechanism for malware.

  • petesergeant 10 months ago

    > The repos aren't themselves doing harm

    Yes they are, they're distributing malware

    > are valuable for research

    Marginally, at best

    > and would be distributed some other way if GH removed them

    Another way that wasn't so well SEO-optimized and didn't carry the Github halo.

  • BoredPositron 10 months ago

    Only if they disguise as non malware I guess?

  • episteme 10 months ago

    > would be distributed some other way if GH removed them

    Maybe? But definitely to less people? I don't see the argument for allowing them.

  • qwertox 10 months ago

    Maybe a special flag with a passcode which must be passed to `git clone`, where this passcode is shown in such a banner. To make sure you've read the banner.

  • aqueueaqueue 10 months ago

    Good point instead of deleting, treat it like an invalid https cert. Lots of warnings and are you sures before you get to clone or fork.

  • Cthulhu_ 10 months ago

    Doesn't distributing malware break a number of laws?

    • yuppiepuppie 10 months ago

      What is the definition of distribution? If I posted a code snippet of malware on github or my personal site for educational purposes, does that count as distribution?

      • creshal 10 months ago

        That depends heavily on the law in question. Germany e.g. almost completely bans white hat activities because hacking is evil, and no amount of common sense has been able to get through lawmakers' thick skulls.

      • diffeomorphism 10 months ago

        Really? The malware went from your computer to someone else's and your defense is that it was not "distributed" but just magically moved from A to B?

        If you argued that it was clearly labeled as malware for educational purposes, that seems fine. It was distributed, but then distribution is allowed. But this is very clearly not the case here.

    • sim7c00 10 months ago

      Totally depends on where you live. I'd say in 99% of places you won't. Also, research purposes is ok if it's obvious. You can download malware in lots of places/sources, so taking them off of GitHub really won't do anything either.

      Personally, if I post such things I will either ensure it has detections everywhere or somehow neuter it. Usually for research you don't really need to have fully functioning malware, just enough to prove some question. So despite posting sources of malware being ok, and it being available in lots of places, I do think, especially for advanced things, it's better not to contribute it freely... but to each their own. I'd advise strongly against just outright posting functional cyber weapons, not because it's illegal, but simply because it's really not needed. There is more bad potential than positive use compared to broken or incomplete versions.

  • sgc 10 months ago

    These repos are targeting kids. They should be removed or at least disabled.

  • Retr0id 10 months ago

    They're just as useful for research as the spam/scam comments you occasionally see at the bottom of an HN thread.

KomoD 10 months ago

Fun fact: if you come across one of these discord webhooks you can delete them.

Just curl -X DELETE https://discord.com/api/webhooks/[...]

  • Etheryte 10 months ago

    I'm not familiar with the context here, could you please elaborate? If I understood correctly, any unauthenticated user can delete the webhook? I can currently find hundreds of matches for that on Github, anyone could just go and delete them all?

    • jeroenhd 10 months ago

      In many cases the necessary authentication string is present within the webhook URL itself (which you're supposed to keep secret). By possessing the URL, you've proven you're authorized to use it, and with Discord that also means you're authorized to remove it.

      In other cases you may need additional headers to authenticate, but if the script you've found contains the URL, it probably also contains the auth header too.

    • KomoD 10 months ago

      Yep, anyone can delete a Discord webhook if they have the URL.

      All you do is send a DELETE request to the URL.

  • cl3misch 10 months ago

    According to other comments stating how responsive Discord is to reports, it might be better to not delete these webhooks but instead report the connected users/servers.

  • Thorrez 10 months ago

    Interesting. Looks like this specific one has already been deleted:

        curl -X DELETE https://discord.com/api/webhooks/1050437982584324138/VJByvmBKESSUv4fYn0LIjlBR4VzMRTEPOKVJoWFvCeHd7o3LtclQMJDMuiLzT57iqn7B
        {"message": "Unknown Webhook", "code": 10015}

  • jeffhuys 10 months ago

    LOL okay going to write a little search&destroy script tonight. Actually, no, f microsoft, let them do it.
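The thread above turns on one fact: a Discord webhook URL embeds its own credential, so any script that contains the URL is both the exfiltration indicator and the key to the channel. A defender's first step is therefore to find such URLs in a downloaded "mod" before running it, including ones hidden in base64 literals, and to report them with the token redacted. The following scanner is an added example, not code from the article or from any commenter; the URL shape it matches (a 17-20 digit id followed by a 60+ character token, with the discord.com, discordapp.com, ptb and canary hostnames) is an assumption based on the URL format commonly seen in the wild, and the sample script it scans is constructed.

```python
"""Scan source files for Discord webhook URLs used as exfiltration channels."""
import base64
import binascii
from pathlib import Path
import re
from typing import Iterator, List, NamedTuple

# Assumed webhook URL shape: numeric snowflake id, then a long URL-safe token.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_\-]{60,})"
)
# Candidate base64 blobs: long runs of the base64 alphabet, optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


class Finding(NamedTuple):
    path: str
    line: int
    webhook_id: str
    encoded: bool  # True when the URL was hidden inside a base64 literal


def redact(url: str) -> str:
    """Replace the secret token so the finding can be shared in a report."""
    return WEBHOOK_RE.sub(lambda m: m.group(0).replace(m.group("token"), "<redacted>"), url)


def _decode_candidates(line: str) -> Iterator[str]:
    """Yield the decoded text of every base64-looking blob on the line."""
    for blob in B64_RE.findall(line):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue


def find_webhooks(text: str, path: str = "<text>") -> List[Finding]:
    """Return every webhook URL in `text`, plain or base64-encoded, by line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in WEBHOOK_RE.finditer(line):
            findings.append(Finding(path, lineno, m.group("id"), False))
        for decoded in _decode_candidates(line):
            for m in WEBHOOK_RE.finditer(decoded):
                findings.append(Finding(path, lineno, m.group("id"), True))
    return findings


def scan_tree(root: Path, suffixes=(".py", ".js", ".cs", ".txt", ".json", ".bat", ".ps1")) -> List[Finding]:
    """Walk a cloned repository and collect findings from source-like files."""
    results: List[Finding] = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                text = p.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            results.extend(find_webhooks(text, str(p)))
    return results


# Constructed sample (not from the page): a fake id and token in a fake script.
FAKE_ID = "123456789012345678"
FAKE_TOKEN = "x" * 68
FAKE_URL = f"https://discord.com/api/webhooks/{FAKE_ID}/{FAKE_TOKEN}"
SAMPLE_SCRIPT = "\n".join([
    "import requests",
    f'HOOK = "{FAKE_URL}"',
    'PAYLOAD = "' + base64.b64encode(FAKE_URL.encode()).decode() + '"',
    "print('just a mod loader')",
])

if __name__ == "__main__":
    for f in find_webhooks(SAMPLE_SCRIPT, "sample.py"):
        kind = "base64-hidden" if f.encoded else "plain"
        print(f"{f.path}:{f.line}: {kind} webhook id {f.webhook_id}")
    print(redact(FAKE_URL))
```

Run it against a clone with `scan_tree(Path("path/to/repo"))` before executing anything from it; a hit is strong evidence of a stealer regardless of what the README promises, and the redacted URL plus webhook id is what to put in an abuse report to GitHub or Discord.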

aerzen 10 months ago

I think the core of problem here is that applications are not isolated on the OS level.

If I download and install a mod for minecraft, it should never have access to anything on my computer, except for the minecraft game files itself. If I open a spreadsheet in Excel, the excel process should have access only to that file and its own config files.

Something similar to how android works, where the app has to explicitly ask the user to access their files.

  • kevindamm 10 months ago

    You're describing Qubes, which is great but I found it tedious to use as a daily driver.

    • literalAardvark 10 months ago

      The other general purpose sandboxes are just as valid. Which is why all modern OS are moving towards them (apk, appx, whatever OSX does).

      Yes, qubes is harder, but it's also very niche, barely supported, and difficult to use.

      There's really a lot of middle ground between "any application can do whatever on your system as the user running it" and "any application runs in a separate OS with no rights and just 120 lines of hardened hypervisor code in common."

  • pixl97 10 months ago

    >If I open a spreadsheet in Excel, the excel process should have access only to that file and it's own config files.

    So ya, you've just broken a thousand enterprise applications and integrations.

_7acn 10 months ago

In my opinion, Microsoft’s entire support is at a tragically poor and hopeless level. GitHub is flooded with open issues that remain open for years without any response from Microsoft. The same applies to Azure. The technical support there is also truly terrible, and it’s easy to find horror stories online about people losing access to their accounts and being unable to restore them.

  • ValdikSS 10 months ago

    When GoodbyeDPI malware was spreading using a similar template (lots of forked repos with password-protected archives), the Github abuse team instantly deleted it upon my request. Mean response time was 10-15 minutes.

    I also deleted files on the file sharing websites, such as mediafire and mega.

    My abuse emails followed the clear and understandable email template: your service is hosting malware, here's the link, it's password protected and the password is X, here are virustotal results, here's the original repo which it impersonates, and I want you to delete it.

    • ValdikSS 10 months ago

      However I remembered reporting the exact "cheats/cracks" from the post as well, and the response time was up to 5 days.

  • Hilift 10 months ago

    A bit late, but there was a bug in the GitHub Win32 OpenSSH that was introduced in the October 2024 cumulative update. This was precipitated by a PR from September 2023. It performs a permissions check on the logs and other folders, and apparently enforces the permissions it expects, as the service crashes/does not start. This seems to affect Windows platforms more, as opening an affected location in Windows Explorer probably prompts the user that access is denied, and would you like to update the permissions. https://github.com/PowerShell/Win32-OpenSSH/issues/2282

avodonosov 10 months ago

Some time ago I was asked to help install a mod for Plants vs. Zombies - a PVZ Fusion mod.

When searching for it I found multiple, some had downloads from GitHub repos. None was looking trustworthy enough, so I didn't download any. But I hesitated a little.

From how they looked, I think now that was the kind of malware the author describes.

t_believ-er873 10 months ago

If you've identified GitHub repositories hosting malware, you can report them directly to GitHub via their Abuse Report page, providing links and any relevant details. GitHub typically removes repositories that violate their Acceptable Use Policy, but response times may vary. If the malware is actively being used for harm, you may also consider reporting it to security organizations or CERT teams.

  • jeroenhd 10 months ago

    One thing I appreciate about Github is that every time I've reported something, I've felt like an actual human went through my report and actually read the things I wrote. Perhaps it's a bit silly to appreciate basic human interaction, but for so many online environments the only interaction you'll ever see is done through chatbots and automated work flows.

  • proactivesvcs 10 months ago

    I may have missed the part where the author reported these to GitHub, but they're not going to be removed if nobody actually reports them. What a lot of effort put in to seemingly give up at a crucial final step.

  • shawabawa3 10 months ago

    pretty sure this is an LLM generated comment

  • nubinetwork 10 months ago

    > response times may vary

    Waiting six months for Github to remove malicious repositories is unacceptable.

Fokamul 10 months ago

Ooh, these types of malware are very old.

Most fun you can have is to generate real-like looking data (there are tools for that) and mass send them to these discord webhooks.

;-)

Jimmc414 10 months ago

What's concerning is that this repository appears to be the template that much of this malware was built from: https://github.com/Jalynn0922/steal-cook. This repo mentioned in the article has existed on GitHub for 3 years without being taken down.

Also, I am seeing firsthand that AI is not good at detecting this stuff. Claude's main problem in a code review of one of its descendants was the unethical use of an aim-bot.

edit: to clarify, my concern is about how this can exist on Github for 3 years. Thank you for compiling this and sharing your review. Great work.

  • timshOP 10 months ago

    It’s not included in the list since it’s the stealer itself - it’s not misleading, it says “stealer”/“grabber”. But yeah the fact that it’s out still there is scary

nottorp 10 months ago

"Or why you should never download game mods"...

Like everything else, you shouldn't blindly search on github - or any other download site.

Only download from links referred from the official site if there's any, or the game's forum, or any other trustable and human reviewed source.

  • babygsmallz 10 months ago

    Best part is people downloading them and turning EVERYTHING off - running it as admin, antivirus off, everything. How can you trust something random off the internet that much?

    • nottorp 10 months ago

      Not random, but let's take this example:

      https://forums.beamdog.com/discussion/87952/icewind-dale-2-e...

      There is no official Enhanced Edition for IWD2 and there will never be because the source code is lost.

      This is a fan made mod that patches the original binaries in memory to add stuff like wide screen support etc. And it triggers your antivirus because of that.

      It's perfectly fine as long as you download it from the official sources.

extraduder_ire 10 months ago

> Less then 10% of them have open issues with complaints - others look just fine.

I don't know why anyone running one of these schemes to distribute malware would even enable the issues tab on github, let alone not delete every issue posted containing keywords like malware, trojan, virus, etc. with a script.

Are hidden until approved issues not supported on github? Is this caused by some limitation of creating these repos programmatically?

  • Aurornis 10 months ago

    These people are following a guide. They don’t know the details of GitHub.

    They don’t care about people who know enough to check the issues. They’re fishing for the people who blindly download and run things, not who look under the hood.

    • extraduder_ire 10 months ago

      Good point. I hadn't considered it might be intentional, like spam emails using poor grammar and appearing more scammy to select for easier marks.

Thorrez 10 months ago

>Yes, Redox creates and starts sqlite to gather all the data in a good-looking way.

Is that saying it creates a sqlite database? I kind of doubt it. I think more likely is it uses sqlite to read from existing sqlite databases that exist on disk, to steal data from them.

tomaytotomato 10 months ago

I must admit, sometimes reading gists and other repos on fixing hardware issues I think, "am I downloading malware?".

Better to have an attitude that Github is malware and a healthy skepticism of any repo?

avodonosov 10 months ago

Just deleting them is not so useful. It would be better to uncover the people behind them and who use the collected data.

Some honeypot scheme or social engineering against them.

Ideas?

neutralx 10 months ago

First image in the article reminds me of draw.io diagrams. Is this a drawio theme/library, or was some other tool used to create it?

numba888 10 months ago

The problem is this can be anything, not just mods and cracks. That's why I keep a separate laptop for banking. This may not help if hackers take over the router. But still better than nothing.

andypiper 10 months ago

I've been reporting these repos forever, they just keep on coming.

miunau 10 months ago

npm is full of this shit too, eg. https://www.npmjs.com/package/openssl-node which I reported weeks ago but is still sitting there.

Yeul 10 months ago

I always thought it was amusing that if you ask about pirating Windows or Office you get a link to GitHub.

Microsoft is alright in my book. Let GitHub be free.

nisten 10 months ago

No?

Maybe they could stop people from being able to git pull them without a confirmation, but deleting does not make sense

jbverschoor 10 months ago

Just don't allow direct downloads or clones. It will solve a lot, although not many.

nomilk 10 months ago

We could make an open source database. Then very simple browser extension to place a very prominent warning on any GitHub repo page that happens to be suspected malware.

I guess the problem is that only helps those who already know they need to watch out for this sort of thing, not the users most likely to be pwned.

nisten 10 months ago

No

teddyh 10 months ago

If there is no malware allowed on GitHub, I guess malware researchers have to use somewhere else to host their code. Which would be a preferable outcome, honestly.

linwangg 10 months ago

This raises a big question: How effective is GitHub’s abuse reporting system against large-scale malware campaigns? If 1,000+ malicious repos can persist for months, does this mean GitHub lacks automated scanning or relies too much on user reports?

neuroelectron 10 months ago

Is it really a problem to host malware on github?

  • Thorrez 10 months ago

    If you claim in the repo description that it's not malware in order to trick people into downloading it, then definitely yes.
