A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.
Generally available since November 2022, following a private preview period, GitHub Codespaces is a free cloud-based integrated development environment (IDE) that allows developers to create, edit, and run code in their browsers via a container-based environment that runs in a virtual machine (VM).
One of the features that GitHub Codespaces provides enables developers to share forwarded ports from the VM, either privately or publicly, for real-time collaboration purposes.
The private port can only be accessed via its URL, while publicly shared ports can be accessed by anyone with the URL, without any form of authentication.
According to Trend Micro, this collaboration feature can be abused by threat actors with accounts on GitHub to host malicious content, including scripts, ransomware, and other types of malware.
“Moreover, the barriers of costs in creating a Codespaces environment are now lower compared to creating a cloud service provider (CSP) account where you need a credit card to become a subscriber, be it in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and many others,” Trend Micro notes.
The cybersecurity firm says it created a Python-based HTTP server on port 8080 inside a codespace, shared the forwarded port publicly, and found that the resulting URL could be accessed by anyone, as requests to it did not require an authentication cookie.
Ports are typically forwarded on GitHub Codespaces via HTTP, but developers can change the protocol to HTTPS, which automatically makes the port private.
According to Trend Micro, an attacker could build a simple script to repeatedly create a codespace with a publicly exposed port and use it to host malicious content – essentially a webserver with an open directory containing malware – and set it to automatically delete itself after the URL has been accessed.
“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created codespace has a unique identifier to it, the subdomain associated is unique as well. This gives the attacker enough ground to create different instances of open directories,” Trend Micro says.
The cybersecurity firm says there is no evidence that this technique has been abused for nefarious purposes, but notes that threat actors are known to abuse free cloud services and platforms in malicious campaigns.
“In a scenario abusing this [technique], the attacker can manipulate the publicly shared port to infiltrate and deploy malicious content in a victim’s environment since the domain associated with the exposed port is unique and likely has never been flagged by security tools,” Trend Micro concludes.
To mitigate the risk, developers are advised to only use code they can trust, to make sure they only use recognized and well-maintained container images, to secure their GitHub accounts with strong passwords and with two-factor authentication (2FA), and to follow the best practices for using GitHub Codespaces.
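The report's point that each codespace gets a unique, never-before-seen subdomain cuts both ways: it defeats reputation-based blocking, but it also means a defender can treat any unrecognised forwarded-port host as worth a look. The following script is an added example for this article (it is not Trend Micro's or GitHub's code) that runs that check over a few constructed proxy log lines. It assumes forwarded ports appear under the `app.github.dev` suffix as `<codespace-name>-<port>.app.github.dev`; the `analyze` function, its allowlist, the risky-extension list and the log lines are all illustrative choices, not something the article specifies.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed hostname shape for a publicly forwarded Codespaces port. The article
# only says the subdomain is unique per codespace; adjust the suffix if your
# environment sees a different one.
CODESPACE_HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9-]*)-(?P<port>\d{2,5})\.app\.github\.dev$"
)

# File types whose retrieval from an unknown forwarded port deserves review.
RISKY_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".sh", ".py", ".zip", ".js")

# Constructed proxy log lines (not real traffic): ts client method url status
SAMPLE_LOG = """\
2023-01-17T10:00:01Z 10.0.0.5 GET https://dev-team-abc123-3000.app.github.dev/ 200
2023-01-17T10:00:09Z 10.0.0.7 GET https://zany-waffle-8f2c1d-8080.app.github.dev/ 200
2023-01-17T10:00:10Z 10.0.0.7 GET https://zany-waffle-8f2c1d-8080.app.github.dev/payload.exe 200
2023-01-17T10:00:40Z 10.0.0.7 GET https://bold-tiger-77aa0e-8080.app.github.dev/loader.ps1 200
2023-01-17T10:01:02Z 10.0.0.9 GET https://example.com/index.html 200
"""


def parse_line(line):
    """Split one space-separated log line into a record; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    parsed = urlparse(url)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": parsed.hostname or "",
        "path": parsed.path or "/",
        "status": int(status),
    }


def analyze(log_text, known_hosts=frozenset()):
    """Return (findings, churn).

    findings: one entry per request to a forwarded-port host that is not in
              the allowlist of codespaces your own developers are known to use.
    churn:    clients that touched more than one distinct unknown codespace
              host, which is the "rotating instances" pattern the report
              describes (short-lived codespaces, each with a fresh subdomain).
    """
    findings = []
    hosts_per_client = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        match = CODESPACE_HOST_RE.match(rec["host"])
        if not match or rec["host"] in known_hosts:
            continue
        hosts_per_client[rec["client"]].add(rec["host"])
        reasons = ["unknown_codespace_port"]
        if rec["path"].endswith("/"):
            # A bare directory path on a forwarded port looks like an open listing.
            reasons.append("directory_or_index")
        if rec["path"].lower().endswith(RISKY_SUFFIXES):
            reasons.append("risky_download")
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "host": rec["host"],
            "port": int(match.group("port")),
            "path": rec["path"],
            "reasons": reasons,
            "severity": "high" if "risky_download" in reasons else "medium",
        })
    churn = {c: sorted(h) for c, h in hosts_per_client.items() if len(h) > 1}
    return findings, churn


if __name__ == "__main__":
    allow = frozenset({"dev-team-abc123-3000.app.github.dev"})
    found, rotating = analyze(SAMPLE_LOG, known_hosts=allow)
    for f in found:
        print(f["severity"], f["client"], f["host"], f["path"], ",".join(f["reasons"]))
    print("clients cycling through unknown codespaces:", rotating)
```

The allowlist is what makes this usable: your own team's codespaces are legitimate, so feed their hostnames in and only the remainder is flagged. The churn map is the more telling signal, since a single client fetching files from several fresh codespace subdomains within minutes matches the disposable-instance behaviour Trend Micro describes, whereas a developer normally returns to the same codespace.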
SecurityWeek has emailed GitHub for a comment on Trend Micro’s findings and will update this article as soon as a reply arrives.
UPDATE: GitHub has provided the following statement:
GitHub is committed to investigating reported security issues. We are aware of this report and plan to add a prompt to users to validate that they trust the owner when connecting to a codespace. We recommend users of GitHub Codespaces follow our guidelines to maintain security and minimize risk of their development environment.