Attackers Can Abuse GitHub Codespaces for Malware Delivery

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.

Generally available since November 2022, following a private preview period, GitHub Codespaces is a free cloud-based integrated development environment (IDE) that allows developers to create, edit, and run code in their browsers via a container-based environment that runs in a virtual machine (VM).

One of the features that GitHub Codespaces provides enables developers to share forwarded ports from the VM, either privately or publicly, for real-time collaboration purposes.

The private port can only be accessed via its URL, while publicly shared ports can be accessed by anyone with the URL, without any form of authentication.

According to Trend Micro, this collaboration feature can be abused by threat actors with accounts on GitHub to host malicious content, including scripts, ransomware, and other types of malware.

“Moreover, the barriers of costs in creating a Codespaces environment are now lower compared to creating a cloud service provider (CSP) account where you need a credit card to become a subscriber, be it in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and many others,” Trend Micro notes.

The cybersecurity firm says it created a Python-based HTTP server on port 8080, shared the forwarded port publicly, and found that the URL could be accessed by anyone, as it did not include cookies for authentication.

Ports are typically forwarded on GitHub Codespaces via HTTP, but developers can change the protocol to HTTPS, which automatically makes the port private.

According to Trend Micro, an attacker could build a simple script to repeatedly create a codespace with a publicly exposed port and use it to host malicious content – essentially a webserver with an open directory containing malware – and set it to automatically delete itself after the URL has been accessed.

“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created codespace has a unique identifier to it, the subdomain associated is unique as well. This gives the attacker enough ground to create different instances of open directories,” Trend Micro says.

The cybersecurity firm says there is no evidence that this technique has been abused for nefarious purposes, but notes that threat actors are known to abuse free cloud services and platforms in malicious campaigns.

“In a scenario abusing this [technique], the attacker can manipulate the publicly shared port to infiltrate and deploy malicious content in a victim’s environment since the domain associated with the exposed port is unique and likely have never been flagged by security tools,” Trend Micro concludes.
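Because every codespace gets its own subdomain, per-host reputation has nothing to go on, so a defender has to match on the shared parent domain instead. The following is an added example, not code from Trend Micro or SecurityWeek, that scans web proxy logs for downloads from forwarded-port hosts; the host pattern, the log format, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated in the article): forwarded-port hosts look like
# <codespace-name>-<port>.preview.app.github.dev or <codespace-name>-<port>.app.github.dev
HOST_RE = re.compile(r"(?P<name>[a-z0-9-]+)-(?P<port>\d{2,5})\.(?:preview\.)?app\.github\.dev")
RISKY_EXT = (".exe", ".dll", ".msi", ".ps1", ".vbs", ".bat", ".sh", ".zip")

# Constructed proxy log, fields: timestamp client method url status bytes
SAMPLE_LOG = """\
2023-01-20T10:01:02Z 10.0.0.5 GET https://github.com/org/repo 200 5120
2023-01-20T10:01:09Z 10.0.0.7 GET https://example-user-demo-abc123-8080.preview.app.github.dev/ 200 812
2023-01-20T10:01:10Z 10.0.0.7 GET https://example-user-demo-abc123-8080.preview.app.github.dev/update.exe 200 734003
2023-01-20T10:03:44Z 10.0.0.9 GET https://dev-team-tool-xyz789-3000.preview.app.github.dev/index.html 200 2048
2023-01-20T10:04:00Z 10.0.0.9 GET https://x-8080.app.github.dev.lookalike.example/a.exe 200 100
"""

def parse_forwarded_host(url):
    """Return (codespace_name, port) for a forwarded-port URL, else None."""
    host = (urlsplit(url).hostname or "").lower()
    m = HOST_RE.fullmatch(host)  # fullmatch rejects lookalike parent domains
    return (m["name"], int(m["port"])) if m else None

def scan(log_text):
    """Group successful requests to forwarded-port hosts and rate each host."""
    hosts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        _ts, client, _method, url, status, _size = fields
        if status != "200" or parse_forwarded_host(url) is None:
            continue
        parts = urlsplit(url)
        entry = hosts.setdefault(parts.hostname, {"clients": set(), "risky_paths": []})
        entry["clients"].add(client)
        if parts.path.lower().endswith(RISKY_EXT):
            entry["risky_paths"].append(parts.path)
    for entry in hosts.values():
        # A file download from a forwarded port is rarer than a dev preview page.
        entry["severity"] = "high" if entry["risky_paths"] else "review"
    return hosts

if __name__ == "__main__":
    for host, info in scan(SAMPLE_LOG).items():
        print(info["severity"], host, sorted(info["clients"]), info["risky_paths"])
```

Hosts rated "review" are often legitimate developer previews, so an allowlist of codespaces owned by the organization's own accounts keeps the output manageable.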

To mitigate the risk, developers are advised to only use code they can trust, to make sure they only use recognized and well-maintained container images, to secure their GitHub accounts with strong passwords and with two-factor authentication (2FA), and to follow the best practices for using GitHub Codespaces.

SecurityWeek has emailed GitHub for a comment on Trend Micro’s findings and will update this article as soon as a reply arrives.

UPDATE: GitHub has provided the following statement:

GitHub is committed to investigating reported security issues. We are aware of this report and plan to add a prompt to users to validate that they trust the owner when connecting to a codespace. We recommend users of GitHub Codespaces follow our guidelines to maintain security and minimize risk of their development environment.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
