Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Attackers Can Abuse GitHub Codespaces for Malware Delivery

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.

Generally available since November 2022, following a private preview period, GitHub Codespaces is a free cloud-based integrated development environment (IDE) that allows developers to create, edit, and run code in their browsers via a container-based environment that runs in a virtual machine (VM).

One of the features that GitHub Codespaces provides enables developers to share forwarded ports from the VM, either privately or publicly, for real-time collaboration purposes.

The private port can only be accessed via its URL, while publicly shared ports can be accessed by anyone with the URL, without any form of authentication.

According to Trend Micro, this collaboration feature can be abused by threat actors with accounts on GitHub to host malicious content, including scripts, ransomware, and other types of malware.

“Moreover, the barriers of costs in creating a Codespaces environment are now lower compared to creating a cloud service provider (CSP) account where you need a credit card to become a subscriber, be it in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and many others,” Trend Micro notes.

The cybersecurity firm says it was able to create a Python-based HTTP server on port 8080, shared the forwarded port publicly, and noticed that the URL could be accessed by anyone, as it did not include cookies for authentication.

Ports are typically forwarded on GitHub Codespaces via HTTP, but developers can change the protocol to HTTPS, which automatically makes the port private.

According to Trend Micro, an attacker could build a simple script to repeatedly create a codespace with a publicly exposed port and use it to host malicious content – essentially a webserver with an open directory containing malware – and set it to automatically delete itself after the URL has been accessed.

“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created codespace has a unique identifier to it, the subdomain associated is unique as well. This gives the attacker enough ground to create different instances of open directories,” Trend Micro says.

The cybersecurity firm says there is no evidence that this technique has been abused for nefarious purposes, but notes that threat actors are known to abuse free cloud services and platforms in malicious campaigns.

“In a scenario abusing this [technique], the attacker can manipulate the publicly shared port to infiltrate and deploy malicious content in a victim’s environment since the domain associated with the exposed port is unique and likely have never been flagged by security tools,” Trend Micro concludes.

To mitigate the risk, developers are advised to only use code they can trust, to make sure they only use recognized and well-maintained container images, to secure their GitHub accounts with strong passwords and with two-factor authentication (2FA), and to follow the best practices for using GitHub Codespaces.

SecurityWeek has emailed GitHub for a comment on Trend Micro’s findings and will update this article as soon as a reply arrives.

UPDATE: GitHub has provided the following statement:

GitHub is committed to investigating reported security issues. We are aware of this report and plan to add a prompt to users to validate that they trust the owner when connecting to a codespace. We recommend users of GitHub Codespaces follow our guidelines to maintain security and minimize risk of their development environment.

Related: GitHub Introduces Automatic Vulnerability Scanning Feature

Related: GitHub Introduces Private Vulnerability Reporting for Public Repositories

Related: GitHub Account Renaming Could Have Led to Supply Chain Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.