Network Security, Malware, Third-party code

Abusing GitHub flaw could compromise GitLab

GitHub symbol

Open-source DevOps software project GitLab has also been impacted by the same security issue in GitHub comments that has been exploited by threat actors through Microsoft repository-linked URLs to facilitate the distribution of malware that was made to seem to originate from credible entities' official source code repositories, according to BleepingComputer.

Exploiting GitLab's comments functionality was noted by BleepingComputer to have enabled the uploading of files that could seem to be from the repositories of Wireshark, Inkscape, and other widely used open-source projects. Moreover, non-posting or later deletion of the comment would not result in the removal of the generated GitLab file.

Such findings indicate the elevated risks associated with the vulnerability, which could be leveraged by threat actors to lure targets into downloading malware-laced counterfeit software or other seemingly trustworthy software. GitLab, Microsoft, and GitHub have already been informed regarding the flaw but have yet to offer comments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.