Researchers from Trend Micro recently demonstrate how GitHub Codespaces can easily be configured to act as a web server for distributing malware. Launched in November 2022, GitHub Codespaces allows developers to deploy cloud-hosted platforms in virtualised containers to write, edit and run code directly from within a web browser. It also allow developers to forward TCP ports to the public so external users can test or view the application. The researcher claims that this feature can be abused by attackers to host malware on the platform. The attacker can theoretically run a simple python web server, upload malicious scripts or malware to their Codespace. Open a web server port on their VM and assign it to have “public” visibility. This approach allows them to evade detection as the traffic is coming from Microsoft.
This segment was created for the It’s 5:05 podcast