Trend Micro resellers have found out that the GitHub Codespaces feature, which has been publicly available since November 2022, can be used to deliver malware.

GitHub Codespaces is a free cloud-based integrated development environment (IDE) that allows developers to create, edit and run code in their browsers through a container environment running in a VM.

One of the features provided by GitHub Codespaces allows developers to share redirected ports from a VM both privately and publicly, for real-time collaboration.

A private port can only be accessed through a URL, while public ports can be accessed by anyone with a URL, without any form of authentication.

According to Trend Micro, this collaboration feature can be used by attackers with accounts on GitHub to host malicious scripts, ransowmare and other types of VPO.

The researchers were able to create a Python-based HTTP server on port 8080 and publicly share the forwarded port, while noting that the URL can be accessed by anyone, since it does not include cookies for authentication.

Port forwarding in GitHub Codespaces is usually implemented via HTTP, but developers can switch to HTTPS, which will automatically make the port closed.

According to Trend Micro, an attacker can create a simple script to repeatedly create a code space with a public port and use it to host malicious content — in fact, a web server with an open directory containing malware - and configure it to be automatically deleted after the URL has been accessed.

Thus, attackers can easily abuse GitHub Codespaces to quickly deliver malicious code by publicly opening ports in their codespace environments.

Since each created codespace has a unique identifier, the subdomain associated with it is also unique, which gives the attacker enough reasons to create different instances of open directories.

While there is no evidence that such a technique was used in the wild, but as you know, attackers often abuse free cloud services and platforms in conducting campaigns.

To reduce the risk of identified threats, developers are advised to use only the code they can trust, make sure they use only recognized and supported container images, and protect their GitHub accounts with strong passwords and 2FA.

In addition, GitHub plans to add a request to users to confirm that they trust the owner when connecting to the codespace.

The developer, in turn, recommends that GitHub Codespaces users follow the recommendations for ensuring security and minimizing the risks associated with their development environment.