Github is flooded with social engineering attacks and nothing can be done about it?

[macromeer]

Select Topic Area

Question

Body

I opened an issue on a repo and immediately got two identical comments asking me to download something and to install it: napari/napari#7213. Why can't I flag comments or accounts for review such as can be done on other platforms?

[Ammar-Alnagar]

I got the same problem but i noticed more and more are getting flagged as spam and getting removed
\

[konstin]

There is a huge number of these spam comments, they all seem to be pointing to the same link: https://github.com/search?q=%22https%3A%2F%2Fwww.mediafire.com%2Ffile%2Fo50xaz6wgtazqnx%2Ffix.zip%2Ffile%22&type=issues

[ebndev]

@konstin we appreciate you flagging this! I'll go ahead and forward this to be investigated.

[konstin]

We're still getting comments: astral-sh/uv#6675 (comment)

[ebndev]

Hi @macromeer, 👋🏻. The best route to get this to the proper GitHub team is to use our abuse reporting tools. Here's all the info:

• Reporting abuse or spam
• Reporting a user
• Reporting an issue or pull request
• Reporting a comment

You can report behavior and content that violates community guidelines and terms. We are going to close this post, but for this and any future incidents, please refer to the links above.

Thank you!

[konstin]

The reporting-a-user-for-spam form is making me click through a captcha every time is was reporting one of the spam bots, and then the ui also complained that i was reporting too many accounts, even through there were several spam accounts.

[MitchBomcanhao]

The worst bit here is that these seem to be legitimate accounts taken over by whatever virus they've installed. Trashing these accounts altogether might have unintended consequences.

[ebndev]

@konstin I've flagged this to the proper GitHub team so you don't have to report the users 1 by 1 for this case, sorry for that confusing experience!

[ThiefMaster]

Yeah, that reporting form is rather unpleasant to use. It feels exactly like the support ticket form it is. Even the (already convoluted) account reporting process on Instagram is less annoying than this.

[ThiefMaster]

It would be great if GitHub had some internal monitoring for such patterns. Many accounts suddenly posting the same link - especially one never seen before - is suspicious and warrants a human to have a look.

[Aokromes]

still commenting malware links
telegramdesktop/tdesktop#28322 (comment)

[jackpoz]

Just got 4 different users at pnp/powershell#4193 in 5 minutes leaving malware comments. Reported as many as I could before GitHub report system told me I reported too many :P

[wargio]

Virustotal run of the passwordless rar file: https://www.virustotal.com/gui/file/f0e6b26c9bbc64d0724108b2c3b23753ee2232d4975a39489a129e419299250e

[caineblood]

a simple search of all issues for "password: changme" shows over 4k posts with the same malware in the last 32hrs; some have been deleted but there are alot that have yet to be addressed; especially in large/popular gits such as home assistant. https://github.com/search?q=%22password%3A+changeme%22&type=issues

[DecimalTurn]

If you want to get only in the last few days, you need to modify your search query like this: https://github.com/search?q=%22password%3A+changeme%22+updated%3A%3E2024-08-25+&type=issues&s=created&o=desc

The number of these is currently going down and I get roughly 300 results.

[DecimalTurn]

A lot of the remaining results are people replying to the malicious comment and including the original message in their reply.

[caineblood]

After further investigation I have determined that it is automatically replying to new comments; i have had over 30 instances of it immediately replying with another malware link the moment i post a warning.

[caineblood]

they have now changed from mediafire to a bit.ly link, but the gcc and password part is still included.

[Aokromes]

they have now changed from mediafire to a bit.ly link, but the gcc and password part is still included.

yeah now malware is hosted on discord.

[ebndev]

Thanks all for sending updates! The Platform Health team is aware of this issue and are continuing to monitor it.

[Aokromes]

telegramdesktop/tdesktop#28335 (comment) they are back

[MikeMcC399]

@Aokromes The user KrissV2 seems to have been automatically deleted now.

[ThiefMaster]

Yes, I reported KrissV2 maybe half an hour ago and just got a reply from GitHub that "something" has been done about it.

[Aokromes]

@Aokromes The user KrissV2 seems to have been automatically deleted now.

yeah i reported him after write here, i wrote here in case different departament handles this and spam control.

[CypherpunkSamurai]

@ebndev the accounts commenting on the issues are legitimate accounts. I think straight away banning them would be wrong. It could have been from personal token leak or password breach.

I think what could be implemented is a blacklist of links from previous reported comments. If possible with short URL resolver as well to get full URL from links.

To curb the account takeover I think a cooldown and a karma system could be implemented. A user who posts too many links / comments on unrelated issues can have a exponentially increasing cooldown.

It's still commenting
openvax/pyensembl#310

[ThiefMaster]

They now switched to spamming issues.

[SNWCreations]

This issue still persists. I've also spammed by someone just few hours ago and I've reported that. Looking forward to official updates.
The malware also spreads using Discord CDN and named "fix.zip".
I've tricked by that, sorry for my stupid. It is lucky that I've revoked the attacker's session on my GitHub account. If you are attacked, revoke their session on your account before anything got worse!

[konstin]

They are back (astral-sh/uv#7018 (comment)):