
GitHub Repositories with Phony PoCs and Malware

Updated on 2022-10-24: GitHub Repositories with Phony PoCs and Malware

In a technical paper published earlier this month, researchers from Leiden Institute of Advanced Computer Science present findings from their study of the distribution of malicious proof-of-concept exploits on GitHub. In their paper, the researchers write, “We have proposed an approach to detect if a PoC is malicious … [that] relies on detecting the symptoms we have observed in the collected dataset, for example, calls to malicious IP addresses, encoded malicious code, or included Trojanized binaries. With this approach, we have discovered 4893 malicious repositories out of 47313 repositories that have been downloaded and checked (i.e., 10.3% of the studied repositories have symptoms of malicious intent). This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub.”


  • Fake exploits have a long history, and more recently, GitHub has become the favorite place to post real as well as fake exploits. Whenever you download an exploit, no matter if it comes from GitHub or other sources, first try to understand what the code is doing and be suspicious if parts of the code are particularly obfuscated or hard to read. Even once you review the exploit, run it with caution on isolated machines.
  • I know you want to download the exploit PoC and try it out in your lab. The message here is that they are often loaded with added malware you’re not expecting. Make sure you fully understand any obfuscated or binary code downloaded before executing it. Leverage OSINT tools like VirusTotal to analyze binaries. Also beware of network connections made / attempted in the lab in case the code is calling for more components or phoning a friend.


Overview: GitHub flooded with fake and malicious PoCs

If you’re a security researcher or IT admin tasked with defending your network and you download proof-of-concept code from GitHub, there’s a one in ten chance that you will download and run a fake or malicious exploit, according to the results of a sprawling study performed by academics from Leiden University in the Netherlands.

The researchers said they downloaded and analyzed 47,313 GitHub repositories containing PoC code for known vulnerabilities discovered between 2017 and 2021.

The research team analyzed if the exploit code communicated with known malicious IP addresses, if the exploit contained any obfuscated hexadecimal or Base64 code, or if the exploit contained known trojanized binaries.
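The three symptoms described above (contact with known malicious IP addresses, long obfuscated hex or Base64 blobs, and bundled binaries matching known trojanized files) can be applied as simple triage heuristics before a downloaded PoC is ever executed. The following is an added example written for this page, not code from the Leiden paper or the article; the indicator lists, file contents and hash are constructed placeholders.

```python
import hashlib
import re

# Constructed placeholder indicators (not real IoCs from the paper).
KNOWN_BAD_IPS = {"203.0.113.7"}  # TEST-NET-3 address, used as a stand-in
KNOWN_BAD_SHA256 = {hashlib.sha256(b"fake trojanized binary").hexdigest()}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")  # long Base64-looking runs
HEX_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){24,}|[0-9a-fA-F]{80,}")  # long hex runs

def scan_text(source: str) -> dict:
    """Apply the IP and encoded-blob heuristics to one text file."""
    return {
        "bad_ips": sorted({ip for ip in IP_RE.findall(source) if ip in KNOWN_BAD_IPS}),
        "base64_blobs": len(B64_RE.findall(source)),
        "hex_blobs": len(HEX_RE.findall(source)),
    }

def scan_binary(data: bytes) -> bool:
    """Flag a bundled file whose SHA-256 matches a known trojanized binary."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256

def classify_repo(files: dict) -> list:
    """files maps path -> raw bytes; returns the list of symptoms found."""
    symptoms = []
    for path, data in files.items():
        if scan_binary(data):
            symptoms.append(f"{path}: matches known trojanized binary")
            continue
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            continue  # unknown binary: not covered by these three heuristics
        r = scan_text(text)
        for ip in r["bad_ips"]:
            symptoms.append(f"{path}: contacts known malicious IP {ip}")
        if r["base64_blobs"]:
            symptoms.append(f"{path}: {r['base64_blobs']} long Base64 blob(s)")
        if r["hex_blobs"]:
            symptoms.append(f"{path}: {r['hex_blobs']} long hex blob(s)")
    return symptoms

# Constructed sample repository: a script that phones home and carries an
# encoded blob, a harmless README, and a bundled file with a known-bad hash.
SAMPLE_REPO = {
    "exploit.py": b'import socket\ns = socket.create_connection(("203.0.113.7", 4444))\n'
                  b'payload = "' + b"QUFB" * 20 + b'"\n',
    "README.md": b"# PoC (constructed sample, no real CVE)\n",
    "helper.exe": b"fake trojanized binary",
}
```

A repository with zero symptoms is not proven safe; the paper itself presents these checks as symptom detection, so a clean result still calls for reading the code and running it only on an isolated machine.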

The team said that using this analysis method, they identified 4,893 malicious repositories—roughly 10.3% of all the scanned repos. Sixty of these are still live today, the researchers told BleepingComputer in an interview.

Academics said the number of malicious repositories was high in 2019, 2020, and 2021, compared to 2017 and 2018. The researchers argued that this happened because those three years saw “a few CVEs that have had a massive security impact” rather than threat actors focusing on this particular distribution method.

Among the most dangerous examples the research team saw, they found exploits laced with Cobalt Strike backdoors, infostealers, and a plethora of remote access trojans.

Besides obviously malicious PoCs focused on collecting and exfiltrating data or infecting machines with malware, the Leiden University team also saw fake or joke PoCs with no malicious intent, such as your obligatory rick-roll.

GitHub flooded with fake and malicious PoCs

The infosec community went past its childish naivety stage a long time ago, so most researchers and IT admins don’t run PoCs directly on their production systems these days (hopefully 🤞). This study just puts a number on the chances of getting infected with malware if you’re running PoCs shared by some unknown account named PapaSmurf, rather than waiting for someone like Rapid7 or TrustedSec to release one.

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected].
