Hackers Hide Remcos RAT in GitHub Repository Comments

Published: 23/11/2024   Category: security




The tactic highlights bad actors' interest in trusted development and collaboration platforms, and in their users.



Trusted and widely used software development and collaboration platforms like GitHub and GitLab have become both targets of and vehicles for a growing range of malicious activity.
The latest manifestations of that trend include a malware distribution campaign that abuses legitimate GitHub repositories, and the release this week of an exploit for a vulnerability that lets an attacker log in to GitLab as any user.
The first is an example of how attackers exploit the trusted reputation of platforms like GitHub to sneak malware past secure email gateways and endpoint detection. The GitLab vulnerability, meanwhile, highlights organizations' growing exposure to exploits that give attackers access to code repositories, letting them exfiltrate secrets and data, modify or inject code into software, and manipulate the CI/CD pipeline.
Researchers at Cofense this week reported a phishing campaign in which a threat actor is attempting to direct targeted victims in the insurance and finance sectors to malware hosted on trusted GitHub repositories. The campaign involves tax-themed phishing emails containing a link to a password-protected archive (the password keeps gateway scanners from inspecting the contents) that holds Remcos, a remote access Trojan that cybercriminals and state-backed groups alike have used in cyber-espionage and data theft attacks over the years.
What makes the campaign noteworthy, according to Cofense, is how the threat actor managed to get archive files containing the Remcos RAT associated with legitimate GitHub repositories belonging to trusted entities. Examples include His Majesty's Revenue & Customs (HMRC), the UK's national tax authority; its New Zealand counterpart, Inland Revenue; and UsTaxes, an open source tax-filing platform.
In each instance, the attacker attached the malicious file to a comment on the entity's repository rather than committing it. GitHub hosts comment attachments at a github.com URL that, in the layout used at the time, carries the repository's owner and name, so the download link appears to come from the trusted project even though the file never entered its source tree. The upload happens as soon as the file is attached to a draft comment, so the attacker does not even need to post the comment for the link to go live.
Many GitHub repositories allow developers to comment on ongoing and collaborative software projects. The comments can cover a wide range of topics, including proposed code changes, documentation and bug-related issues, task creation, clarification requests, task management and progress updates, and merge conflict resolution.
GitHub comments are useful to a threat actor because malware can be attached to a comment in a GitHub repository without having to upload it to the source code files of that repository, Cofense security researcher Jacob Malimban wrote in a blog post. This means that any organization's legitimate GitHub repository that allows comments can contain unapproved files outside of the vetted code. Unsanctioned files that someone might submit via GitHub comments end up in a subdirectory that is separate from the one containing the repository's vetted files, Malimban said. What is especially troubling is the fact that the link to the malicious file will continue to work even if the comment itself gets deleted.
Other threat actors have noticed the opportunity as well. A recent case in point is the purveyor of the Redline Stealer, who earlier this year was spotted using no less than Microsoft's own GitHub repository to host the information-stealing malware. In that campaign, as with the new Remcos RAT attacks that Cofense spotted, the threat actor uploaded the malware as a comment attachment on Microsoft's vcpkg GitHub repository.
Emails with links to domains such as github.com are effective at skirting secure email gateways because of their trusted reputation. Attackers can, in fact, link directly to their malware on such domains without needing to redirect users to other sites or to rely on other security bypass techniques like having them scan QR codes, Cofense said.
The threat actor behind the new Remcos RAT campaign could easily have targeted victims in other sectors as well, but likely kept the focus narrow deliberately to test how effective hosting malware on GitHub repositories is before attacking others, Malimban surmised.
Meanwhile, the new exploit for GitLab targets a critical authentication bypass vulnerability (CVE-2024-45409) in the Ruby-SAML and OmniAuth-SAML libraries that GitLab uses for SAML-based single sign-on. The flaw lies in how Ruby-SAML verifies the XML signature on a SAML response: an unauthenticated attacker who can obtain any document signed by the identity provider can craft a SAML response carrying arbitrary assertions that still passes validation, and so log in to GitLab in the context of any user. The exploit script automates that. The vulnerability affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) below 16.11.10, and the flaw is also present in multiple 17.x releases. Only instances with SAML sign-in configured are exposed; GitLab's advisory also recommended enforcing two-factor authentication for all accounts and disabling the SAML two-factor bypass option as mitigation until the upgrade is done.
The exploit is another sign of the growing researcher and threat actor interest in repositories like GitHub and GitLab and their users. Over the past year there have been multiple instances of attacks targeting repos on GitHub, like one involving cyber-extortion that Chilean cybersecurity firm CronUp reported in June and another involving the use of ghost accounts on GitHub to distribute malware. GitLab users have had their share of security scares as well, like CVE-2024-45409 and two other recent vulnerabilities (CVE-2024-6385 and CVE-2024-5655) that posed a major threat to the integrity of CI/CD pipelines.
