SLIDE 1: Exploiting GitHub for C&C
GitHub is used by developers worldwide for open-source and private projects. We focus on GitHub because it is trusted by so many developers, which makes it an attractive platform for attackers to abuse. By taking advantage of GitHub's features, attackers can upload files that appear to belong to reputable repositories and use them for malicious activity. A design weakness in GitHub's comment-attachment feature lets cybercriminals upload malware (typically as ZIP archives) and share the resulting links as if they were legitimate release downloads.

SLIDE 2: Common Techniques for Hosting Malware
Fake Repositories:
- Attackers create repositories mimicking popular software.
- Users download and run the malware thinking it is the legitimate software.
Forking Legitimate Projects:
- Attackers fork a popular project and add malicious code.
- Users who build or install the compromised fork unknowingly execute the malware.
Embedding in Open Source Projects:
- Malware is embedded in a seemingly legitimate open-source project.
- Users of the project execute the malware as part of the software.

SLIDE 3: Real-World Examples (Updated)
Case Study 1: Malware Appearing to Be Hosted on Microsoft's Repositories
GitHub comments can be used to push malware through GitHub's CDN. The following URLs, used in the attack, made it look as though these ZIP files were part of Microsoft's source-code repositories:
https://github.com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
However, these files, which are malware, were nowhere to be found in Microsoft's code: the repositories never contained them. When leaving a comment on a commit or pull request, a GitHub user can attach a file (archive, document, etc.). The file is uploaded to GitHub's CDN and associated with the project through a unique URL in this format:
https://www.github.com/{project_user}/{repo_name}/files/{file_id}/{file_name}
The comment does not need to be posted for the link to be generated; the upload alone produces a working URL under the target project's name, without any action by the project's owners. A quick check for anyone handed such a link: a genuine GitHub release asset is served from a /releases/download/ path, whereas a /files/ path is a comment attachment, not repository content.
Threat actors can share these URLs on other platforms, tricking users into downloading malware from what looks like a trusted project.
Sources:
https://www.bitdefender.com/blog/hotforsecurity/github-flaw-could-allow-threat-actors-to-distribute-malware-on-gitlab/
https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/
Image source: https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/

Case Study 2: Similar Issues on GitLab
https://gitlab.com/inkscape/inkscape/uploads/edfdbc997689255568a7c81db3f3dc51/InkScape-2024-Latest.exe
https://gitlab.com/wireshark/wireshark/uploads/b4162053fbb4dc6ee4f673c532009e16/WireShark-v4.2.4-stable-release.exe
Comparison with GitHub's Process:
- GitLab users can abuse the comments feature to upload files that are stored on GitLab's CDN.
- The URLs make it look as though the files are part of popular repositories (here Inkscape and Wireshark), misleading users.
- Even if the comment is never posted or is later deleted, the file link remains active.
Details from the BleepingComputer Investigation:
- Readers pointed out that GitLab is vulnerable in the same way.
- The format for uploaded-file links on GitLab is:
https://gitlab.com/{project_group_name}/{repo_name}/uploads/{file_id}/{file_name}
- File IDs on GitLab are 32-character hexadecimal strings, so they look like MD4 or MD5 hashes.
Image and content source: https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/
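The URL formats quoted on these slides (GitHub's /files/{file_id}/{file_name} attachment path and GitLab's /uploads/{32-hex id}/{file_name} upload path) are enough to build a simple triage check: given a link, decide whether it points at repository content, a release asset, or a comment attachment that anyone could have uploaded under the project's name. The following classifier is an added example written for this page, not code from the articles cited or from GitHub or GitLab. The regular expressions, the list of "risky" extensions, the name-mimicry heuristic and the constructed release-asset and README URLs are the editor's assumptions; the four attachment URLs are the ones quoted on the slides. Nothing is downloaded; the code only inspects the URL string.

```python
import re
from urllib.parse import urlparse

# Path shapes taken from the URL formats quoted on the slides.
# GitHub comment attachment: /{owner}/{repo}/files/{numeric_file_id}/{file_name}
GITHUB_ATTACHMENT = re.compile(r"^/([^/]+)/([^/]+)/files/(\d+)/([^/]+)$")
# GitLab comment upload: /{group[/subgroup]}/{repo}/uploads/{32 hex chars}/{file_name}
GITLAB_UPLOAD = re.compile(r"^/(.+?)/([^/]+)/uploads/([0-9a-f]{32})/([^/]+)$")
# GitHub release asset path (assumption: treated as a genuine release download here)
GITHUB_RELEASE = re.compile(r"^/([^/]+)/([^/]+)/releases/download/[^/]+/([^/]+)$")

# Extensions worth flagging when served from an attachment path (editor's list, not the articles').
RISKY_EXT = (".zip", ".rar", ".7z", ".exe", ".msi", ".scr", ".bat", ".dll")


def classify_url(url: str) -> dict:
    """Report where a github.com / gitlab.com link actually points.

    kind is one of:
      "comment_attachment" - GitHub /files/ or GitLab /uploads/ path: the file was
                             attached to a comment, not committed to the repository
      "release_asset"      - GitHub /releases/download/ path
      "other"              - anything else (repository content, unrelated host, ...)
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host.startswith("www."):          # the slides show both github.com and www.github.com
        host = host[4:]
    path = parsed.path

    info = {"url": url, "host": host, "kind": "other", "project": None,
            "file_name": None, "risky_extension": False, "name_mimics_project": False}

    if host == "github.com":
        if (m := GITHUB_ATTACHMENT.match(path)):
            owner, repo, _file_id, name = m.groups()
            info.update(kind="comment_attachment", project=f"{owner}/{repo}", file_name=name)
        elif (m := GITHUB_RELEASE.match(path)):
            owner, repo, name = m.groups()
            info.update(kind="release_asset", project=f"{owner}/{repo}", file_name=name)
    elif host == "gitlab.com":
        if (m := GITLAB_UPLOAD.match(path)):
            group, repo, _file_id, name = m.groups()
            info.update(kind="comment_attachment", project=f"{group}/{repo}", file_name=name)

    if info["file_name"]:
        lower = info["file_name"].lower()
        info["risky_extension"] = lower.endswith(RISKY_EXT)
        # Heuristic: an attachment named after the project it is parked under is the lure
        # pattern seen in the InkScape / WireShark examples.
        repo_name = info["project"].rsplit("/", 1)[-1].lower()
        info["name_mimics_project"] = repo_name in lower
    return info


def flag_suspicious(urls):
    """Return the subset of URLs that are comment attachments with a risky extension."""
    return [u for u in urls
            if (c := classify_url(u))["kind"] == "comment_attachment" and c["risky_extension"]]


# Constructed sample: the four URLs quoted on the slides, plus a made-up release-asset
# link and a made-up repository-content link for contrast.
SAMPLE_URLS = [
    "https://github.com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip",
    "https://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip",
    "https://gitlab.com/inkscape/inkscape/uploads/edfdbc997689255568a7c81db3f3dc51/InkScape-2024-Latest.exe",
    "https://gitlab.com/wireshark/wireshark/uploads/b4162053fbb4dc6ee4f673c532009e16/WireShark-v4.2.4-stable-release.exe",
    "https://github.com/example-org/example-tool/releases/download/v1.2.0/example-tool.zip",  # constructed
    "https://github.com/example-org/example-tool/blob/main/README.md",                        # constructed
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        c = classify_url(u)
        print(f"{c['kind']:<19} {c['project']!s:<24} {c['file_name']!s:<40} "
              f"risky={c['risky_extension']} mimics={c['name_mimics_project']}")
    print("flagged:", flag_suspicious(SAMPLE_URLS))
```

Run on the sample list, the four attachment links are flagged and the constructed release-asset link is not, even though it also ends in .zip: the distinction the check draws is the path, not the file name. The same function can be run over proxy logs or mail-gateway URL extractions to surface links that borrow a trusted project's name without ever having been committed to it.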