SOCRadar® Cyber Intelligence Inc. | Threat Actors Use GitHub Codespaces Feature to Distribute Malicious Content


Jan 18, 2023
4 Mins Read

Threat Actors Use GitHub Codespaces Feature to Distribute Malicious Content

Since its public release in November 2022, GitHub Codespaces has been a popular environment among developers; however, researchers believe threat actors could also use it to launch attacks. According to researchers, Codespaces has a feature that can be abused by an attacker to host and distribute malware

The main reason developers prefer Codespaces is that it provides a pre-configured, container-based environment with all the required tools and dependencies. GitHub Codespaces enables developers to deploy cloud-hosted IDE platforms in virtualized containers, allowing them to write, edit, and run code directly from a web browser. 

How Do Attackers Utilize GitHub Codespaces?

GitHub Codespace is a cloud-hosted programming environment.
GitHub Codespace is a cloud-hosted programming environment.

GitHub Codespaces presents a port forwarding feature to allow developers to forward TCP ports to the public. This way, external users can test or view the applications. Threat actors can leverage the feature to convert their environment into a web server that distributes malware and malicious scripts.

Threat actors may be able to avoid detection or be perceived as a false positive while they keep up the scheme since GitHub is a trusted source. GitHub Codespaces, by default, uses HTTP in port forwarding; this can be changed to HTTPS to deceive any detection tools further. 

The port forwarding feature generates a URL that can be set to private or public to access the app running on that port. A private port forward requires authentication (as cookies or a token) to access the URL. On the other hand, a public port does not require authentication and is accessible to anyone who knows the URL. 

Researchers claim that threat actors could easily exploit public ports. In practice, a threat actor could run the simplest Python web server and upload malware or malicious scripts to the Codespace environment, then open a web server port on their virtual machine, and set the visibility to the public to begin their attack. 

The hosted files can then be accessed via the generated URL. The web server can be used to host phishing schemes or malicious executables. 

More Details

Analysts are also investigating how dev containers in GitHub Codespaces can be used to distribute malware more effectively. A dev container is a pre-configured container containing all the tools and dependencies for a specific project. It enables developers to connect through the version control system, share, and deploy quickly. Attackers can also use the port forwarding feature to download malicious content in their Codespaces environment. 

In a proof-of-concept (PoC) for this, the web server is deleted 100 seconds after the URL has been accessed. Creating a malicious webserver using Codespaces takes less than 10 minutes with the feature, even with no prior knowledge. 

The associated subdomain is also distinct because each newly created Codespace has a special identification number. This gives the attacker enough space to set up numerous open directories. 

GitHub automatically deletes inactive codespaces after 30 days, so attackers are allowed to use the same URL for a full month. 


Although there has not yet been any reported abuse of GitHub Codespaces, the report points out a possibility because threat actors typically prefer to target free platforms that are also recognized by security software. 

Below are common practices to prevent the risk of compromise: 

  • Whenever possible, use reliable code only, such as known GitHub repositories. Verify that the container images used in the dev container configuration are recognized and current. On container registries, be wary of typosquatted, malicious container images. 
  • For GitHub, use strong and unique passwords, and enable 2FA. Attackers may attempt to use existing accounts to gain access to or create a Codespaces environment. 
  • Check out GitHub Codespaces’s security architecture for tips on maintaining security and reducing the risk of an attack. 
  • Use SOCRadar to get alarmed when your used components or digital assets are under an active threat; SOCRadar tracks all security-related issues and brings you actionable feed. Be notified and effectively protect your organization from harm.