Github Rendering Vulnerability Used by Hackers #151605
Replies: 2 comments 1 reply
2 weeks, 100k views on YT thanks to Eric. Yet, it's still up. Do something. Literally you can see kids in issues are getting hacked.
Hi @h8d13, 👋🏻 We really appreciate you flagging this. The best route to get this to the proper GitHub team is to use our abuse reporting tools. Here's all the info: You can report behavior and content that violates community guidelines and terms, and these reports go straight to our Trust and Safety teams for further investigation and removal. I've also reported this on my end as well. Thank you for flagging this!
Topic area: Bug
I have found many packages using some weird stuff to hide code in plain sight.
https://github.com/ngat02/hayday-farming/blob/main/math.py
Taken down!! Nice :)
https://github.com/corvin-rose/hayday-farm-bot/blob/master/math.py
Problem is there are tens of them... This one's profile even links to a private website.
Thanks to Eric Parker https://www.youtube.com/watch?v=qgR88PEYXYE&t=70s
We now do know what it does behind the scenes!
The other side is figuring out the techniques used on the "front", github.
There are tens of similar packages for many game automations that look like viruses.
Is it because of markdown and hydration abuse?
Also, using math.py might be the reason?
Anyway, this would install requests, cryptography and fernet, not ideal for an OpenCV bot.
When you actually paste the code into an IDE you find a `';'importbase64';'exec` with a long string, and that's never good.
If you're feeling crazy, this is the b64 payload: https://pastebin.com/M8cps9iB
What is weird is that github seems to not be rendering this but delivering it regardless?
Also not a single virus scanner flags this?
What's weird is that even if you do check the GitHub carefully (I was just wondering why name a file "math") it looks normal. 99% sure this helps hide it from many safety checks.
I didn't go further into the reverse. Found many other duplicates of this for HayDay but also many other "patience" games labeled as working bots.
Worst part is they might even kind of work: while you're reverse-shelled you can have some wheat, maybe, perhaps. Also aimed at a younger audience, more prone to not realizing what is going on.
I did end up making one just for the fuck of it and hopefully to save some computer resets or worse.
https://github.com/h8d13/HayDay/blob/main/README.md
But ultimately there might be an issue with how the markdown is abused to look normal and could be replicated to any repo.
Sidenote: Also they are botting stars/forks for more downloads.
After a little more digging....
https://pastebin.com/6d8TPAZa
This shows us the full technique used to hide the code.
Firefox even already gives off several warnings about the page yet none on the page.
About 300 errors of low level and 1 high:
It also uses a:
https://github.com/codespaces/new/ngat02/hayday-farming/tree/main?resume=1
I'm guessing these are hotkeys to hide the code using a trigger event that is never triggered?
The hidden tags and react nodes seem like they could easily be flagged?
This makes me think of 2010 SEO hacks where you'd put h2s everywhere hidden in a white banner xD
Real question now is how many packages have this in them... There are at least 3 clones of this one and some with screenshots. One of them with 26 stars and 10 "forks".
As you can see with the readme files of these projects, it's clearly botted contribs, due to the pattern always being hidden in math or any predefined system package, and with a whole project that looks legit before diving in.
My ultimate question is how this is exploited when run in an elevated env, because we already know it pings back somewhere due to the requests library; the other question is what it does on the host.
I hope there is something GitHub devs are able to do about this. As this could affect any GitHub user that uses contributed packages, and due to the fact that, however thorough you are, you just can't see it. :)
EDIT: Got a lot of comments on Eric Parker's video suggesting that a simple line of code could word wrap and at least have GitHub users aware of the hidden code. Which I found insightful, as it is literally just a front-end question at that point.
As for hiding stuff in math.py, I'm 90% sure this helps bypass certain checks for virus tools.
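The hiding trick described in this post (a harmless-looking line padded with a long run of whitespace so the real code sits off-screen, followed by a base64-decode-and-exec) is easy to catch once you know to look for it. The scanner below is an added example for this discussion, not code from the post, from GitHub, or from any of the repositories linked above. It reports long lines, mid-line whitespace runs (with what a reader would see versus what actually follows), long base64-looking literals, and `exec`/`eval` calls whose argument passes through a decoder. The two thresholds (`LONG_LINE`, `WHITESPACE_RUN`) and the sample files it scans are assumptions constructed here; it never executes anything it finds.

```python
"""Scan Python sources for code hidden behind long whitespace runs and for
decode-then-exec patterns. Added example; thresholds below are assumptions."""
import ast
import base64
import re
import sys

LONG_LINE = 200        # assumption: lines this long need horizontal scrolling in most viewers
WHITESPACE_RUN = 40    # assumption: a mid-line run of spaces/tabs this long is almost never legit
DECODERS = {"b64decode", "b32decode", "b16decode", "fromhex", "decompress"}

_WS_RUN = re.compile(r"\S[ \t]{%d,}\S" % WHITESPACE_RUN)
_B64_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{100,}['\"]")


def scan_source(src: str) -> list[dict]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        if len(line) > LONG_LINE:
            findings.append({"line": lineno, "kind": "long_line", "length": len(line)})
        m = _WS_RUN.search(line)
        if m:
            # Split the line into what a reader sees and what the padding hides.
            findings.append({"line": lineno, "kind": "whitespace_padding",
                             "visible": line[:m.start() + 1],
                             "hidden": line[m.end() - 1:][:60]})
        if _B64_BLOB.search(line):
            findings.append({"line": lineno, "kind": "base64_blob"})
    # Structural check: exec()/eval() fed by a decoder somewhere in its argument.
    try:
        tree = ast.parse(src)
    except SyntaxError:
        findings.append({"line": 0, "kind": "unparseable"})
        return findings
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")):
            attrs = {n.attr for n in ast.walk(node) if isinstance(n, ast.Attribute)}
            via = sorted(attrs & DECODERS)
            if via:
                findings.append({"line": node.lineno, "kind": "decode_then_exec", "via": via})
    return findings


def is_suspicious(src: str) -> bool:
    """True when the high-signal findings (padding or decode-then-exec) are present."""
    return any(f["kind"] in ("whitespace_padding", "decode_then_exec")
               for f in scan_source(src))


# Constructed samples (not from any real repository). The blob is harmless text.
_BLOB = base64.b64encode(b"# constructed placeholder payload, never executed\n" * 4).decode()
SAMPLE_HIDDEN = (
    '"""Helpers for a farming bot (constructed sample)."""\n'
    "def clamp(x, lo, hi):\n"
    "    return max(lo, min(x, hi))\n"
    "\n"
    "def lerp(a, b, t):\n"
    "    return a + (b - a) * t" + " " * 300
    + f";import base64;exec(base64.b64decode('{_BLOB}'))\n"
)
SAMPLE_CLEAN = (
    "def clamp(x, lo, hi):\n"
    "    return max(lo, min(x, hi))\n"
)

if __name__ == "__main__":
    # Usage: python scan_hidden.py path/to/math.py [more files...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_source(fh.read()):
                print(f"{path}:{f['line']}: {f}")
```

Run against a file like the `math.py` discussed above, the `whitespace_padding` finding shows the innocent prefix a reviewer scrolled past and the `;import base64;exec(` tail that follows it, which is exactly the word-wrap problem the EDIT mentions: the code is on the page, it just isn't in view.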