Study Suggests Risk of Malware Infection from GitHub-Hosted PoC Exploits is Over 10%

A recent study, conducted by researchers at Leiden Institute of Advanced Computer Science, suggests the risk of being infected with malware from downloading proof-of-concept (PoC) exploit code from GitHub is more than 10%.

GitHub is a popular code-hosting platform that is used by more than 83 million developers worldwide for contributing to the open source community and sharing, tracking, and controlling changes to their code. GitHub is commonly used by security researchers for publishing PoC exploits for vulnerabilities, which can be used to check the impact of vulnerabilities and test fixes to see if they have been fully remediated.

The researchers determined that GitHub is being increasingly used to host fake PoC exploits. Some of these fake PoC exploits were determined to be prankware, but a significant number contained malware. The researchers analyzed more than 47,300 repositories on GitHub which claimed to provide a PoC for a known vulnerability. The researchers performed an IP address analysis, which compared the publisher’s IP address with public blocklists and VT and AbuseIPDB. A binary analysis was run on the executables and hashes against VirusTotal, and obfuscated files were decoded using hexadecimal and Base64 analyses prior to performing binary and IP checks.

They extracted 150,734 unique IP addresses, of which 2,864 matched blocklist entries, and 1,522 were found to be malicious from the VirusTital scans and 1,069 were present in the AbuseIPDB database. Their binary analysis on 6,160 executables found 2,164 malicious files in 1,398 repositories. In total, 10.3% of the repositories tested were determined to be malicious. The researchers shared their findings with GitHub and the malicious repositories are in the process of being taken down.

The research has highlighted the risks associated with blindly trusting GitHub repositories, and the importance of running a variety of tests on any PoCs that are downloaded prior to executing them. The researchers have proposed an approach that all security researchers should take to ensure any PoCs they download are not malicious.

The study has served as a cleaning exercise to remove malicious PoCs from GitHub; however, the researchers hope that their work will help with the development of an automated solution that could be used to flag malicious elements in code uploaded to GitHub. The researchers are currently working on a detector that could be used for this purpose.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of