Cloud-based developer environments allow developers to code from virtually anywhere, starting right from their smartphones, tablets, or any device with a browser and an internet connection. GitHub Codespace (CS) is one such feature-rich, cloud-based service from Microsoft that enables developers to build software from anywhere.
After it became publicly available in November 2022, any GitHub user could create at least two active CS instances and use them for free with limits on storage, processing power, and duration. CS instances are isolated virtual machines (VMs) hosted on Azure that can be accessed using a web browser, the GitHub CLI, or integrated development environments (IDEs) such as VSCode and JetBrains, among others. Since any GitHub user could create CS environments, it did not take long for attackers to find ways to abuse this service.
In January 2023, we shared a proof of concept showing how an attacker could abuse a feature that allows ports to be exposed on GitHub CS to deliver malware through open directories. It should be noted that open directories aren’t new: threat actors have been documented using them to serve malicious content such as ransomware, exploit kits, malware samples, and the like.