Researchers warn that hackers can use GitHub Codespaces to host and deliver malware.

According to a new report from Trend Micro, threat actors can abuse the port forwarding feature in GitHub Codespaces to host and distribute malware and malicious scripts.

GitHub Codespaces became widely available for free in November 2022. The cloud-based integrated development environment (IDE) allows developers and organizations to customize projects by configuring dev container files.

Many developers prefer it for its pre-configured, container-based environment equipped with all the tools and dependencies needed for their projects. Codespaces helps by “easing pain points in project development”, according to Trend Micro.

The Trend Micro report demonstrates how GitHub Codespaces can also be configured to act as a web server for distributing malicious content while potentially avoiding detection because the traffic comes from Microsoft.

Fast, easy and cheap — also for hackers

GitHub Codespaces allows developers to forward TCP ports to the public so external users can test or view applications. When a port is forwarded in a Codespace VM, the GitHub feature generates a URL to access the app running on that port, and the port can be configured as either private or public.

If the application port is shared privately, browser cookies are used and required for authentication. However, if ports are shared with the public, attackers can abuse the feature to host malicious content such as scripts and malware samples.
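For defenders, the private/public distinction above gives a usable signal. The Python below is an added example, not code from the Trend Micro report or this article: it triages web-proxy logs for requests to forwarded Codespaces ports. The log format, the sample lines and the hostname pattern are assumptions to adapt to your own telemetry.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated in this article): forwarded-port hostnames end in
# "-<port>.app.github.dev", optionally with a "preview." label before "app".
FORWARD_HOST = re.compile(
    r"^(?P<name>[a-z0-9-]+)-(?P<port>\d{1,5})\.(?:preview\.)?app\.github\.dev$")
NON_BROWSER_UA = re.compile(r"^(curl|wget|python-requests|powershell)", re.I)
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".sh", ".bat", ".vbs", ".hta", ".msi")

# Constructed sample proxy log: time client method url status "user-agent"
SAMPLE_LOG = """\
2023-01-20T10:01:02Z 10.0.4.17 GET https://octo-dev-abc123-8080.preview.app.github.dev/index.html 200 "Mozilla/5.0 (Windows NT 10.0)"
2023-01-20T10:03:44Z 10.0.9.52 GET https://example-user-xyz789-8000.preview.app.github.dev/update.ps1 200 "PowerShell/7.3"
2023-01-20T10:05:10Z 10.0.9.52 GET https://github.com/org/repo 200 "Mozilla/5.0 (Windows NT 10.0)"
2023-01-20T10:06:31Z 10.0.2.8 GET https://example-user-xyz789-8000.preview.app.github.dev/a.sh 302 "curl/7.88.1"
"""
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def triage(log_text):
    """Return one finding per request to a forwarded Codespaces port."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, _method, url, status, ua = m.groups()
        parts = urlsplit(url)
        host = FORWARD_HOST.match((parts.hostname or "").lower())
        if not host:
            continue  # ordinary GitHub or unrelated traffic
        reasons = []
        # Privately shared ports require browser cookies, so a 200 served to
        # a cookie-less command-line client suggests the port is public.
        if status == "200" and NON_BROWSER_UA.match(ua):
            reasons.append("non-browser client got 200 (port likely public)")
        if parts.path.lower().endswith(PAYLOAD_EXT):
            reasons.append("script or executable path")
        severity = ("info", "review", "high")[len(reasons)]
        findings.append({
            "time": ts, "client": client, "host": parts.hostname,
            "port": int(host.group("port")), "severity": severity,
            "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Developers legitimately browse their own forwarded ports, so the "info" rows are inventory rather than alerts; the "high" rows are the ones worth correlating with endpoint telemetry.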

In addition, the Trend Micro report points out that the cost barrier to creating a Codespaces environment is lower than that of creating a cloud service provider (CSP) account, where one needs a credit card to become a subscriber. This makes the feature even more attractive to hackers.