
GitHub comments used to distribute malware (BleepingComputer)


Posted Apr 24, 2024 16:26 UTC (Wed) by rrolls (subscriber, #151126)
Parent article: GitHub comments used to distribute malware (BleepingComputer)

A wonderful example of an inventive exploit and an unintended loophole.

> The URLs for the malware installers [would appear like, for example:]
> https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip

I think the "right" solution here would be to change `/microsoft/vcpkg/` to `/comments/username_of_comment_author/`, or something like that.

It's `username_of_comment_author` who controls that content, so the URL should make that clear, and not associate it with a well-known entity that isn't responsible for it.

Though, I imagine they'll have a tricky time actually implementing such a change...


GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 24, 2024 16:31 UTC (Wed) by josh (subscriber, #17465) [Link] (1 responses)

> I think the "right" solution here would be to change `/microsoft/vcpkg/` to `/comments/username_of_comment_author/`, or something like that.

This seems like the right answer, yeah.

This rhymes with a previous exploit of this type: if you made a PR against a repository, you could link to files via that repository and your commit hash, and they'd look like they were part of the repository. GitHub's fix was to show a banner saying they weren't part of the repository.
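As an added example (not code from the LWN thread, GitHub or BleepingComputer), here is a small Python classifier that tells a comment-attachment URL of the shape quoted above apart from a release asset or a file in the repository, so a link checker or mail filter can label it as content controlled by whoever posted the comment rather than by the repository owner. The regular expressions, the sample URLs and the `published_by_repo` flag are assumptions modelled on the URL forms discussed in the thread; the hex-looking-ref heuristic is a rough nod to josh's point that a commit-hash link can point at a PR commit that was never part of the repository.

```python
import re
from urllib.parse import urlparse

# Constructed sample links, modelled on the owner/repo/files/<id>/<name> shape
# quoted in the thread. Defanged "[.]" and "hxxp" notation is accepted.
SAMPLE_LINKS = [
    "https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip",
    "https://github.com/example-org/example-repo/releases/download/v1.2.0/tool-1.2.0.tar.gz",
    "https://github.com/example-org/example-repo/blob/main/README.md",
    "https://github.com/example-org/example-repo/blob/0123456789abcdef0123456789abcdef01234567/setup.sh",
    "https://example.com/not-github.zip",
]

# Assumed path shapes (not an official GitHub specification):
# a file uploaded through the comment box of an issue or pull request ...
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<file_id>\d+)/(?P<filename>[^/]+)/?$"
)
# ... an asset attached to a published release ...
RELEASE_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/(?P<tag>[^/]+)/(?P<filename>[^/]+)$"
)
# ... and a file in the repository tree at some ref (branch, tag or commit hash).
BLOB_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?:blob|raw)/(?P<ref>[^/]+)/(?P<path>.+)$"
)


def refang(url: str) -> str:
    """Undo common defanging so a quoted indicator can be parsed as a URL."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def classify_github_link(url: str) -> dict:
    """Return a dict describing who controls the content behind a GitHub URL."""
    parsed = urlparse(refang(url.strip()))
    host = (parsed.hostname or "").lower()
    if host not in ("github.com", "www.github.com"):
        return {"kind": "not-github", "url": url, "published_by_repo": None}

    m = ATTACHMENT_RE.match(parsed.path)
    if m:
        # The path names owner/repo, but the bytes were uploaded by a commenter;
        # the repository owner never reviewed or published them.
        return {"kind": "comment-attachment", "owner": m["owner"], "repo": m["repo"],
                "filename": m["filename"], "published_by_repo": False}

    m = RELEASE_RE.match(parsed.path)
    if m:
        return {"kind": "release-asset", "owner": m["owner"], "repo": m["repo"],
                "tag": m["tag"], "filename": m["filename"], "published_by_repo": True}

    m = BLOB_RE.match(parsed.path)
    if m:
        # Heuristic: a bare hex ref may be a commit reachable only from a fork's
        # pull request, which the URL alone cannot prove belongs to the repo.
        hashy = re.fullmatch(r"[0-9a-f]{7,40}", m["ref"]) is not None
        return {"kind": "repo-file", "owner": m["owner"], "repo": m["repo"],
                "ref": m["ref"], "path": m["path"], "ref_is_commit_hash": hashy,
                "published_by_repo": not hashy}

    return {"kind": "other-github", "path": parsed.path, "published_by_repo": None}


def audit_links(urls) -> list:
    """One warning line per link whose content is not published by the repo owner."""
    warnings = []
    for url in urls:
        info = classify_github_link(url)
        if info["kind"] == "comment-attachment":
            warnings.append(f"{info['filename']}: uploaded by a commenter to "
                            f"{info['owner']}/{info['repo']}, not released by that project")
        elif info["kind"] == "repo-file" and info["ref_is_commit_hash"]:
            warnings.append(f"{info['path']}: pinned to commit {info['ref']}, "
                            f"which may not be part of {info['owner']}/{info['repo']}")
    return warnings


if __name__ == "__main__":
    for line in audit_links(SAMPLE_LINKS):
        print("WARNING:", line)
```

Feeding `audit_links` the links extracted from an e-mail or chat message yields a warning for the `files/<id>/` attachment and for the commit-pinned blob, while the release asset and the branch-pinned README pass silently.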

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 15:42 UTC (Thu) by wtarreau (subscriber, #51152) [Link]

Yeah, I totally agree, and it's way better than my suggestion of a hash!

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 19:52 UTC (Thu) by srdjant (guest, #171146) [Link]

What is interesting is that this is the same git repo that was mentioned in another LWN article's comments (https://lwn.net/Articles/967866/) regarding the actions of a specific user who was (probably innocently) suspected of being involved with the XZ attack, because of their actions (being pushy about updating a version to the vulnerable xz version) in an issue for that repo.

I would say it's probably just a random coincidence, but I am not surprised that devs and maintainers are now looking carefully at their own, and other important projects for signs of attack (e.g. the ZSH Plugin Manager video from 8 days ago).

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 29, 2024 7:28 UTC (Mon) by eduperez (guest, #11232) [Link]

Yes, it makes sense that the files associated with a comment appear as belonging to the owner of the comment, not the owner of the repo where the comment was made. Also, the files are uploaded and linked even if the comment is abandoned and never posted; another sane measure would be to delete the files if the comment is not posted or gets deleted later.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds