Netskope Threat Protection recently blocked several GitHub Pages sites that were infected by Ramnit. This post explores how these sites came to be infected by Ramnit and discusses the potential reach an attacker has when they compromise a GitHub repository.
Disclosure
Netskope reported the accounts infected with Ramnit to GitHub on 3 October 2019.
GitHub Pages
GitHub Pages are public web pages, usually hosted on GitHub’s github.io domain at a URL of the form ‘username.github.io’. GitHub Pages also comes with a powerful static site generator called Jekyll. Jekyll uses templates to convert Markdown into static HTML content, as shown in Figure 1.