{"id":15120510,"url":"https://github.com/mortenson/pr-sneaking","last_synced_at":"2025-07-09T16:32:58.256Z","repository":{"id":69715847,"uuid":"92688539","full_name":"mortenson/pr-sneaking","owner":"mortenson","description":"A repository demonstrating how you can sneak malicious code into Github PRs","archived":false,"fork":false,"pushed_at":"2017-05-29T22:30:02.000Z","size":93,"stargazers_count":11,"open_issues_count":1,"forks_count":1,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-09-26T02:09:07.499Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mortenson.png","metadata":{"files":{"readme":"readme.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-28T21:37:44.000Z","updated_at":"2024-04-12T08:17:23.000Z","dependencies_parsed_at":"2023-06-29T19:30:53.716Z","dependency_job_id":null,"html_url":"https://github.com/mortenson/pr-sneaking","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mortenson%2Fpr-sneaking","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mortenson%2Fpr-sneaking/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mortenson%2Fpr-sneaking/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mortenson%2Fpr-sneaking/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mortenson","download_url":"https://codeload.gith
ub.com/mortenson/pr-sneaking/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225570427,"owners_count":17489885,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-09-26T02:00:40.436Z","updated_at":"2024-11-20T13:58:25.299Z","avatar_url":"https://github.com/mortenson.png","language":"CSS","funding_links":[],"categories":["Techniques"],"sub_categories":["Defense Evasion"],"readme":"# pr-sneaking\n\nThis repository exists to demonstrate methods of sneaking malicious code into\nGitHub pull requests.\n\nWhile there has never been a real-world example of this kind of attack before,\nit makes sense to me as an exploit vector. If you want to compromise thousands\nof sites using XSS, all you would have to do is get one piece of malicious code\ncommitted to a common npm package. If your targets are using an automated\nbuild, you could see your exploit released the day after the npm package\nreleases.\n\nSo far I only have two methods of hiding malicious code in a GitHub PR, but I\nwelcome contributions!\n\n## Example 1: Manually add exploit into minified/compiled code\n\nIn [pull request #1](https://github.com/mortenson/pr-sneaking/pull/1), I fix a\nlegitimate bug in the source code, but after compiling the source with bower, I\nmanually edit the minified JS and add the code `alert('foo')`. 
By using the\nGitHub interface, can you spot the code without using your browser's search?\n\nThis seems trivial, but if you can find a file that is rarely compiled, the\ncode you sneak in could live there for a long time.\n\n## Example 2: Add NULL character and exploit to any file\n\nGitHub, and Git for that matter, don't like NULL characters in source code. If\nyou run `git diff` on your command line after adding a NULL character to a\nfile, it doesn't output anything.\n\nGitHub has a slightly different behavior, where files with NULL characters are\ndisplayed as \"Binary file not shown\", even if their file type is normal.\n\nIn [pull request #2](https://github.com/mortenson/pr-sneaking/pull/2), I add an\neasily committable change to source, but manually add an exploit and a NULL\ncharacter to a compiled file. Looking at the diff in GitHub, would you spot the\nissue? If so, would you still spot it if dozens of files, including binary\nfiles, were changed?\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmortenson%2Fpr-sneaking","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmortenson%2Fpr-sneaking","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmortenson%2Fpr-sneaking/lists"}