{"id":51978,"date":"2023-05-19T00:00:00","date_gmt":"2023-05-19T00:00:00","guid":{"rendered":"urn:uuid:57e4af0f-b3df-cf63-1cfd-2c3a75ca9357"},"modified":"2023-05-19T00:00:00","modified_gmt":"2023-05-19T00:00:00","slug":"rust-based-info-stealers-abuse-github-codespaces","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/","title":{"rendered":"Rust-Based Info Stealers Abuse GitHub Codespaces"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Cover-rust-based-info-stealers-abuse-github-codespaces.jpg\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"This is the first part of our security analysis of an information stealer targeting GitHub Actions (GHA) and GitHub Codespaces (CS) that discusses how attackers can abuse these cloud services for a variety of malicious activities.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"cloud,malware,cyber crime,privacy &amp; risks,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2023-05-19\"> <meta property=\"article:tag\" content=\"cloud\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces.html\"> <title>Rust-Based Info Stealers Abuse GitHub Codespaces<\/title> <link 
href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces.html\"><br \/>\n<meta property=\"og:title\" content=\"Rust-Based Info Stealers Abuse GitHub Codespaces\"><br \/>\n<meta property=\"og:description\" content=\"This is the first part of our security analysis of an information stealer targeting GitHub Actions (GHA) and GitHub Codespaces (CS) that discusses how attackers can abuse these cloud services for a variety of malicious activities.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Cover-rust-based-info-stealers-abuse-github-codespaces.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Rust-Based Info Stealers Abuse GitHub Codespaces\"><br \/>\n<meta name=\"twitter:description\" content=\"This is the first part of our security analysis of an information stealer targeting GitHub Actions (GHA) and GitHub Codespaces (CS) that discusses how attackers can abuse these cloud services for a variety of malicious activities.\"><br \/>\n<meta name=\"twitter:image\" 
content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Cover-rust-based-info-stealers-abuse-github-codespaces.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.658968437259\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1008143413\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.771186440678\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.033898305085\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\">This is the first part of our security analysis of an information stealer targeting GitHub Codespaces (CS) that discusses how attackers can abuse these cloud services for a variety of malicious activities.<\/p>\n<p class=\"article-details__author-by\">By: Nitesh Surana, Jaromir Horejsi <time class=\"article-details__date\">May 19, 2023<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"46.442169907881\">\n<div readability=\"40.75537359263\">\n<p>Cloud-based developer environments allow developers to virtually code from anywhere and 
start right from their smartphones, tablets, or any device with a browser and an internet connection. <a href=\"https:\/\/github.com\/features\/codespaces\">GitHub Codespace<\/a> (CS) is one such feature-rich, cloud-based service from Microsoft that enables developers to build software from anywhere.<\/p>\n<p>After its availability was made public in <a href=\"https:\/\/github.blog\/2022-11-10-whats-new-with-codespaces-from-github-universe-2022\/\">November 2022<\/a>, any GitHub user could create at least two active CS instances and use them for free with limits on storage, processing power, and duration. CS instances are isolated virtual machines (VMs) hosted on Azure that can be accessed using the web browser, <a href=\"https:\/\/cli.github.com\/\">GitHub CLI<\/a>, or other integrated developer environments (IDEs) such as VSCode and JetBrains, among others. Since any GitHub user could create CS environments, it did not take long for attackers to find ways to abuse this service.<\/p>\n<p>In January 2023, we <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/a\/abusing-github-codespaces-for-malware-delivery.html\">shared<\/a> a proof of concept showing how an attacker could abuse a feature allowing the exposure of ports on GitHub CS to deliver malware with open directories. It should be noted that open directories aren\u2019t new and threat actors have been documented using these&nbsp;for serving malicious content such as ransomware, exploit kits, malware samples, and the like.<\/p>\n<p>In relation to this, we recently came across <a href=\"https:\/\/www.rust-lang.org\/\">Rustlang<\/a>-based <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/Info-stealer\">info stealers<\/a> targeting Windows. Much like the technical details shared in our <a href=\"https:\/\/twitter.com\/TrendMicroRSRCH\/status\/1651831667621855233\">previous Twitter thread<\/a>, these info stealers disguised themselves as applications or platforms. 
Our investigation showed how these info stealers operate by leveraging <a href=\"https:\/\/docs.github.com\/en\/codespaces\/developing-in-codespaces\/forwarding-ports-in-your-codespace\">exposed ports<\/a> on a CS instance to exfiltrate credentials from an infected machine. In this blog, we detail one of these info stealers masquerading as a popular computer game. This will serve as the first part of the series, to be followed by another entry analyzing how this info stealer is able to persist on the victim machine after it infects an existing installation of Discord.<\/p>\n<p><span class=\"body-subhead-title\">Overview of functions<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure1-rust-based-infostealers-abusing-github-codespaces.png\" alt=\"fig1-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 1. A brief overview of the first section of this info stealer<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>Analyzing the info stealer sample with a decompiler, we noticed a number of interesting function names, including anti-debugging features and stealing data from web browsers, Discord, Steam, and cryptocurrency wallets, among others.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure2-rust-based-infostealers-abusing-github-codespaces.jpg\" alt=\"fig2-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 2. 
Suspicious functions (top) and when we decompiled the main function of the sample (bottom)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.110367892977\">\n<div readability=\"15.635451505017\">\n<p><span class=\"body-subhead-title\">Functions for anti-debugging and anti-analysis<\/span><\/p>\n<p>Initially, the function called <i>malware::anti_debug::detect::hfc268b042e05af6a()<\/i> checks if the sample is running in a controlled environment. The function fetches the username and, later, the current host name to compare it with a list of <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/Usernames-Hostnames-Blocklist-Rust-Based-Info-Stealers-Abuse-GitHub-Codespaces.txt\" target=\"_blank\" rel=\"noopener\">blocklisted usernames and host names<\/a> that might have been used in sandboxes and debugging environments. If any match is found, the stealer process is terminated. For comparison of a similar method, we found a repository of a <a href=\"https:\/\/github.com\/xtekky\/Python-Anti-Debug\/blob\/29ac56ce752a2060cdb91610c22bd6dba5fbf516\/anti-debug.py#L408\">Python-based<\/a> anti-debugger with anti-debugging and anti-analysis procedures implemented.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure3-rust-based-infostealers-abusing-github-codespaces.png\" alt=\"fig3-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 3. 
Anti-debug checks implemented by the stealer<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"47.259949463045\">\n<div readability=\"39.797852179406\">\n<p><span class=\"body-subhead-title\">Stolen information breakdown<\/span><\/p>\n<p>In this section, we enumerate the stolen data and processes we found from the infection routine of the info stealer malware.<\/p>\n<p><b>Stealing browser data<\/b><\/p>\n<p>Once the anti-debug checks are done and no sandbox or debugging environment is detected, the stealer collects the credentials stored on the victim machine, such as passwords, cookies, and credit card information, from the following popular web browsers:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">360Browser<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Amigo<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Brave<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Chromodo<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Chromunium (sic)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">CocCoc<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Comodo<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Epic Privacy Browser<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Google Chrome<\/span><\/li>\n<li><span class=\"rte-red-bullet\">K-Melon<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Kometa<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Mail.Ru<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Maxthon3<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Nichrome<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Orbitum<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Slimjet<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Sputnik<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Torch<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Uran<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Vivaldi<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Yandex<\/span><\/li>\n<\/ul>\n<p>We observed that \u201cChromunium\u201d is a typo 
of \u201cChromium,\u201d and it does not work. Nor did we find any public mentions of \u201cChromunium\u201d being a browser. Notably, the majority of modern browser codebases, including Microsoft Edge, are based on <a href=\"https:\/\/www.chromium.org\/chromium-projects\/\">Chromium<\/a>, a free and open-source project, even though Edge does not appear in the stealer\u2019s list of browsers to check.<\/p>\n<p>While analyzing the function <i>malware::browsers::steal_data::h8cac638d5caa2249()<\/i>, however, we also noticed mentions of a function called <i>get_chromunium_targets<\/i>. While looking for related stealer code on GitHub, we came across a repository containing Rust source code, which on examination proved to be an info stealer that sends stolen information to the attacker\u2019s webhook. Based on the similarities of the function code, sequence of browsers, and applications being targeted, the info stealer analyzed in this blog post was likely based on or inspired by the stealer we discovered in the GitHub repository.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure4-rust-based-infostealers-abusing-github-codespaces.png\" alt=\"fig4-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 4. Calling a function named \u201cget_chromunium_targets\u201d in one of the methods from the info stealer<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure5-rust-based-infostealers-abusing-github-codespaces.png\" alt=\"fig5-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 5. 
Possible source code related to the info stealer based on function name and capabilities<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"46.337412587413\">\n<div readability=\"37.867132867133\">\n<p>Meanwhile, the collected credentials for each targeted browser are saved under the following files:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>%localappdata%\\Microsoft\\Security\\Browsers\\&lt;browser_name&gt;\\Default\\Passwords.tx<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%localappdata%\\Microsoft\\Security\\Browsers\\&lt;browser_name&gt;\\Default\\Netscape Cookies.txt<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%localappdata%\\Microsoft\\Security\\Browsers\\&lt;browser_name&gt;\\Default\\Credit Cards.txt<\/i><\/span><\/li>\n<\/ul>\n<p><b>Stealing cryptocurrency wallet data<\/b><\/p>\n<p>After collecting the browser credentials, the stealer proceeds to steal information from various cryptocurrency wallets. It then targets known wallets from the paths under the <i>&lt;%localappdata%&gt;<\/i> and <i>&lt;%appdata%&gt; <\/i>folders, as identified here:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>\\Armory<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>\\atomic\\Local Storage\\leveldb<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>\\bytecoin<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>\\Coinomi\\Coinomi\\wallets<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>\\Electrum\\wallets<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>\\Ethereum\\keystore<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>\\Exodus\\exodus.wallet<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>\\Guarda\\Local Storage\\leveldb<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>\\Zcash<\/i><\/span><\/li>\n<\/ul>\n<p><b>Stealing Discord 
data<\/b><\/p>\n<p>The stealer also targets the messaging application Discord and looks for Discord tokens. These tokens allow malicious actors to impersonate the victims on the platform once acquired. Once the token is found, it is written to the file <i>Discord Tokens.txt <\/i>located in <i>&lt;%localappdata%\\Microsoft\\Security&gt;.<\/i> The tokens are scanned from the following paths:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>%appdata%\\discord\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%appdata%\\discord\\Local Storage\\leveldb\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%appdata%\\discordcanary<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%appdata%\\discordptb<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%appdata%\\discorddevelopement<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%localappdata%\\Discord<\/i><\/span><\/li>\n<\/ul>\n<p><b>Stealing Steam data<\/b><\/p>\n<p>The Steam configuration files from <i>&lt;%programfiles(x86)%\\Steam\\config\\&gt;<\/i> are copied to the folder <i>&lt;%localappdata%\\Microsoft\\Security\\Steam\\&gt;<\/i> for later exfiltration. Stolen credentials and configuration files are stored in the following paths and files:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>%localappdata%\\Microsoft\\Security\\Browsers\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%localappdata%\\Microsoft\\Security\\Wallets\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%localappdata%\\Microsoft\\Security\\Steam\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>%localappdata%\\Microsoft\\Security\\Discord Tokens.txt<\/i><\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Exfiltration<\/span><\/p>\n<p>The previously collected files are compressed into a file named <i>diagnostics.zip<\/i> and stored in the path &lt;<i>%localappdata%\\Microsoft\\diagnostics.zip&gt;. 
<\/i>The stealer uses <a href=\"https:\/\/gofile.io\/\">gofile.io<\/a>, a file-sharing platform that allows users to upload and share files anonymously. Initially, the stealer fetches the best available gofile.io server by querying <i>api.gofile.io<\/i>. Depending on the response, the best server to send files to or receive files from is used in the subsequent request in the format <i>storeX.gofile.io<\/i>, where \u201cX\u201d is a number (such as \u201cstore2\u201d in Figure 6).<\/p>\n<p>The stealer then uploads the compressed file via a POST request to the endpoint <i>\/uploadFile<\/i>. The body of the POST request contains the collected credentials from the victim.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure6-rust-based-infostealers-abusing-github-codespaces.png\" alt=\"fig6-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 6. Requesting the best server for upload<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure7-rust-based-infostealers-abusing-github-codespaces.png\" alt=\"fig7-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 7. Uploading stolen credentials to the gofile server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>In the response, we get the gofile.io URL where the uploaded file is stored. This URL can be accessed by anyone without any authentication. 
We also get a token in the <i>guestToken<\/i> parameter, which the uploader can subsequently use to delete the content identified by the <i>parentFolder<\/i> and <i>fileId<\/i> parameters. After the gofile.io upload is complete, the stealer queries <i>ifconfig.me<\/i> to fetch the public IP address of the victim machine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure8-rust-based-infostealers-abusing-github-codespaces.png\" alt=\"fig8-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 8. HTTP GET request to get the public IP address of the infected machine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.601459854015\">\n<div readability=\"22.76496350365\">\n<p>The last step is submitting the stolen information to the <a href=\"https:\/\/docs.github.com\/en\/webhooks-and-events\/webhooks\/about-webhooks\">GitHub webhook<\/a> controlled by the attacker. This is the summary of stolen information exfiltrated by the stealer:<\/p>\n<ol>\n<li>List of browsers found<\/li>\n<li>Computer name<\/li>\n<li>Number of cookies extracted<\/li>\n<li>Total number of credit cards extracted<\/li>\n<li>Discord status (if Discord is installed or not)<\/li>\n<li>Number of passwords extracted<\/li>\n<li>Uploaded <i>gofile.io<\/i> URL of <i>diagnostics.zip<\/i><\/li>\n<li>Steam status (if any Steam data was stolen or not)<\/li>\n<li>Username of the user running the info stealer<\/li>\n<li>List of cryptocurrency wallets extracted<\/li>\n<li>Windows operating system version<\/li>\n<\/ol>\n<p>The stealer then embeds all the pieces of information about the victim into a JSON file and sends this via a POST request to a GitHub CS URL. We saw a POST request attempting to exfiltrate the stolen information to the GitHub CS endpoint that listens at port 8080. 
Had the CS been active, port 8080 would have been publicly exposed without requiring authentication, and the exfiltrated information would have been successfully sent to and received by the attacker.<\/p>\n<p>According to our sample and testing, the exfiltration of the data to the webhook failed with the status \u201c302 Moved Temporarily.\u201d If we try to access the gofile.io URL, we will see that the file <i>diagnostics.zip<\/i> has been uploaded to the server and can be downloaded by anyone with the URL link because no authorization is required.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure9-rust-based-infostealers-abusing-github-codespaces.png\" alt=\"fig9-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 9. Failed exfiltration of stolen data to the GitHub Codespaces webhook <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/figure10-rust-based-infostealers-abusing-github-codespaces.png\" alt=\"fig10-rust-based-info-stealers-abuse-github-codespaces-CS-GHA\"><figcaption>Figure 10. Uploaded file to gofile.io<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.681093394077\">\n<div readability=\"14.863325740319\">\n<p>In the second part of this analysis, we detail our investigation of how this information-stealing malware achieves persistence on the infected machine by modifying the victim\u2019s installation of Discord. 
We also enumerate our security recommendations and insights on how users and security teams can defend their networks and endpoints against this growing threat.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>Download the full list of indicators <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces\/IOC-list-rust-based-info-stealers-abuse-github-codespaces.txt\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/rust-based-info-stealers-abuse-github-codespaces.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the first part of our security analysis of an information stealer targeting GitHub Codespaces (CS) that discusses how attackers can abuse these cloud services for a variety of malicious activities. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":51979,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9521,9511,9513,9536],"class_list":["post-51978","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-malware","tag-trend-micro-research-privacyrisks"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Rust-Based Info Stealers Abuse GitHub Codespaces 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Rust-Based Info Stealers Abuse GitHub Codespaces 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-19T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Cover-rust-based-info-stealers-abuse-github-codespaces.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Rust-Based Info Stealers Abuse GitHub 
Codespaces\",\"datePublished\":\"2023-05-19T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/\"},\"wordCount\":1589,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/rust-based-info-stealers-abuse-github-codespaces.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Privacy&amp;Risks\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/\",\"name\":\"Rust-Based Info Stealers Abuse GitHub Codespaces 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/rust-based-info-stealers-abuse-github-codespaces.png\",\"datePublished\":\"2023-05-19T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/rust-based-info-stealers-abuse-github-codespaces.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/rust-based-info-stealers-abuse-github-codespaces.png\",\"width\":3125,\"height\":2084},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rust-based-info-stealers-abuse-github-codespaces\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Rust-Based Info Stealers Abuse GitHub Codespaces\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat 
IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Rust-Based Info Stealers Abuse GitHub Codespaces 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/","og_locale":"en_US","og_type":"article","og_title":"Rust-Based Info Stealers Abuse GitHub Codespaces 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-05-19T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Cover-rust-based-info-stealers-abuse-github-codespaces.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Rust-Based Info Stealers Abuse GitHub Codespaces","datePublished":"2023-05-19T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/"},"wordCount":1589,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/rust-based-info-stealers-abuse-github-codespaces.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Malware","Trend Micro Research : Privacy&amp;Risks"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/","url":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/","name":"Rust-Based Info Stealers Abuse GitHub Codespaces 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/rust-based-info-stealers-abuse-github-codespaces.png","datePublished":"2023-05-19T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/rust-based-info-stealers-abuse-github-codespaces.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/rust-based-info-stealers-abuse-github-codespaces.png","width":3125,"height":2084},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/rust-based-info-stealers-abuse-github-codespaces\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Rust-Based Info Stealers Abuse GitHub 
Codespaces"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a
8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=51978"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51978\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/51979"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=51978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=51978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=51978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}