GitHub Codespaces, a cloud-hosted integrated development environment (IDE), has a port forwarding feature that malicious actors can abuse to host and distribute malware to unaware developers.

“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their Codespace environments,” the researchers said.

So Permiso researchers decided to leak their own test AWS key on GitHub, while turning on logging so that they could see exactly what an attacker might ask for, and what the responses might be.