Gitpaste-12, the worm that propagates via GitHub and uses GitHub and Pastebin to host malicious payload, is active again with new exploits. Earlier, the worm was found exploiting 12 vulnerabilities, and now it has returned with over 30 vulnerability exploits. This worm targets IoT devices, Linux systems, and open-source components.

Quick insights

The worm was first discovered in late-October, targeting Linux-based servers and IoT devices. 
  • The recent attacks use payloads hosted on a new GitHub repository, which includes a Linux-based cryptominer, a list of passwords for brute-force attacks, and a statically linked Python 3.9 interpreter.
  • The first phase of the worm’s initial system compromise still uses previously-disclosed vulnerabilities. However, a recent version of this worm expanded the extent of those attack vectors.
  • The recent sample, named X10-unix, is a UPX-packed binary created using the Go programming language. Compiled for x86_64 Linux systems, this variant exploits 31 known vulnerabilities.
  • Many of these targeted vulnerabilities are new, with some being disclosed as recently as September, such as those in vBulletin (CVE-2020-17496) and Tenda routers (CVE-2020-10987).

Other recent activities

Hackers can often be observed abusing vulnerabilities to gain access inside a targeted network or propagate their malware. Last month, the Gitpaste-12 malware was discovered exploiting eleven previously-disclosed vulnerabilities such as CVE-2017-5638, CVE-2013-5948, CVE-2020-10987, and more.


Cybercriminals will continue to attack organizations using new and updated malware that exploit vulnerable IoT and smart devices. Thus, experts recommended using a reliable anti-malware solution, regularly updating the operating system and applications, and updating and patching every IoT device.

Cyware Publisher