I just attempted this myself by creating an issue, commenting a file, copying the link and not submitting the issue.
It seems to work initially, but then 5m later the file gets deleted and the link leads to a dead s3 asset page.
So I believe this is fixed. Though the solutions suggested below are crafty, trying to reproduce myself shows me this has been addressed by the GH team.
Maybe. Haven't tried it. Though, that does make the attack vector a little less intense than persisting even without an issue. At least the attack vector can be tracked.
FWIW, I tested this out as well by clicking open issue and uploading a file and then not actually submitting the issue. The file is still accessible 2 days later.
Just want to point out that GitHub removing the asset after 15 minutes is actually worse than leaving it. The least appetizing aspect of this for adversaries is that your payload is now forever available to anyone with the logs. If it were the adversary’s choice (submit the issue and it stays, only draft the issue and it gets wiped, good riddance, a phenomenal C2 stager indeed!)