Skip to content
Tech News
← Back to articles

Nearly 300 GitHub repos pose as legit software to push malware

read original more articles

A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.

The campaign drew traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.

The malware collects data from more than 19 web browsers, steals info from 32 cryptocurrency wallets, and exfiltrates sensitive details from messaging and social media apps.

Cybersecurity company ArcticWolf identified the activity after finding that one of its products was impersonated in the campaign starting June 26.

In total, the researchers uncovered 292 fake repositories, each including a README file with a download link directing visitors to a malicious download page.

Fake GitHub repository featuring badges of authenticity

Source: Arctic Wolf

The landing pages feature wording and branding designed to inspire trust, such as a button named "Download Secure Content" and spoofed trust badges.

Analyzing the code for the delivery page, the researchers noticed that it relies on "a single templated HTML/JS artifact reused across all impersonated brands."

" Its client-side script parses the URL path into two segments – path[0] as a user_code (the “rotating” path token, e.g., yyvxx9rswefr, which tracks the referring repository/redirector), and path[1] as the referrer domain (e.g., Arctic-Wolf[.]github.io)," Arctic Wolf says.

... continue reading