A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.
The campaign drew traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.
The malware collects data from more than 19 web browsers, steals info from 32 cryptocurrency wallets, and exfiltrates sensitive details from messaging and social media apps.
Cybersecurity company ArcticWolf identified the activity after finding that one of its products was impersonated in the campaign starting June 26.
In total, the researchers uncovered 292 fake repositories, each including a README file with a download link directing visitors to a malicious download page.
Fake GitHub repository featuring badges of authenticity
Source: Arctic Wolf
The landing pages feature wording and branding designed to inspire trust, such as a button named "Download Secure Content" and spoofed trust badges.
Analyzing the code for the delivery page, the researchers noticed that it relies on "a single templated HTML/JS artifact reused across all impersonated brands."
" Its client-side script parses the URL path into two segments – path[0] as a user_code (the “rotating” path token, e.g., yyvxx9rswefr, which tracks the referring repository/redirector), and path[1] as the referrer domain (e.g., Arctic-Wolf[.]github.io)," Arctic Wolf says.
... continue reading