Hundreds of GitHub repos found posing as real software to push malware
Russian hackers are trying to sneak infostealers onto people's devices to grab passwords, crypto, and more.
- ArcticWolf uncovered 292 malicious GitHub repositories spoofing legitimate tools and products, delivering a new BoryptGrab infostealer variant
- Malware steals from 19 browsers, 32 crypto wallets, messaging apps, Steam, and Windows Credential Manager, and uniquely bypasses Chrome’s App‑Bound Encryption via code injection
- Most repos have been removed, but some remain active; GitHub’s popularity makes it a prime target, underscoring the need to vet code before use
Russian actors have reportedly created hundreds of malicious GitHub repositories masquerading as legitimate software but acting as a dangerous infostealer.
Cybersecurity researchers ArcticWolf discovered the campaign after finding their own products spoofed as part of the attack.
In total, the researchers found 292 fake repositories, spoofing things like security products, developer tools, macOS utilities, games, and more. Each repository contained a README file with the download URL.
Obviously malicious
Victims who download the program get a variant of the BoryptGrab infostealer family that grabs data from 19 browsers (passwords, cookies, payment information), 32 cryptocurrency wallets, Telegram, Discord, and Steam sessions, credentials for Meta’s Max, data from Windows Credential Manager, and more. It can also exfiltrate files from Desktop and Documents, and grab screenshots.
While most of the features can be found in other BoryptGrab variants, this one is unique in a sense that it can bypass Chrome’s App-Bound Encryption through direct code injection into the browser process.
While it hasn’t been specifically said that the threat actors are Russian, the compressed data is later sent to a Russia-based command-and-control (C2) infrastructure.
What’s also worth mentioning is that the malware is not designed to last. It has no anti-analysis layer, and doesn’t even try to hide itself in any specific manner. It does not establish persistence and simply tries to grab as much sensitive data as it can on the first attempt.
The attack, which seems to have started in the final days of June, is almost thwarted now, since most of the malicious repositories have been removed from GitHub. Citing “researchers”, BleepingComputer reported that several dozen still remain active, though.
Because of its importance and popularity in the open-source community, GitHub is currently one of the most targeted platforms on the internet, which is why it’s important to double-check and vet every piece of code before it’s applied to a project.
Share
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
