Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Microsoft releases Windows 10 KB5099539 extended security update

    July 14, 2026

    Enterprise Asset Management Policy Template for the CIS Controls v8.1 (French)

    July 14, 2026

    Spanish Police take down €140 million cyber fraud ring, arrest four

    July 14, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»Nearly 300 GitHub repos pose as legit software to push malware
    News

    Nearly 300 GitHub repos pose as legit software to push malware

    adminBy adminJuly 14, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Nearly 300 GitHub repos pose as legit software to push malware

    A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.

    The campaign drew traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.

    The malware collects data from more than 19 web browsers, steals info from 32 cryptocurrency wallets, and exfiltrates sensitive details from messaging and social media apps.

    image

    Cybersecurity company ArcticWolf identified the activity after finding that one of its products was impersonated in the campaign starting June 26.

    In total, the researchers uncovered 292 fake repositories, each including a README file with a download link directing visitors to a malicious download page.

    Fake GitHub repository featuring badges of authenticity
    Fake GitHub repository featuring badges of authenticity
    Source: Arctic Wolf

    The landing pages feature wording and branding designed to inspire trust, such as a button named “Download Secure Content” and spoofed trust badges.

    Analyzing the code for the delivery page, the researchers noticed that it relies on “a single templated HTML/JS artifact reused across all impersonated brands.”

    ” Its client-side script parses the URL path into two segments – path[0] as a user_code (the “rotating” path token, e.g., yyvxx9rswefr, which tracks the referring repository/redirector), and path[1] as the referrer domain (e.g., Arctic-Wolf[.]github.io),” Arctic Wolf says.

    Visible branding is derived from a second segment when it is rendered, by replacing the hyphens with spaces and applying the proper title cases.

    The malicious landing page
    The malicious landing page
    Source: Arctic Wolf

    According to the researchers, the page delivers a large ZIP archive, whose name and payload is changed roughly every minute. Inside the archive is a trojanized libcurl.dll and a legitimate, signed WinGUP updater that gets a different name based on the impersonated product.

    “When the user runs the executable, gup.exe side-loads libcurl.dll, which decodes and reflectively executes an embedded infostealer entirely in memory.”

    The information stealer appears to be a variant of the BoryptGrab family, targeting the following data from infected systems:

    • Passwords, cookies, payment information, and other data from 19 web browsers
    • Data of 32 cryptocurrency wallet brands
    • Telegram sessions, Discord tokens, and Steam session tokens
    • Credentials for Meta’s Max messaging application
    • Windows Credential Manager contents
    • Files from Desktop and Documents whose names or extensions suggested passwords, recovery phrases, wallets, backups, etc.
    • Screenshots, system details, and installed-software lists

    The researchers note that this variant of BoryptGrab exhibits a previously undocumented capability to bypass Chrome’s App-Bound Encryption through direct code injection into the browser process.

    The stolen data is compressed before being sent to a Russia-based command-and-control (C2) server.

    The stealer's execution and data-theft flow
    The stealer’s execution and data-theft flow
    Source: Arctic Wolf

    Arctic Wolf reports that the malware does not establish persistence on the host and is instead designed to collect as much data as possible in a single execution.

    Similarly, there’s no anti-analysis layer at all, and the temporary directory where the collected data is stored during exfiltration staging isn’t wiped, leaving forensic evidence behind. 

    At the time of Arctic Wolf’s report, GitHub had removed a large portion of the malicious repositories, though the researchers report that several dozen GitHub Pages redirectors still remained active.

    The researchers couldn’t attribute the campaign to a specific threat actor, though they assess that the operator is likely Russian-speaking and financially motivated.

    Arctic Wolf concludes that the success of the campaign depends entirely on users trusting “free downloads” of premium software tools and recommends caution when interacting with unofficial GitHub pages.

    The researchers shared a Yara rule for detecting this activity along with indicators of compromise (IoCs) associated with BoryptGrab.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleWindows 11 KB5101650 & KB5099414 cumulative updates released
    Next Article SonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch now
    admin
    • Website

    Related Posts

    News

    Microsoft releases Windows 10 KB5099539 extended security update

    July 14, 2026
    News

    Enterprise Asset Management Policy Template for the CIS Controls v8.1 (French)

    July 14, 2026
    News

    Spanish Police take down €140 million cyber fraud ring, arrest four

    July 14, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Our Picks

    Microsoft releases Windows 10 KB5099539 extended security update

    July 14, 2026

    Enterprise Asset Management Policy Template for the CIS Controls v8.1 (French)

    July 14, 2026

    Spanish Police take down €140 million cyber fraud ring, arrest four

    July 14, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.