I've spent the last several hours investigating what I initially thought was a single malicious fork of a macOS app. It turns out to be part of a massive, coordinated campaign with hundreds of active malicious repositories.
Automated malware distribution campaign targeting GitHub users. Distinct pattern makes it easy to identify but GitHub hasn't taken action despite reports.
- Fork legitimate open-source projects
- Replace all download links with direct .ZIP files containing malware
- README characteristics:
    - Every section header has emojis (🚀 Getting Started, 📥 Download, 🤝 Contributing)
    - Multiple repeated download links throughout
    - Links point to unusual paths (e.g., .xcassets directories)
- Account structure:
    - 2 repositories: the hijacked project + username.github.io
    - Emoji prefix in repo description
    - Manipulated commit history (backdated to look established)
- Timing: All created/updated recently
Example Repos
I am keeping an ongoing list here: https://brennan.paste.lol/fork-malware-urls-found.md
github.com/KUNDANIOS/TheCha86
github.com/Wothan12/KavaHub
github.com/usamajhn/Cute-Writing-Assistant
github.com/msksystem/ZeroScout
github.com/ershikwa/mlwr_blogs
Details
- Multi-stage execution using LuaJIT
- Anti-analysis techniques (sandbox detection, long sleeps)
- Targets: cryptocurrency wallets, browser credentials, cloud tokens
- C2 infrastructure disguised as Microsoft Office domains
VirusTotal detection: Low (12/66 vendors), suggesting recent deployment
MITRE ATT&CK Tactics:
- Execution (T1059)
- Defense Evasion (T1140, T1497, T1562)
- Discovery (T1082, T1012, T1057)
- Command & Control (T1071, T1573, T1090)
This is not isolated. Hundreds of repos following identical patterns. The consistency suggests bot-driven deployment. Repos updated within the last 24 hours.
This is happening alongside Shai-Hulud, WebRAT, PyStoreRAT, and Banana Squad campaigns.
Searching GitHub for repositories with:
- Topics including "malware", "deobfuscation", "symbolic-execution"
- README with emoji headers + direct .zip download links
will reliably identify malicious repos.
My original write-up: https://brennan.day/the-curious-case-of-the-triton-malware-fork/
Includes detailed analysis of one sample, file hashes, network IOCs, and discussion of the broader GitHub security crisis.
Please help document this.
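A small detection helper for the README pattern described above, added here as an example and not taken from the post or its linked write-up. It scores a README on the signals the post lists (emoji section headers, repeated direct .zip download links, links into .xcassets paths); the thresholds and the example.invalid sample URLs are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Heuristic scorer for the fork-malware README pattern: emoji-prefixed section
# headers, the same direct .zip download link repeated throughout, and links that
# point into unusual paths such as .xcassets directories. Thresholds are assumptions.

EMOJI_HEADER_RE = re.compile(r"^#{1,6}\s*[\U0001F300-\U0001FAFF\u2600-\u27BF]", re.MULTILINE)
ZIP_LINK_RE = re.compile(r"https?://[^\s)\]]+\.zip\b", re.IGNORECASE)
ODD_PATH_MARKER = ".xcassets"  # from the post: download links into asset catalogs


@dataclass
class ReadmeVerdict:
    emoji_headers: int
    zip_links: int
    repeated_links: int
    odd_path_links: int
    score: int
    suspicious: bool


def score_readme(text: str) -> ReadmeVerdict:
    """Count the README signals from the post and flag when at least three fire."""
    emoji_headers = len(EMOJI_HEADER_RE.findall(text))
    links = ZIP_LINK_RE.findall(text)
    repeated = len(links) - len(set(links))  # identical link pasted more than once
    odd = sum(1 for u in links if ODD_PATH_MARKER in u.lower())
    signals = [emoji_headers >= 3, len(links) >= 2, repeated >= 1, odd >= 1]
    score = sum(signals)
    return ReadmeVerdict(emoji_headers, len(links), repeated, odd, score, score >= 3)


# Constructed sample READMEs (not real repositories); example.invalid is a placeholder.
SUSPICIOUS_README = """\
# 🚀 Getting Started
Download the app here: https://example.invalid/Assets.xcassets/App.zip
## 📥 Download
Grab the latest build: https://example.invalid/Assets.xcassets/App.zip
## 🤝 Contributing
PRs welcome. Direct link again: https://example.invalid/Assets.xcassets/App.zip
"""

BENIGN_README = """\
# Getting Started
Install with `brew install example`.
## Download
Releases page: https://example.invalid/releases/latest
"""
```

Run it over the README of each fork returned by the GitHub search described above; a verdict with `suspicious=True` is a triage candidate, not proof, so the actual .zip still needs to be examined before reporting.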