Hundreds of GitHub repos found posing as real software to push malware

Cybersecurity firm ArcticWolf has recently uncovered a troubling campaign involving 292 malicious GitHub repositories that impersonate legitimate software tools. These repositories are part of a sophisticated operation designed to deliver a new variant of the BoryptGrab infostealer, which poses significant risks to users.

Details of the Threat

This malware is particularly concerning as it has the capability to extract sensitive information from a wide range of sources. It targets:

  • 19 different web browsers
  • 32 cryptocurrency wallets
  • Messaging applications such as Telegram and Discord
  • Gaming platforms like Steam
  • Windows Credential Manager

Additionally, it can exfiltrate files from users’ Desktop and Documents folders and even capture screenshots. Notably, this variant distinguishes itself by bypassing Chrome’s App-Bound Encryption through direct code injection, a technique not commonly seen in other BoryptGrab variants.

Despite its capabilities, the malware is not designed for longevity; it lacks an anti-analysis layer and does not attempt to conceal itself. Instead, it aims to harvest as much sensitive data as possible in a single attempt without establishing persistence on the infected system.

Current Status and Implications

The malicious activity appears to have commenced in late June and has since been largely mitigated, with most of the identified repositories removed from GitHub. However, reports indicate that several dozen still remain active, highlighting the ongoing threat.

Given GitHub’s prominence in the open-source community, it has become a prime target for cybercriminals. This situation underscores the critical importance of thoroughly vetting any code before integrating it into projects, ensuring that developers remain vigilant in safeguarding their work and sensitive data.

Tech Optimizer
Hundreds of GitHub repos found posing as real software to push malware