Clone, Compile, Compromise: Water Curse's Open-Source Malware Trap on GitHub
Key Takeaways:
A newly identified threat actor, Water Curse, is using weaponized GitHub repositories to deliver multistage malware. At least 76 GitHub accounts are linked to the campaign, with malicious payloads embedded in build scripts and project files.
The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems. Water Curse’s campaign poses a supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams relying on open-source tooling.
Audit open-source tools used by red teams, DevOps pipelines, and developer environments, especially those sourced from GitHub. Validate build files, scripts, and repository histories before cloning, compiling, or running them.
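As an added example (not code from the Trend Micro report or from any project it describes), the script below performs the kind of pre-build audit recommended above: it walks a cloned repository and flags MSBuild project files that carry build-time execution hooks, plus project and script files that contain common obfuscation markers (encoded PowerShell, hidden windows, download cradles, long base64 blobs). The file types, indicator patterns, and the constructed sample repository are assumptions chosen for illustration, not IOCs from the report.

```python
"""Audit a cloned repository for build-time execution hooks before compiling it.

Heuristics below are generic assumptions for illustration, not campaign IOCs.
"""
import re
import tempfile
from pathlib import Path

# Files whose contents the build system executes on its own (assumed set).
PROJECT_SUFFIXES = {".csproj", ".vcxproj", ".vbproj", ".props", ".targets"}
SCRIPT_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".sh"}

# MSBuild elements that run arbitrary commands when the project is built.
BUILD_HOOK_RE = re.compile(r"<(PreBuildEvent|PostBuildEvent|Exec)\b", re.I)

# Markers that commonly hide what a script does (assumed heuristics).
SUSPICIOUS_RE = {
    "encoded_powershell": re.compile(
        r"powershell(?:\.exe)?[^\n]*?-(?:e|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "remote_download": re.compile(
        r"(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl|wget)\b", re.I),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def scan_text(text):
    """Return the names of suspicious patterns present in text, in table order."""
    return [name for name, rx in SUSPICIOUS_RE.items() if rx.search(text)]


def audit_repo(root):
    """Walk root and return {posix_relative_path: [findings]} for files to review."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        suffix = path.suffix.lower()
        if suffix not in PROJECT_SUFFIXES and suffix not in SCRIPT_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        hits = []
        if suffix in PROJECT_SUFFIXES and BUILD_HOOK_RE.search(text):
            # Code here runs when the project is *built*, before anyone runs the tool.
            hits.append("build_hook")
        hits.extend(scan_text(text))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_repo(base):
    """Write a constructed sample: one clean project and one with a hidden build hook."""
    base = Path(base)
    (base / "clean").mkdir(parents=True, exist_ok=True)
    (base / "clean" / "Tool.csproj").write_text(
        '<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>'
        "<OutputType>Exe</OutputType></PropertyGroup></Project>")
    (base / "trap").mkdir(exist_ok=True)
    # Constructed sample: an encoded, hidden PowerShell command in a PreBuildEvent.
    (base / "trap" / "Tool.csproj").write_text(
        "<Project><PropertyGroup><PreBuildEvent>"
        "powershell.exe -w hidden -enc " + "QQ" * 120 +
        "</PreBuildEvent></PropertyGroup></Project>")
    return base


def demo():
    """Audit the constructed sample repository and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return audit_repo(tmp)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {', '.join(hits)}")
```

Run it against a freshly cloned checkout before opening the solution in an IDE or invoking the build, since a hook in a project file executes at build time regardless of whether the compiled tool is ever launched. The scan covers file contents only; reviewing repository history (for example, large blobs or scripts introduced in a late commit) is a separate step that the script does not perform.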
Trend Vision One™ detects and blocks the IOCs discussed in this blog. For further guidance on how Trend Micro solutions can help gain rich context on threats like Water Curse, see the corresponding section of the full report.
For the complete article, see: Trend Micro