
Threat actor Banana Squad exploits GitHub repos in new campaign

Trends in open-source software supply chain attacks, meaning attacks that exploit the public platforms developers rely on for software development, have changed quite a bit in recent years. While the number of malicious packages uploaded to open-source repositories like npm and the Python Package Index (PyPI) has decreased, threat actors are carrying out stealthier and more sophisticated attacks on platforms like GitHub that are less obvious to spot.

This trend can be seen in a new campaign discovered by the ReversingLabs threat research team, in which more than 60 GitHub repositories that at first glance appeared to host hacking tools written in Python were actually trojanized look-alikes of other, identically named repositories. The adversary behind this campaign, Banana Squad, was first spotted by researchers at Checkmarx in October 2023. The group is named after its earliest malicious domain: bananasquad[.]ru.

In Banana Squad's original campaign, researchers found that, starting in April 2023, the threat actor relentlessly deployed hundreds of malicious packages under various usernames. The Windows-based final payloads aimed to steal "extensive amounts of sensitive data," including information about the target's system, applications, browsers and cryptocurrency wallets. Researchers noted that the malicious packages accumulated close to 75,000 downloads before the campaign was identified and the packages removed.

To read the complete article, see ReversingLabs.

This post is licensed under CC BY 4.0 by the author.