Large-Scale Malware Distribution Campaign on GitHub Uncovered
A significant malware distribution campaign has been discovered on GitHub, involving 10,000 repositories that are spreading Trojan malware. This alarming situation came to light when a researcher found a duplicate of their own GitHub project appearing in search results, complete with the same name and description.
The copied repository, which falsely listed the original researcher as a contributor, had a recent commit that added a link to a zip archive in its readme. Further investigation revealed that these malicious repositories routinely delete their previous commits and push identical ones, with the only change being the addition of a link to the archive in the readme file.
The zip archive typically contains the following files:
Application.cmd or Launcher.cmd
loader.exe, luajit.exe, or an executable under another name
random_name.cso or random_name.txt
lua51.dll
Interestingly, while submitting the link to the archive on VirusTotal reports zero detections, uploading the zip file itself reveals a Trojan inside it.
To assess the full extent of this campaign, a general pattern was established, and a script was created to identify repositories that were not forks of other repositories and whose commit updated only the readme file, adding a link to a zip archive. After refining the search parameters, the script identified 10,000 repositories matching this pattern, which constitutes 25% of the total repositories searched under these criteria. Many of these repositories have existed for several months, with some lingering for over a year, and GitHub has not automatically detected or removed them.
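The three-part heuristic described above, as an added example that is not the researcher's script (the article does not reproduce it): it checks constructed repository records for a non-fork whose head commit touched only a README and left a zip-archive link in it. The Repo and Commit structures, repository names and hosts are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# An http(s) link whose path ends in .zip; a query string or fragment may follow.
ZIP_LINK_RE = re.compile(r"https?://\S+?\.zip(?:[?#]\S*)?", re.IGNORECASE)
# README with any extension (README, README.md, readme.txt, ...).
README_RE = re.compile(r"^readme(\.[a-z]+)?$", re.IGNORECASE)

@dataclass
class Commit:
    """Minimal view of one commit: paths it touched and README text after it (assumed shape)."""
    changed_files: list
    readme_after: str

@dataclass
class Repo:
    """Minimal repository record (assumed shape, not GitHub's API schema)."""
    full_name: str
    is_fork: bool
    head: Commit  # most recent commit on the default branch

def zip_links(text: str) -> list:
    """Return every zip-archive link found in README text."""
    return ZIP_LINK_RE.findall(text)

def readme_only_commit(commit: Commit) -> bool:
    """True when the commit touched nothing but README files."""
    if not commit.changed_files:
        return False
    return all(README_RE.match(path.rsplit("/", 1)[-1]) for path in commit.changed_files)

def matches_campaign_pattern(repo: Repo) -> bool:
    """Not a fork, README-only head commit, and a zip link present in the README."""
    return (not repo.is_fork
            and readme_only_commit(repo.head)
            and bool(zip_links(repo.head.readme_after)))

# Constructed sample records; names and hosts are placeholders.
SAMPLE_REPOS = [
    Repo("victim-org/original-tool", False,
         Commit(["src/main.py", "README.md"], "# original-tool\nBuild with make.")),
    Repo("clone-acct/original-tool", False,
         Commit(["README.md"], "# original-tool\nDownload: https://example.invalid/dl/release.zip")),
    Repo("someone/original-tool", True,
         Commit(["README.md"], "# fork\nhttps://example.invalid/x.zip")),
]

def flagged(repos=SAMPLE_REPOS) -> list:
    """Names of repositories matching the heuristic; only the non-fork clone should appear."""
    return [r.full_name for r in repos if matches_campaign_pattern(r)]

if __name__ == "__main__":
    for name in flagged():
        print("suspicious:", name)
```

On real data the same check would be fed from the commit file list and README contents of each search hit; the forked repository and the repository whose commit also changed source files are deliberately excluded, mirroring the article's criteria.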
Initially, GitHub support took a month to remove just two reported repositories. However, updates indicate a persistent issue: GitHub only deleted the repositories specifically reported by the researcher. Even after running the script again and discovering new repositories, these were not removed. The researcher expressed frustration, stating, “They didn’t run my script, and they didn’t write their own script. They didn’t even open this article to see if the list of repositories had changed. They only delete repositories that are reported to them, but they don’t do anything else. That’s why this scheme has been going on for several years now, and will most likely continue.” An article from April 18 confirmed that this Trojan malware involves SmartLoader and StealC. Given the scale of this issue and GitHub’s limited response, the researcher urged: “If any of you have direct contact with GitHub’s security team, please send them a link to this article.”