67 Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers

By Admin | June 20, 2025

Cybersecurity researchers have disclosed a new campaign in which threat actors published more than 67 GitHub repositories that claim to offer Python-based hacking tools but instead deliver trojanized payloads.

The activity, codenamed Banana Squad, was identified in 2023 as targeting the Python Package Index (PyPI) repository with bogus packages that were downloaded more than 75,000 times and came with information-stealing capabilities on Windows systems.

The findings build on a previous report from the Internet Storm Center in November 2024, which detailed a supposed “steam-account-checker” tool hosted on GitHub that incorporated stealthy features to download additional Python payloads, which can inject malicious code into a cryptocurrency wallet app and harvest data to an external server (“dieserbenni[.]ru”).

Further analysis of the repository and the attacker-controlled infrastructure led to the discovery of 67 trojanized GitHub repositories that impersonate benign repositories of the same name.


There is evidence to suggest that users searching for software such as account-cleaning tools and game cheats, such as Discord account cleaner, Fortnite External Cheat, TikTok username checker, and PayPal account checker, are the targets of the campaign. All of the identified repositories have since been removed by GitHub.

“Backdoors and trojanized code in publicly available source code repositories, such as GitHub, are becoming more common and are a growing supply chain attack vector,” said ReversingLabs researcher Robert Simmons.

“For developers that rely on these open source platforms, you should always double check that the repository you use actually contains what you expect.”

GitHub as a Malware Distribution Service

The development comes as GitHub is increasingly becoming the focus of several campaigns as a malware distribution vector. Earlier this week, Trend Micro said it uncovered 76 malicious GitHub repositories operated by a threat actor it calls Water Curse to deliver multi-stage malware.

These payloads are designed to steal credentials, browser data, and session tokens, as well as to give the threat actors persistent remote access to the compromised systems.

Check Point then shed light on another campaign that uses a criminal service known as the Stargazers Ghost Network to target Minecraft users with malicious Java-based programs. The Stargazers Ghost Network refers to GitHub accounts that distribute malware or malicious links through phishing.

“The network consists of several accounts that distribute malicious links and malware, as well as performing other actions such as starring, forking, and subscribing to malicious repositories, so that they look legitimate,” said Check Point.

The cybersecurity company also assessed that such GitHub “Ghost” accounts “are just one part of the grand picture, with other ‘Ghost’ accounts operating on different platforms as an integral part of a Distribution-as-a-Service universe.”

Some aspects of the Stargazers Ghost Network were exposed in April 2024, including the threat actor's pattern of using fake stars and pushing out frequent updates to artificially inflate the popularity of the repositories and make sure that they surfaced at the top of GitHub search results.

These repositories are ingeniously disguised as legitimate projects, usually related to popular games, cheats, or tools such as price trackers and multiplier prediction for crash-betting games.

These campaigns also dovetail with another attack wave that targeted novice cybercriminals looking for readily available malware and attack tools on GitHub, using backdoored repositories to infect them with information stealers.

In one case that Sophos highlighted this month, the Sakura-RAT repository was found to contain malicious code that compromised those who compiled the malware on their systems with information stealers and other remote access trojans (RATs).

The identified repositories act as a conduit for four different types of backdoors, which are embedded in Visual Studio PreBuild events, Python scripts, screensaver files, and JavaScript to steal data, capture screenshots, communicate via Telegram, and fetch more payloads, including Async Stealer.


In total, the cybersecurity company said it had found at least 133 backdoored repositories as part of the campaign, with 111 containing the PreBuild backdoor and the others containing Python, screensaver, and JavaScript backdoors.

Sophos further noted that these activities are probably linked to a distribution-as-a-service (DaaS) operation that has been active since August 2022 and has used thousands of GitHub accounts to distribute malware embedded in trojanized repositories themed around gaming, exploits, and attack tools.

Although the exact distribution method used in the campaign is unclear, it is believed that the threat actors also rely on Discord servers and YouTube channels to distribute links to the trojanized repositories.

“It remains unclear whether this campaign is directly related to some or all of the previous campaigns that have been reported, but the approach seems popular and effective, and is likely to continue in one form or another,” Sophos said. “In the future, it is possible that the focus may change, and threat actors may target other groups besides inexperienced cybercriminals and gamers using cheats.”
