GitHub Malware Campaign Hits 292 Repos
A malicious campaign using hundreds of fake repositories is actively deploying the BoryptGrab infostealer to compromised machines.
Cybercriminals are increasingly weaponizing the software development ecosystem by flooding GitHub with fraudulent projects designed to ensnare unsuspecting users. By impersonating legitimate security, financial, and developer utilities, these actors have successfully established a pipeline for delivering sophisticated information-stealing malware directly to the workstations of victims searching for free software alternatives.
Massive Impersonation Network Discovered
The campaign, which came under scrutiny after Arctic Wolf says it was targeted by one of the fake projects, involves 292 distinct repositories. These pages are carefully crafted to mimic high-trust software and developer tools. To maintain the illusion of legitimacy, the operators utilize spoofed trust badges and deceptive buttons labeled "Download Secure Content," drawing in victims through search engine results for various professional and consumer utilities.
The underlying infrastructure is highly automated. The malicious landing pages rely on a single templated HTML/JS artifact, allowing attackers to pivot between different impersonated brands with ease. Branding is rendered dynamically by parsing URL paths, which effectively hides the scale of the operation while maximizing the versatility of the delivery mechanism.
When the user runs the executable, gup.exe side-loads libcurl.dll, which decodes and reflectively executes an embedded infostealer entirely in memory.
— Arctic Wolf, cybersecurity firm
Data Exfiltration and Technical Tactics
Once a victim executes the downloaded file, the malware—a variant of the BoryptGrab family—initiates an immediate data-harvesting sequence. Unlike more persistent threats, this malware focuses on a rapid, one-time grab of sensitive information. The technical execution involves a trojanized libcurl.dll and a signed WinGUP updater that functions in-memory, leaving the host system without traditional persistence mechanisms while still compromising high-value data.
- 292 fake repositories identified in the campaign.
- Data collected from 19 different web browsers.
- Exfiltration of credentials from 32 distinct cryptocurrency wallets.
- Campaign activity officially identified starting June 26.
A notable technical innovation in this variant is its ability to bypass Chrome’s App-Bound Encryption via direct code injection into the browser process. Collected data is subsequently compressed and transmitted to a Russia-based C2 server. While the malware does not attempt to clear its temporary storage, leaving a trail of forensic evidence, its primary goal is the immediate theft of passwords, session tokens, and financial documents.
The Burden of Trust on Developers
This incident underscores the inherent risks in the "free download" culture prevalent within the developer community. Because the malware avoids complex anti-analysis layers, it relies entirely on the user’s willingness to download and execute code from unofficial sources. While GitHub has taken action to purge the majority of these repositories, the persistence of several dozen redirector pages highlights the difficulty of policing high-traffic open-source platforms.
For organizations, the primary takeaway is the necessity of strict software supply chain vetting. Relying on unofficial repository pages—even those that appear professional—creates a significant entry point for infostealer infections. As researchers shared, implementing specific detection rules like YARA can help security teams identify these malicious artifacts before they reach the endpoint, as the cost of a single successful exfiltration event can be catastrophic.