- Cybersecurity researchers identified a large-scale scheme involving over 67 trojanized Python tool repositories on GitHub.
- The campaign targets users seeking account cleaning tools, game cheats, and other utilities by delivering malicious code instead of real software.
- These threats can steal credentials, browser data, session tokens, and even inject Malware into cryptocurrency wallets.
- GitHub has since removed all identified malicious repositories associated with this campaign.
- The same tactics are linked to several groups spreading malware through techniques like fake popularity and cloned repositories.
Researchers have discovered that over 67 repositories on GitHub claimed to offer Python-based Hacking and utility tools, but instead delivered trojanized software designed to steal sensitive data. The campaign has been active since at least 2023 and targets individuals searching for account cleaners, game cheats, and similar applications.
The threat actor behind this activity, known as Banana Squad, used fake repositories that imitate legitimate ones. These repositories distributed programs with hidden malicious features, notably stealing information from Windows systems and injecting code into cryptocurrency wallet apps like Exodus. GitHub has removed all the affected repositories after these findings.
According to ReversingLabs, "Backdoors and trojanized code in publicly available source code repositories like GitHub are becoming more prevalent and represent a growing software supply chain attack vector." The company urged developers to verify that the code they use is trustworthy.
Other cybersecurity firms have reported similar tactics. Trend Micro recently uncovered 76 more malicious repositories tied to a group called Water Curse, which distributed multi-stage malware to steal passwords and browser data. Check Point detailed another active campaign using so-called Stargazers Ghost Network to spread Java-based malware targeting Minecraft users.
These strategies include boosting the visibility of malicious repositories through fake stars and frequent updates to appear as top results on GitHub searches. Sophos highlighted that some campaigns target amateur cybercriminals who seek easy-to-use malware, only to become victims themselves.
Researchers found more than 133 backdoored repositories in related campaigns, using various methods like Visual Studio PreBuild events, Python scripts, and browser-based files to deliver malware. Some of these efforts appear to be part of a distribution-as-a-service model, using multiple social platforms like Discord and YouTube to spread harmful links.
Sophos warned, "It remains unclear if this campaign is directly linked to some or all of the previous campaigns reported on, but the approach does seem to be popular and effective, and is likely to continue in one form or another."
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Thailand Seeks Public Input on New Crypto Listing Rules Until July 21
- North Korean Hackers Use Fake Crypto Jobs to Spread New RAT Malware
- Hyperliquid’s HYPE Token Plunges 6% After All-Time High Surge
- Circle Narrows Gap as USDC Gains Market Share on Tether’s USDT
- Elon Musk’s X to Add Payments, Investments & X-Branded Cards
