-
Security researchers uncovered 292 fake GitHub repositories that pretend to be everyday tools people trust to spread malware.
-
The malware, referred to as BoryptGrab, uses some new tricks to avoid detection by Chrome’s protections and steals passwords, crypto wallet data, browser credentials, and even messaging app sessions.
-
GitHub removed many malicious repositories, but some redirect pages stayed online, and experts link the operation to Russian-speaking criminals.
Cybercriminals have turned one of the internet’s go-to platforms for developers into a weapon. Arctic Wolf researchers discovered a huge scam, 292 fake GitHub repositories, set up just to spread malware that grabs people’s personal info.
The investigation started when attackers copied Arctic Wolf’s own GitHub project. Further digging showed this operation was much bigger than just one fake page. The repositories copied names, logos, and descriptions from real software.
They also appeared in search results for widely used security tools, crypto apps, financial software, and even developer utilities.
How the Fake GitHub malware campaign worked
The attackers did not host malware directly on GitHub. Instead, each fake repository contained a professional-looking README file with a download link that appeared official. Victims who clicked the link ended up on an external website made to look trustworthy.
These fake download pages displayed familiar company branding, trust badges, and a big “Download Secure Content” button. Researchers found that every landing page came from the same HTML and JavaScript template. Only the company name changed depending on which software brand the scammers were copying.
Unique tracking values were hidden inside the web addresses. These markers likely helped the attackers figure out which fake repository or redirect page successfully caught victims.
The download process had a clever twist. Each victim received a ZIP file whose name and contents changed about every minute. This frequent change helped the malware avoid detection by security tools that rely on file fingerprints.
Malware runs without touching your hard drive
Inside each ZIP archive hid a real digitally signed copy of the WinGUP updater along with a harmful libcurl.dll file. When victims launched the installer, the real application automatically loaded the fake DLL through a trick called DLL sideloading. The malicious DLL then decrypted and launched the actual malware directly into memory instead of saving it to disk.
Arctic Wolf identified the payload as a version of BoryptGrab, a malware family previously linked to fake software downloads on GitHub. Earlier reports also connected BoryptGrab to follow-on malware like remote access tools and extra credential stealers.
What the malware steals
The malware focuses on grabbing valuable personal and financial information in a single run. According to Arctic Wolf, it goes after:
- Passwords, cookies, payment details, and browsing data from more than 19 web browsers
- Data from 32 cryptocurrency wallet brands
- Telegram sessions, Steam session tokens, and Discord tokens
- Credentials for Meta’s Max messaging app
- Windows Credential Manager entries
- Files stored on the Desktop and in the Documents folders containing passwords, wallet backup, and cryptocurrency recovery phrase.
- Screenshots, system data, as well as a list of installed software.
Researchers also found a new trick in this version. This malware slips past Chrome’s App-Bound Encryption, which guards your saved browser passwords. It doesn’t bother cracking encrypted files head-on. Instead, it injects code right into Chrome’s running process, grabbing sensitive info straight from the source.
Quick theft instead of long-term access
Unlike most modern malware, BoryptGrab doesn’t bother hiding out on a system. According to Arctic Wolf, the malware is quick in collecting information from the infected device.
It later goes on to compress the file and sends it to a C2 server in Russia. It doesn’t set up any backdoors for future access or try to hang around. The operation is a quick grab-and-go for fast money.
The malware also leaves behind evidence. Researchers noted it lacks anti-analysis protections and does not erase the temporary folder used to stage stolen data before transmission. This gives incident responders useful forensic clues to work with.
GitHub removes many repositories, but risks remain
After researchers told GitHub about the problem, the platform removed many of the malicious repositories. However, even after Arctic Wolf published warnings, plenty of redirector sites on GitHub Pages stayed up.
The researchers couldn’t pin down the criminals behind the campaign, but the evidence points to Russian-speaking hackers looking for profit. The threat of browser-based attacks is also evident in fake Chrome extensions, which have been found stealing data from over 300,000 users.
This isn’t just a one-off; it fits a bigger pattern researchers are discovering recently. Earlier this year, researchers documented another large GitHub abuse operation that used hundreds of repositories to spread Windows malware through fake open-source projects. Software repositories remain an attractive delivery platform for cybercriminals.
Arctic Wolf’s advice is pretty straightforward: Only download software from official vendor sites or trusted repositories. If you spot something that’s “free” or a cracked version of paid software, steer clear.
Carefully check GitHub projects before running any installers. The company also shared indicators of compromise and a detection rule to help defenders spot infections tied to this campaign.