Nearly 300 GitHub repos pose as legit software to push malware

July 14, 2026

Nearly 300 GitHub repos pose as legit software to push malware

A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.

The campaign drew traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.

The malware collects data from more than 19 web browsers, steals info from 32 cryptocurrency wallets, and exfiltrates sensitive details from messaging and social media apps.

image

Cybersecurity company ArcticWolf identified the activity after finding that one of its products was impersonated in the campaign starting June 26.

In total, the researchers uncovered 292 fake repositories, each including a README file with a download link directing visitors to a malicious download page.

Fake GitHub repository featuring badges of authenticity
Fake GitHub repository featuring badges of authenticity
Source: Arctic Wolf

The landing pages feature wording and branding designed to inspire trust, such as a button named “Download Secure Content” and spoofed trust badges.

Analyzing the code for the delivery page, the researchers noticed that it relies on “a single templated HTML/JS artifact reused across all impersonated brands.”

” Its client-side script parses the URL path into two segments – path[0] as a user_code (the “rotating” path token, e.g., yyvxx9rswefr, which tracks the referring repository/redirector), and path[1] as the referrer domain (e.g., Arctic-Wolf[.]github.io),” Arctic Wolf says.

Visible branding is derived from a second segment when it is rendered, by replacing the hyphens with spaces and applying the proper title cases.

The malicious landing page
The malicious landing page
Source: Arctic Wolf

According to the researchers, the page delivers a large ZIP archive, whose name and payload is changed roughly every minute. Inside the archive is a trojanized libcurl.dll and a legitimate, signed WinGUP updater that gets a different name based on the impersonated product.

“When the user runs the executable, gup.exe side-loads libcurl.dll, which decodes and reflectively executes an embedded infostealer entirely in memory.”

The information stealer appears to be a variant of the BoryptGrab family, targeting the following data from infected systems:

  • Passwords, cookies, payment information, and other data from 19 web browsers
  • Data of 32 cryptocurrency wallet brands
  • Telegram sessions, Discord tokens, and Steam session tokens
  • Credentials for Meta’s Max messaging application
  • Windows Credential Manager contents
  • Files from Desktop and Documents whose names or extensions suggested passwords, recovery phrases, wallets, backups, etc.
  • Screenshots, system details, and installed-software lists

The researchers note that this variant of BoryptGrab exhibits a previously undocumented capability to bypass Chrome’s App-Bound Encryption through direct code injection into the browser process.

The stolen data is compressed before being sent to a Russia-based command-and-control (C2) server.

The stealer's execution and data-theft flow
The stealer’s execution and data-theft flow
Source: Arctic Wolf

Arctic Wolf reports that the malware does not establish persistence on the host and is instead designed to collect as much data as possible in a single execution.

Similarly, there’s no anti-analysis layer at all, and the temporary directory where the collected data is stored during exfiltration staging isn’t wiped, leaving forensic evidence behind. 

At the time of Arctic Wolf’s report, GitHub had removed a large portion of the malicious repositories, though the researchers report that several dozen GitHub Pages redirectors still remained active.

The researchers couldn’t attribute the campaign to a specific threat actor, though they assess that the operator is likely Russian-speaking and financially motivated.

Arctic Wolf concludes that the success of the campaign depends entirely on users trusting “free downloads” of premium software tools and recommends caution when interacting with unofficial GitHub pages.

The researchers shared a Yara rule for detecting this activity along with indicators of compromise (IoCs) associated with BoryptGrab.

article image

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Original article can be found here