
Banana Squad’s GitHub Malware Attack Targets Developers

Summary

– A new campaign by the group Banana Squad exploited GitHub to distribute malicious Python code disguised as legitimate hacking tools.
– Researchers found 67 trojanized repositories mimicking real projects, using hidden backdoor code concealed with long space strings.
– The campaign reflects a shift in supply chain attacks, with attackers using covert tactics on platforms like GitHub despite reduced malicious uploads on PyPI and npm.
– Banana Squad previously targeted Windows with malware in Python repositories, which were downloaded nearly 75,000 times before removal.
– ReversingLabs recommends verifying repositories, avoiding single-repo accounts, monitoring suspicious domains, and using differential analysis tools to mitigate risks.

Cybersecurity experts have uncovered a sophisticated malware campaign targeting developers through compromised GitHub repositories. The operation, linked to a threat group called Banana Squad, distributed trojanized Python files disguised as legitimate hacking tools across 67 fake repositories.

Security firm ReversingLabs found that attackers exploited GitHub’s interface to hide malicious code using long space strings, making it invisible in standard views. This tactic marks a shift in software supply chain attacks, where threat actors increasingly abuse trusted platforms like GitHub rather than package repositories such as PyPI or npm.

Banana Squad first gained attention in late 2023 for uploading Windows-targeting malware to Python repositories, which were downloaded nearly 75,000 times before removal. Their latest campaign cloned legitimate project names to trick developers into downloading infected files. Each fake account typically hosted only one repository, a red flag indicating malicious intent.

The repositories contained deceptive “About” sections filled with keywords, emojis, and dynamically generated strings to appear authentic. Researchers identified malicious domains like dieserbenni[.]ru and 1312services[.]ru as part of the attack infrastructure.

Hidden payloads within the Python files used Base64, Hex, and Fernet encryption to evade detection while executing backdoor functions. Although GitHub has taken down all identified repositories, the full impact remains unclear; experts warn that many developers may have unknowingly installed the malware.
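The two indicators the article describes, long whitespace runs that push code off-screen and a decode-then-exec pattern using Base64, hex or Fernet, can both be checked mechanically, and the summary's "differential analysis" recommendation amounts to diffing a clone against a trusted copy. The following is an added example written for this page, not code from ReversingLabs or the article; the 80-space threshold, the `<PAD>` marker and the sample source are assumptions constructed here, and the encoded payload in the sample only prints a marker.

```python
from __future__ import annotations

import base64
import difflib
import re
from dataclasses import dataclass

# Heuristic threshold (assumption): a run of 80+ spaces or tabs between two
# non-blank characters hides whatever follows in a normal code or diff view.
MIN_PAD = 80
PAD_RE = re.compile(r"(?<=\S)[ \t]{%d,}(?=\S)" % MIN_PAD)

# exec/eval fed by a decoder or decryptor on the same line; Base64, hex and
# Fernet are the encodings named in the article.
DECODE_EXEC_RE = re.compile(
    r"\b(?:exec|eval)\s*\(.*\b(?:b64decode|fromhex|Fernet|decrypt)\b"
)


@dataclass
class Finding:
    line_no: int
    rule: str
    snippet: str  # line with the padding collapsed so the hidden tail is visible


def scan_source(text: str) -> list[Finding]:
    """Flag lines that hide code behind whitespace or decode-then-exec a blob."""
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        visible = PAD_RE.sub(" <PAD> ", line)[:100]
        if PAD_RE.search(line):
            findings.append(Finding(no, "hidden-padding", visible))
        if DECODE_EXEC_RE.search(line):
            findings.append(Finding(no, "decode-then-exec", visible))
    return findings


def added_lines(reference: str, suspect: str) -> list[str]:
    """Differential check: lines present in the suspect copy but not in the trusted one."""
    diff = difflib.unified_diff(
        reference.splitlines(), suspect.splitlines(), lineterm="", n=0
    )
    return [d[1:] for d in diff if d.startswith("+") and not d.startswith("+++")]


# Constructed sample: a clean helper, and a copy whose last line looks complete
# on screen but carries an encoded statement after 300 spaces.
CLEAN = "import base64\n\ndef banner():\n    print('legit helper')\n\nbanner()\n"
BLOB = base64.b64encode(b"print('constructed marker')").decode()
TROJANIZED = CLEAN.replace(
    "banner()\n",
    "banner();" + " " * 300 + f"exec(base64.b64decode('{BLOB}'))\n",
)

if __name__ == "__main__":
    for f in scan_source(TROJANIZED):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
    for extra in added_lines(CLEAN, TROJANIZED):
        print("added vs. trusted copy:", PAD_RE.sub(" <PAD> ", extra)[:100])
```

Run it over every `.py` file in a freshly cloned repository before executing anything; the padding rule is cheap and has few legitimate hits, while the decode-then-exec rule is a prompt to read the line, since build tooling occasionally decodes embedded data for benign reasons.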

To protect against similar threats, security professionals recommend:

  • Verifying repositories against trusted sources before use
  • Avoiding accounts that host only a single repository
  • Monitoring for connections to suspicious domains
  • Using differential analysis tools

As supply chain attacks grow more sophisticated, developers must remain vigilant when sourcing third-party code. GitHub’s swift takedown highlights the importance of collaboration between researchers and platform providers to mitigate emerging threats.

(Source: InfoSecurity Magazine)
