BigTech CompaniesCybersecurityNewswireTechnologyWhat's Buzzing

Malware hidden in 300 fake GitHub repos posing as legit software

Originally published on: July 15, 2026
▼ Summary

– A threat actor created 292 fake GitHub repositories impersonating software and security products to distribute infostealer malware.
– The campaign targeted users searching for security tools, cryptocurrency services, developer utilities, and gaming software.
– The malware steals data from 19 web browsers, 32 cryptocurrency wallets, and messaging apps like Telegram and Discord.
– It uses a trojanized libcurl.dll side-loaded by a legitimate signed executable to run an infostealer variant of BoryptGrab.
– The malware collects data in a single execution without persistence, and GitHub removed most repositories but several dozen redirectors remained active.

A threat actor has published hundreds of fake GitHub repositories that impersonate legitimate software and security projects, all designed to distribute infostealer malware to unsuspecting victims.

The campaign successfully attracted traffic through search results for a wide range of high-interest topics, including security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software. Once a user lands on these deceptive pages, the malware collects data from more than 19 web browsers, steals information from 32 different cryptocurrency wallets, and exfiltrates sensitive details from messaging and social media apps.

Cybersecurity firm Arctic Wolf identified the malicious activity after discovering that one of its own products was being impersonated in the campaign, which began on June 26. In total, researchers uncovered 292 fake repositories, each containing a README file with a download link that directs visitors to a malicious download page. These landing pages feature carefully crafted wording and branding designed to inspire trust, including a button labeled “Download Secure Content” and spoofed trust badges.

Analyzing the code for the delivery page, the researchers noticed that it relies on a single templated HTML and JavaScript artifact reused across all impersonated brands. The client-side script parses the URL path into two segments: the first serves as a user code that tracks the referring repository or redirector, while the second provides the referrer domain. Visible branding is derived from this second segment when it is rendered, by replacing hyphens with spaces and applying proper title cases.

The malicious page delivers a large ZIP archive whose name and payload change roughly every minute. Inside the archive is a trojanized libcurl.dll and a legitimate, signed WinGUP updater that receives a different name based on the impersonated product. When the user runs the executable, gup.exe side-loads libcurl.dll, which decodes and reflectively executes an embedded infostealer entirely in memory.

The information stealer appears to be a variant of the BoryptGrab family, targeting a wide array of sensitive data from infected systems. This includes passwords, cookies, payment information, and other data from 19 web browsers, data from 32 cryptocurrency wallet brands, Telegram sessions, Discord tokens, Steam session tokens, credentials for Meta’s Max messaging application, Windows Credential Manager contents, and files from Desktop and Documents whose names or extensions suggest passwords, recovery phrases, wallets, or backups. The malware also captures screenshots, system details, and lists of installed software.

Researchers note that this variant of BoryptGrab exhibits a previously undocumented capability to bypass Chrome’s App-Bound Encryption through direct code injection into the browser process. All stolen data is compressed before being sent to a Russia-based command-and-control server.

Arctic Wolf reports that the malware does not establish persistence on the host and is instead designed to collect as much data as possible in a single execution. Similarly, there is no anti-analysis layer at all, and the temporary directory where the collected data is stored during exfiltration staging is not wiped, leaving forensic evidence behind.

At the time of Arctic Wolf’s report, GitHub had removed a large portion of the malicious repositories, though several dozen GitHub Pages redirectors still remained active. The researchers could not attribute the campaign to a specific threat actor, though they assess that the operator is likely Russian-speaking and financially motivated.

Arctic Wolf concludes that the success of the campaign depends entirely on users trusting “free downloads” of premium software tools and recommends caution when interacting with unofficial GitHub pages. The researchers have shared a Yara rule for detecting this activity along with indicators of compromise associated with BoryptGrab.

(Source: BleepingComputer)

Topics

fake github repos 98% infostealer malware 97% boryptgrab variant 95% cryptocurrency theft 93% browser data theft 92% chrome app-bound bypass 90% social media theft 88% arctic wolf research 87% malicious landing pages 86% dll side-loading 85%