- Kaspersky finds 15 malicious GitHub repositories posing as proof-of-concept exploits, some made with Gen AI
- Victims receive a ZIP with decoys and a dropper (rasmanesc.exe) that installs the WebRAT backdoor/infostealer
- GitHub removed the repositories, but infected users must manually eradicate WebRAT and remain wary of typos in packages
Cybercriminals are now targeting security researchers (and possibly other criminals) through malware-laden fake proof-of-concept exploits hosted on popular repositories, experts have warned.
Cybersecurity researchers Kaspersky said they found 15 malicious repositories hosted on GitHub. These repositories, apparently made with the help of Generative Artificial Intelligence (Gen AI), claimed to provide an exploit for several vulnerabilities discovered and reported in the media.
Among them are a heap-based buffer overflow bug in Windows MSHTML/Internet Explorer, a critical authentication bypass in the OwnID Passwordless Login plugin for WordPress, and an elevation-of-privilege bug in Windows’ Remote Access Connection Manager.
Back door and info thieves
Victims who download packages find a password-protected ZIP archive with an empty file, a fake DLL file that acts as a decoy, a batch file, and a malicious dropper named rasmanesc.exe.
This dropper elevates its privileges, disables Windows Defender, and then downloads the WebRAT malware.
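The archive layout described above (an empty file, a decoy DLL, a batch file and the `rasmanesc.exe` dropper) can be checked from a ZIP's central directory before anything is extracted. The following is an added example, not code from Kaspersky, TechRadar or GitHub: it builds a constructed sample archive in memory that mirrors that layout and then triages it from metadata alone. The only indicator taken from the article is the dropper file name; the suffix lists, the scoring weights and the `build_sample_archive` contents are assumptions made for the example.

```python
"""Triage the file listing of a downloaded 'proof-of-concept' archive.

Added example (not from the article's sources): builds a constructed ZIP that
mirrors the layout the article describes, then flags indicators a defender
would check before extracting or running anything from it.
"""
import io
import zipfile

# Dropper name taken from the article; the suffix sets are assumptions.
KNOWN_DROPPER_NAMES = {"rasmanesc.exe"}
BINARY_SUFFIXES = (".exe", ".scr", ".com", ".dll")
SCRIPT_SUFFIXES = (".bat", ".cmd", ".ps1", ".vbs", ".js")


def build_sample_archive() -> bytes:
    """Constructed sample: empty file, decoy DLL, batch file, named dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.md", "# PoC for CVE-XXXX-XXXX (placeholder)\n")
        zf.writestr("empty.txt", "")
        zf.writestr("decoy.dll", b"MZ" + b"\x00" * 64)     # decoy, not a real PE
        zf.writestr("exploit.bat", "@echo off\r\nstart rasmanesc.exe\r\n")
        zf.writestr("rasmanesc.exe", b"MZ" + b"\x00" * 128)  # stand-in bytes only
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Return findings computed from archive metadata only.

    Names, sizes and the encryption flag live in the central directory, so
    this also works on a password-protected ZIP; nothing is extracted.
    """
    findings = {
        "known_dropper": [],
        "binaries": [],
        "scripts": [],
        "empty_files": [],
        "encrypted": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            base = lower.rsplit("/", 1)[-1]
            if info.flag_bits & 0x1:          # bit 0: entry is encrypted
                findings["encrypted"] = True
            if base in KNOWN_DROPPER_NAMES:
                findings["known_dropper"].append(name)
            if lower.endswith(BINARY_SUFFIXES):
                findings["binaries"].append(name)
            if lower.endswith(SCRIPT_SUFFIXES):
                findings["scripts"].append(name)
            if info.file_size == 0 and not name.endswith("/"):
                findings["empty_files"].append(name)
    return findings


def risk_score(findings: dict) -> int:
    """Additive score with assumed weights; tune to your own policy."""
    score = 0
    if findings["known_dropper"]:
        score += 10
    score += 3 * len(findings["binaries"])   # a PoC shipping compiled binaries instead of source
    score += 2 * len(findings["scripts"])
    score += len(findings["empty_files"])
    if findings["encrypted"]:
        score += 2                            # password-protected archives evade scanners
    return score


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("risk score:", risk_score(result))
```

The check is deliberately metadata-only: a legitimate proof-of-concept normally ships source files, so precompiled binaries, launcher scripts and a password-protected archive are each worth a look before the archive is opened on anything other than an isolated analysis machine.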
WebRAT is primarily a backdoor, but it also acts as an info stealer. Security researchers said it can steal login credentials for Steam, Discord and Telegram accounts, as well as information from any cryptocurrency wallets and browser add-ons the victim may have installed. It can also use the webcam to spy on its victims and take screenshots.
The campaign appears to have started in September 2025, so it has been active for a few months now. However, GitHub has now removed all the malicious repositories.
Even so, victims who have already downloaded the packages will not be safe until they remove all traces of WebRAT from their systems. They should also be wary of downloading further packages, as more malicious repositories may exist that have not yet been discovered.
Because of its size and popularity in the software development and cybersecurity communities, GitHub is a major target for cybercriminals looking to infect users’ devices.
Via Bleeping Computer