- ArcticWolf uncovered 292 malicious GitHub repositories that counterfeited legitimate tools and products and delivered a new BoryptGrab infostealer variant
- Malware steals from 19 browsers, 32 crypto wallets, messaging apps, Steam and Windows Credential Manager and uniquely bypasses Chrome’s App-Bound Encryption via code injection
- Most repos have been removed, but some remain active; GitHub’s popularity makes it a prime target, underscoring the need to vet code before use
Russian actors have reportedly created hundreds of malicious GitHub repositories that masquerade as legitimate software but act as a dangerous info stealer.
Cybersecurity researchers ArcticWolf discovered the campaign after finding their own products counterfeited as part of the attack.
In total, the researchers found 292 fake repositories that faked things like security products, developer tools, macOS tools, games, and more. Each repository contained a README file with the download URL.
Obviously malicious
Victims who download the program get a variant of the BoryptGrab infostealer family that retrieves data from 19 browsers (passwords, cookies, payment information), 32 cryptocurrency wallets, Telegram, Discord, and Steam sessions, Meta’s Max credentials, Windows Credential Manager data, and more. It can also exfiltrate files from the desktop and documents and take screenshots.
While most of the features can be found in other BoryptGrab variants, this one is unique in a sense that it can bypass Chrome’s App-Bound Encryption through direct code injection into the browser process.
Although it has not been specifically said that the threat actors are Russian, the compressed data is later sent to a Russia-based command-and-control (C2) infrastructure.
What is also worth mentioning is that the malware is not designed to last. It has no anti-analysis layer and doesn’t even try to hide itself in any particular way. It does not establish persistence and simply tries to grab as much sensitive data as it can on the first try.
The attack, which appears to have started in the last days of June, is almost foiled now that most of the malicious repositories have been removed from GitHub. Referring to “researchers”, Bleeping Computer reported that several dozen still remain active.
Due to its importance and popularity in the open source community, GitHub is currently one of the most targeted platforms on the Internet, which is why it is important to double-check and examine every piece of code before applying it to a project.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



