Skip to content

Threat actors are using GitHub’s search to distribute malware

  • by
  • 4 min read

Cybercriminals have been using GitHub’s search tool to disseminate malware through intricately designed repositories, which showcase layers of deception and technical nuances and present a substantial threat to unsuspecting users.

According to the researchers, attackers created fake repositories with popular names and topics, using tactics like automated updates and false endorsements to elevate search rankings and dupe users.

The attack chain explained. | Source: Checkmarx

This strategy of crafting repositories with names and themes will likely be searched by unsuspecting users, masquerading them as legitimate projects related to popular topics such as gaming or software tools. They employ tactics to ensure their repositories gain visibility.

Source: Checkmarx

Utilising GitHub Actions, the attackers frequently update the repositories by tweaking files with the current date or minor changes, artificially inflating visibility.

The attackers add stars to repositories through fake accounts, creating a facade of popularity and trustworthiness. The malware remains concealed within .csproj or .vcxproj files, making detection challenging for average users unless they actively search for suspicious elements.

Source: Checkmarx

The malicious payload, embedded within a pre-build event of a Visual Studio project file, carries out malicious actions, including downloading encrypted files based on the victim’s country code.

The attackers can adjust the malware payload based on the victim’s location, although this functionality, as explained by researchers, remains dormant for now.

Although researchers at Checkmarx have yet to pinpoint the exact nature and name of the malware, they have found that the malware associated with this campaign shares similarities with the Keyzetsu clipper malware, targeting cryptocurrency wallets.

Source: Checkmarx

The malware ensures persistence on infected Windows systems by creating a scheduled task that runs the malicious executable daily, bypassing users’ confirmation.

On April 3, the attackers updated their malicious code and distributed a large, padded executable file exceeding conventional security thresholds.

“The attacker had padded the executable with many zeros, a technique used to boost the file size artificially. Due to this padding, the file size exceeded the threshold of many security solutions, VirusTotal being a notable one, preventing the possibility of it from being scanned,” noted Checkmarx.

To create persistence, the malware creates a shortcut file ‘Feedback_API_VS_Service_Client’ that executes at 4 AM without any confirmation prompts.

Source: Checkmarx

Researchers indicate that the campaign has successfully targeted many users on GitHub, as noticed by complaints through Issues and Pull requests.

This attack highlights the continuous risk of using open-source repositories for malware dissemination. Users should stay vigilant and watch for suspicious repository attributes such as high commit frequencies and stargazers with recently created accounts. Manual code reviews and specialised malware detection tools are recommended to mitigate risks associated with open-source code.

In the News: Malicious ads for PuTTY and FileZilla distributing Nitrogen malware

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: