logo

Nearly 300 GitHub repos pose as legit software to push malware

ID: a6ee6c76-e6f9-58f8-8d87-4d75ab8bc91e

STIX ID: report--a6ee6c76-e6f9-58f8-8d87-4d75ab8bc91e

Feed Name: Bleeping Computer

Threat Score
75/100

Date Published: 2026-07-14

Date Updated: 2026-07-15

Author: Bill Toulas

...
...

Arctic Wolf researchers uncovered a campaign of 292 fake GitHub repositories impersonating legitimate software and security projects to distribute a BoryptGrab variant that steals browser data, 32 cryptocurrency wallets, messaging tokens (Telegram, Discord, Steam, Meta), Windows credentials, and sensitive files. Victims are lured to malicious landing pages that serve trojanized ZIPs containing a signed updater executable which sideloads a malicious libcurl.dll that reflectively executes the stealer in memory; the malware also uses browser process injection to bypass Chrome App-Bound Encryption and exfiltrates compressed data to a Russia-based C2. GitHub removed many repositories, Arctic Wolf shared Yara rules and IoCs, and the operator is assessed as likely Russian-speaking and financially motivated.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.