- Kaspersky discovers 15 malicious GitHub repositories masquerading as proof-of-concept exploits, some built with Gen AI
- Victims receive a ZIP with lures and a dropper (rasmanesc.exe) which installs the WebRAT backdoor/infostealer
- GitHub has removed the repositories, but infected users should manually eradicate WebRAT and remain cautious of typosquatted packages.
Cybercriminals are now targeting security researchers (and perhaps other criminals) through fake, malware-laden proof-of-concept exploits hosted on popular repositories, experts have warned.
Cybersecurity researchers at Kaspersky said they found 15 malicious repositories hosted on GitHub. These repositories, apparently built with the help of generative artificial intelligence (Gen AI), claimed to provide exploits for several vulnerabilities that had been discovered and reported in the media.
Among them are a heap-based buffer overflow bug in Windows MSHTML/Internet Explorer, a critical authentication bypass in the OwnID Passwordless Login plugin for WordPress, and an elevation of privilege flaw in Windows Remote Access Login Manager.
Backdoor and information thief
Victims who download packages find a password-protected ZIP archive containing an empty file, a fake DLL file that serves as a lure, a batch file, and a malicious dropper named rasmanesc.exe.
This dropper elevates its privileges, disables Windows Defender, and then downloads WebRAT malware.
WebRAT is primarily a backdoor, but it also functions as an information stealer. Security researchers said it could steal login credentials from Steam, Discord, and Telegram accounts, as well as information from any cryptocurrency wallets and browser add-ons the victim may have installed. It can also use the webcam to spy on victims and take screenshots.
The campaign appears to have started in September 2025, so it has been active for a few months now. However, GitHub has now removed all malicious repositories.
Nevertheless, victims who have already downloaded the packages will not be safe until they remove all traces of WebRAT from their systems. Additionally, they should be wary of downloading additional packages, as it is possible that there are others that have not yet been discovered.
Due to its size and popularity within the software developer and cybersecurity community, GitHub is a major target for cybercriminals, who often attempt to break into users’ devices.
Via BleepingComputer