- ArcticWolf discovered 292 malicious GitHub repositories spoofing legitimate tools and products, providing a new variant of the information stealer BoryptGrab.
- The malware steals 19 browsers, 32 crypto wallets, email apps, Steam, and Windows Credential Manager, and uniquely bypasses Chrome’s app-related encryption via code injection.
- Most repositories have been deleted, but some remain active; The popularity of GitHub makes it a prime target, highlighting the need to verify code before use.
Russian actors have reportedly created hundreds of malicious GitHub repositories masquerading as legitimate software, but acting as a dangerous information stealer.
Cybersecurity researchers ArcticWolf discovered the campaign after discovering their own products had been spoofed as part of the attack.
In total, researchers found 292 fake repositories, spoofing things like security products, developer tools, macOS utilities, games, and more. Each repository contained a README file with the download URL.
Obviously malicious
Victims who download the program get a variant of the BoryptGrab infostealer family that scrapes data from 19 browsers (passwords, cookies, payment information), 32 cryptocurrency wallets, Telegram, Discord, and Steam sessions, credentials for Meta’s Max, Windows Credential Manager data, and more. It can also exfiltrate desktop files and documents and recover screenshots.
Although most of the features can be found in other BoryptGrab variants, this one is unique in that it can bypass Chrome’s application-related encryption through direct injection of code into the browser process.
Although it was not specifically stated that the threat actors were Russian, the compressed data is then sent to a command and control (C2) infrastructure based in Russia.
It’s also worth mentioning that the malware is not designed to last. It has no anti-scanning layer and doesn’t even try to hide in any specific way. It does not establish persistence and simply tries to retrieve as much sensitive data as possible on the first attempt.
The attack, which appears to have started in the last days of June, is now almost foiled, as most of the malicious repositories have been removed from GitHub. Citing “researchers”, BeepComputer however, several dozen of them remain active.
Due to its importance and popularity in the open source community, GitHub is currently one of the most targeted platforms on the Internet. This is why it is important to double-check and verify each piece of code before applying it to a project.

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




