Back to Feed
MalwareJul 14, 2026

Nearly 300 GitHub repos pose as legit software to push malware

Nearly 300 GitHub repos impersonated legit software to distribute infostealer malware.

Summary

A threat actor created almost 300 fake GitHub repositories mimicking legitimate software and security projects to distribute an infostealer malware. The campaign targeted users searching for security products, crypto services, and developer tools, leading them to malicious download pages. The malware, a variant of BoryptGrab, steals browser data, cryptocurrency wallet information, and credentials from various applications, exfiltrating the data to a Russia-based C2 server.

Full text

Nearly 300 GitHub repos pose as legit software to push malware By Bill Toulas July 14, 2026 03:15 PM 0 A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware. The campaign drew traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software. The malware collects data from more than 19 web browsers, steals info from 32 cryptocurrency wallets, and exfiltrates sensitive details from messaging and social media apps. Cybersecurity company ArcticWolf identified the activity after finding that one of its products was impersonated in the campaign starting June 26. In total, the researchers uncovered 292 fake repositories, each including a README file with a download link directing visitors to a malicious download page. Fake GitHub repository featuring badges of authenticitySource: Arctic Wolf The landing pages feature wording and branding designed to inspire trust, such as a button named "Download Secure Content" and spoofed trust badges. Analyzing the code for the delivery page, the researchers noticed that it relies on "a single templated HTML/JS artifact reused across all impersonated brands." " Its client-side script parses the URL path into two segments – path[0] as a user_code (the “rotating” path token, e.g., yyvxx9rswefr, which tracks the referring repository/redirector), and path[1] as the referrer domain (e.g., Arctic-Wolf[.]github.io)," Arctic Wolf says. Visible branding is derived from a second segment when it is rendered, by replacing the hyphens with spaces and applying the proper title cases. The malicious landing pageSource: Arctic Wolf According to the researchers, the page delivers a large ZIP archive, whose name and payload is changed roughly every minute. Inside the archive is a trojanized libcurl.dll and a legitimate, signed WinGUP updater that gets a different name based on the impersonated product. “When the user runs the executable, gup.exe side-loads libcurl.dll, which decodes and reflectively executes an embedded infostealer entirely in memory.” The information stealer appears to be a variant of the BoryptGrab family, targeting the following data from infected systems: Passwords, cookies, payment information, and other data from 19 web browsers Data of 32 cryptocurrency wallet brands Telegram sessions, Discord tokens, and Steam session tokens Credentials for Meta’s Max messaging application Windows Credential Manager contents Files from Desktop and Documents whose names or extensions suggested passwords, recovery phrases, wallets, backups, etc. Screenshots, system details, and installed-software lists The researchers note that this variant of BoryptGrab exhibits a previously undocumented capability to bypass Chrome’s App-Bound Encryption through direct code injection into the browser process. The stolen data is compressed before being sent to a Russia-based command-and-control (C2) server. The stealer's execution and data-theft flowSource: Arctic Wolf Arctic Wolf reports that the malware does not establish persistence on the host and is instead designed to collect as much data as possible in a single execution. Similarly, there’s no anti-analysis layer at all, and the temporary directory where the collected data is stored during exfiltration staging isn’t wiped, leaving forensic evidence behind. At the time of Arctic Wolf’s report, GitHub had removed a large portion of the malicious repositories, though the researchers report that several dozen GitHub Pages redirectors still remained active. The researchers couldn’t attribute the campaign to a specific threat actor, though they assess that the operator is likely Russian-speaking and financially motivated. Arctic Wolf concludes that the success of the campaign depends entirely on users trusting “free downloads” of premium software tools and recommends caution when interacting with unofficial GitHub pages. The researchers shared a Yara rule for detecting this activity along with indicators of compromise (IoCs) associated with BoryptGrab. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: New CrashStealer malware poses as Apple crash reporting toolCritical SimpleHelp flaw exploited to deploy new stealer malwareSteam Workshop abused to spread malware via Wallpaper Engine appNew Shai-Hulud malware wave compromises 600 npm packagesPopular node-ipc npm package compromised to steal credentials

Indicators of Compromise

  • malware — BoryptGrab

Entities

libcurl.dll (product)WinGUP (product)ArcticWolf (vendor)GitHub Pages (technology)