Cybercriminals Target GitHub Users with 67 Fake Hacking Tool Repositories

Security researchers have identified a malicious campaign where attackers created over 67 fraudulent GitHub repositories masquerading as legitimate Python hacking tools while actually distributing malware-infected software.

This operation, dubbed "Banana Squad" by ReversingLabs, appears to be an extension of a previous 2023 attack targeting the Python Package Index (PyPI) with fake packages that were downloaded more than 75,000 times and contained data-stealing malware for Windows computers.

The investigation builds upon earlier research from SANS's Internet Storm Center in November 2024, which exposed a fake "steam-account-checker" tool on GitHub. This tool secretly downloaded additional Python malware capable of compromising the Exodus cryptocurrency wallet and transmitting stolen information to an external server at "dieserbenni[.]ru."

Through deeper examination of the repository and associated malicious infrastructure, researchers discovered 67 weaponized GitHub repositories that copied the names of legitimate projects to deceive users.

The campaign specifically targets individuals seeking software like account management tools and gaming cheats, including Discord account cleaners, Fortnite external cheats, TikTok username checkers, and PayPal bulk account checkers. GitHub has since removed all identified malicious repositories.

"Malicious backdoors and compromised code in public source repositories like GitHub are becoming increasingly common and pose a significant threat to software supply chains," explained ReversingLabs researcher Robert Simmons. "Developers using these open-source platforms must carefully verify that repositories actually contain the expected content."

GitHub Emerges as Prime Malware Distribution Platform

This discovery highlights GitHub's growing role as a preferred malware distribution channel. Earlier this week, Trend Micro revealed 76 malicious GitHub repositories operated by the "Water Curse" threat group to deploy multi-stage malware targeting credentials, browser data, and session tokens while establishing persistent system access.

Additionally, Check Point uncovered another campaign utilizing the "Stargazers Ghost Network" criminal service to distribute Java-based malware to Minecraft players. This network consists of multiple GitHub accounts that spread malicious content through fake repositories designed to appear legitimate through artificial engagement metrics.

"The network includes numerous accounts that distribute harmful links and malware while performing activities like starring, forking, and subscribing to malicious repositories to boost their credibility," Check Point researchers noted.

The company believes these "GitHub 'Ghost' accounts represent just one component of a broader Distribution-as-a-Service ecosystem operating across multiple platforms."

Checkmarx previously exposed elements of the Stargazers Ghost Network in April 2024, revealing how attackers use fake engagement and frequent updates to artificially boost repository popularity and improve search rankings. These repositories cleverly disguise themselves as legitimate projects related to popular games, cheats, or utilities like cryptocurrency trackers and betting prediction tools.

Backdoored Tools Target Aspiring Cybercriminals

These campaigns intersect with another attack strategy targeting inexperienced cybercriminals searching for ready-made malware and attack tools on GitHub through compromised repositories.

Sophos recently highlighted the trojanized Sakura-RAT repository, whose source contained malicious code that, once compiled and run, infected the would-be operators' own systems with information stealers and remote access trojans.

The compromised repositories serve as delivery mechanisms for four distinct types of backdoors embedded in Visual Studio PreBuild events, Python scripts, screensaver files, and JavaScript. These backdoors steal data, capture screenshots, communicate through Telegram, and download additional payloads including AsyncRAT, Remcos RAT, and Lumma Stealer.
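As an added example, not code from the article or from Sophos, the following defender-side check audits the MSBuild project files in a cloned repository for PreBuildEvent/PostBuildEvent commands and Exec tasks before anything is built; the suspicious-token list and the sample project file are constructed for illustration.

```python
"""Audit MSBuild project files for build-event commands before compiling a cloned repo.
Added example, not the article's or any vendor's code; the token list is an assumption."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Substrings that make a build command worth a human look before building (assumed list).
SUSPICIOUS = ("powershell", "-enc", "frombase64string", "downloadstring",
              "invoke-webrequest", "curl ", "wget ", "certutil", "bitsadmin")

def extract_build_events(xml_text: str) -> list[str]:
    """Return every PreBuildEvent/PostBuildEvent value and <Exec Command> in a project file."""
    root = ET.fromstring(xml_text)
    events = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the MSBuild XML namespace used by older projects
        if tag in ("PreBuildEvent", "PostBuildEvent") and (el.text or "").strip():
            events.append(el.text.strip())
        elif tag == "Exec" and el.get("Command"):
            events.append(el.get("Command").strip())
    return events

def classify(command: str) -> str:
    """Label a command by the suspicious tokens it contains; anything else still needs review."""
    hits = [t for t in SUSPICIOUS if t in command.lower()]
    return "SUSPICIOUS (%s)" % ", ".join(hits) if hits else "review"

def audit_repo(repo: Path) -> dict[str, list[tuple[str, str]]]:
    """Map each project file (relative path) to its (command, verdict) pairs."""
    report = {}
    for proj in sorted(list(repo.rglob("*.csproj")) + list(repo.rglob("*.vcxproj"))):
        events = extract_build_events(proj.read_text(encoding="utf-8"))
        report[str(proj.relative_to(repo))] = [(c, classify(c)) for c in events]
    return report

# Constructed sample: a project whose pre-build step launches an encoded PowerShell command.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><PreBuildEvent>powershell -w hidden -enc AAAA</PreBuildEvent></PropertyGroup>
  <Target Name="Prep" BeforeTargets="PreBuildEvent"><Exec Command="echo building" /></Target>
</Project>"""

def run_demo() -> dict[str, list[tuple[str, str]]]:
    """Write the constructed sample into a temporary checkout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "Example.csproj").write_text(SAMPLE_CSPROJ, encoding="utf-8")
        return audit_repo(Path(tmp))

if __name__ == "__main__":
    for path, findings in run_demo().items():
        for cmd, verdict in findings:
            print(f"{path}: {verdict}: {cmd}")
```

Run it against a freshly cloned repository's root directory before opening the solution in Visual Studio; any build event that is not plainly a normal build step deserves inspection regardless of verdict.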

Sophos identified at least 133 backdoored repositories in this campaign, with 111 containing PreBuild backdoors and others hosting Python, screensaver, and JavaScript-based threats.

The security firm believes these activities connect to a Distribution-as-a-Service operation running since August 2022, using thousands of GitHub accounts to distribute malware through gaming cheat, exploit, and attack tool repositories.

While the exact distribution methods remain unclear, researchers suspect the attackers also leverage Discord servers and YouTube channels to promote links to their malicious repositories.

"The connection between this campaign and previously reported operations remains uncertain, but this approach appears popular and effective, suggesting it will likely persist in various forms," Sophos concluded. "Future campaigns may potentially shift focus beyond inexperienced cybercriminals and gaming cheat users to target different user groups."