A large-scale campaign is exploiting developer trust in open-source platforms by leveraging nearly 300 fake GitHub repositories to distribute infostealer malware. Uncovered by BleepingComputer, the scheme involves threat actors creating repositories that closely mirror legitimate software projects, targeting both individual developers and potentially infiltrating corporate networks through deceptive downloads.
At the core of this operation is a coordinated social engineering effort. Researchers found that malicious actors established GitHub repositories acting as near-perfect clones of popular, authentic projects. These decoys replicate detailed descriptions, screenshots, and directory structures to appear genuine, aiming to lure users searching for specific tools into downloading a malicious payload.
The attack method relies on user-initiated actions rather than code embedding. Threat actors place prominent "Download" links within the repository's README files, directing users to external hosting sites. There, victims are prompted to download what appears to be the software binary. This step cleverly bypasses automated code-scanning tools, shifting the burden of detection to human judgment.
The payload is a sophisticated infostealer designed to exfiltrate high-value data. Analysis indicates the malware targets browser credentials, autofill data, and session cookies, alongside cryptocurrency wallet files, seeds, and system information. This data collection enables severe outcomes, including account takeovers, financial theft, and further network compromise.
The campaign primarily exploits behavioral vulnerabilities—the inherent trust developers place in GitHub's platform and its social indicators like stars and forks, which can be artificially inflated to mimic legitimacy. This highlights that repository verification is a critical user responsibility, as superficial metrics offer no assurance of authenticity for newly cloned projects.
This incident underscores persistent software supply chain risks, extending beyond dependencies to the discovery phase. Developers must adopt strict verification protocols, such as checking repository creation dates, contributor histories, and favoring official distribution channels. Simultaneously, platforms need to enhance governance with stronger warnings for external links and stricter flagging of impersonation attempts to safeguard the ecosystem.
一場大規模行動正利用開發者對開源平台的信任,透過近300個虛假GitHub倉庫分發資訊竊取惡意軟件。據BleepingComputer揭露,此計劃涉及威脅行為者建立與合法軟件項目高度相似的倉庫,目標鎖定個別開發者,並可能透過欺騙性下載滲透企業網絡。
此行動的核心是一項協調的社交工程攻擊。研究人員發現惡意行為者建立了近乎完美複製熱門真實項目的GitHub倉庫。這些偽造項目複製了詳細說明、截圖和目錄結構以假亂真,旨在引誘搜索特定工具的用戶下載惡意載荷。
攻擊方法依賴用戶自主操作而非代碼嵌入。威脅行為者在倉庫的README文件中放置顯眼的「下載」鏈接,引導用戶至外部託管網站。受害者在此處會被提示下載看似軟件二進制文件的檔案。此步驟巧妙繞過自動化代碼掃描工具,將檢測責任轉移至人工判斷。
該載荷是一款精密的資訊竊取程式,專門設計用於外洩高價值數據。分析顯示,惡意軟件針對瀏覽器憑證、自動填充數據、會話Cookie,以及加密貨幣錢包文件、種子碼和系統資訊。這些數據收集可能導致嚴重後果,包括賬戶盜用、金融盜竊及進一步的網絡入侵。
此行動主要利用行為漏洞——開發者對GitHub平台及其社交指標(如星標和分叉)固有的信任,而這些指標可被人為抬高以模仿合法性。這突顯了倉庫驗證是用戶的關鍵責任,因為表面指標無法保證新複製項目的真實性。
這次事件突顯了持續存在的軟件供應鏈風險,範圍已擴展至發現階段。開發者必須採取嚴格的驗證協議,例如檢查倉庫創建日期、貢獻者歷史記錄,並優先使用官方分發渠道。同時,平台需加強治理,為外部鏈接提供更強警示,並更嚴格地標記冒充嘗試,以保障生態系統安全。
