Nearly 300 Fake GitHub Repos Are Stealing Passwords and Crypto Wallets: Here's What Happened
A massive campaign using nearly 300 fake GitHub repositories has been stealing passwords, cryptocurrency wallet data, and sensitive information from messaging apps by impersonating legitimate software projects. The threat actor behind the scheme created convincing copies of popular security tools, cryptocurrency services, and developer utilities, then used search engine optimization to trick users into downloading malware instead of the real software.
How Did This Malware Campaign Work?
The attack relied on a deceptively simple but effective strategy. Cybersecurity company ArcticWolf discovered the campaign after finding that one of its own products was being impersonated starting June 26. The researchers then uncovered 292 fake repositories in total, each containing a README file with a download link that directed visitors to a malicious landing page.
The landing pages were designed to look legitimate, featuring professional branding, trust badges, and buttons labeled "Download Secure Content." Behind the scenes, however, the pages delivered a large ZIP archive containing trojaned software. The malware used a technique called DLL side-loading, where a legitimate, signed updater program would load a malicious library file into memory, allowing the infostealer to run without being detected by traditional security tools.
What made this campaign particularly sophisticated was its use of a templated delivery system. The researchers noted that the attacker reused the same HTML and JavaScript code across all 292 repositories, simply swapping out brand names and logos. The system tracked which repository each user came from by parsing the URL, allowing the attacker to measure which impersonated brands were most effective at driving downloads.
What Data Was Being Stolen?
The malware variant, identified as part of the BoryptGrab family, was designed to extract a staggering amount of sensitive information from infected systems. Once executed, it would collect data and send it to a command-and-control server based in Russia within a single session, without establishing persistence on the victim's computer.
- Browser Data: Passwords, cookies, payment information, and other sensitive data from 19 different web browsers
- Cryptocurrency Assets: Data from 32 cryptocurrency wallet brands, putting users' digital assets at direct risk
- Messaging and Social Media: Telegram sessions, Discord tokens, Steam session tokens, and credentials for Meta's Max messaging application
- System Credentials: Windows Credential Manager contents and files from Desktop and Documents folders that appeared to contain passwords or recovery phrases
- System Information: Screenshots, system details, and lists of installed software
One particularly concerning discovery was that this variant of BoryptGrab had a previously undocumented capability to bypass Chrome's App-Bound Encryption through direct code injection into the browser process. This means the malware could extract encrypted data from Chrome that would normally be protected, giving attackers access to passwords and payment information that users thought were secure.
Why Was This Campaign So Successful?
The campaign's success depended entirely on user trust in free downloads of premium software. By impersonating well-known security products, cryptocurrency tools, and developer utilities, the attacker exploited a common assumption that if something appears in search results and looks professional, it must be legitimate. The fake repositories included impersonations of security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.
The attacker also demonstrated operational security awareness by changing the malware payload roughly every minute, making it harder for security researchers to track and block the campaign. Additionally, the malware did not establish persistence or include anti-analysis protections, suggesting the attacker was focused on maximizing data theft in a single execution rather than maintaining long-term access to compromised systems.
How to Protect Yourself From Similar Attacks
- Verify Official Sources: Always download software directly from the official website or verified app store, never from unofficial GitHub pages or search results that may lead to impersonations
- Check Repository Details: Look for verification badges, check the repository's creation date and commit history, and verify that the maintainer matches the official project owner
- Use Multi-Factor Authentication: Enable two-factor authentication on cryptocurrency wallets, email accounts, and messaging apps to prevent unauthorized access even if passwords are stolen
- Monitor Your Accounts: Regularly check your cryptocurrency wallets, email accounts, and financial accounts for suspicious activity, and consider using password managers to detect compromised credentials
- Keep Software Updated: Ensure your operating system, browsers, and security software are fully patched to prevent exploitation of known vulnerabilities
At the time of ArcticWolf's report, GitHub had removed a large portion of the malicious repositories, though several dozen GitHub Pages redirectors remained active. The researchers could not attribute the campaign to a specific threat actor but assessed that the operator was likely Russian-speaking and financially motivated.
ArcticWolf shared detection tools and indicators of compromise to help security teams identify this activity, but the campaign underscores a broader challenge in cybersecurity: the ease with which attackers can create convincing impersonations of legitimate software and distribute them at scale through platforms like GitHub.