SEO-poisoned GitHub facade campaign targeting enterprise admin tools
Campaign
Summary
A high-resilience SEO-poisoning campaign is pushing malicious MSI installers through dual-stage GitHub facades, raising the risk that enterprise admins and security staff will install trojanized administrative tools. The operation repeatedly spoofs utilities such as PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer to reach high-privilege users. Between early December 2025 and April 1, 2026, it deployed 44 GitHub facades, showing sustained effort and rapid repository rotation. The delivery chain is designed to preserve search visibility while redirecting victims to hidden payload repositories.
Related Happenings
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Megalodon GitHub CI/CD supply-chain campaign
Campaign
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
Timeline
30.04.2026 14:30 · 2 articles
Atos TRC discloses SEO-poisoned GitHub facade campaign
Initial Disclosure: Atos Threat Research Center (TRC) discloses a high-resilience campaign targeting enterprise administrators, DevOps engineers, and security analysts with SEO-poisoned search results, dual-stage GitHub facades, and malicious MSI installers impersonating tools such as PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer. The analysis ties the delivery chain to hidden payload repositories, rapid repository rotation, and blockchain-based Dead Drop Resolving (DDR) on Ethereum: the implant queries a public Ethereum (ETH) RPC endpoint for a hardcoded smart-contract address to retrieve the live C2 server address. The campaign had already deployed 44 separate GitHub facades between early December 2025 and April 1, 2026, and a preliminary alert from KISA&KrCERT/CC provided earlier visibility into the same activity.
Sources
- EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades — thehackernews.com — 30.04.2026 14:30
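The DDR mechanism described in the disclosure above leaves a usable network signature: an endpoint that has no business reading smart-contract state suddenly issues Ethereum JSON-RPC requests (typically `eth_call` against a fixed contract address) to a public RPC provider. The following detection sketch is an added example written for this page; it is not code from the Atos TRC report or from The Hacker News article, and it contains no indicator from the campaign. The proxy log format, the sample lines, the RPC hostname, the contract address (an all-zero placeholder) and the allowlist of hosts permitted to talk to Ethereum nodes are all constructed assumptions.

```python
"""Flag Ethereum JSON-RPC traffic from hosts that should not produce it.

Added example for this page (not the report's or the vendor's code).
Log format, hosts, addresses and allowlist below are constructed assumptions.
"""
import json
import re
from collections import Counter
from typing import Optional, Tuple

# Constructed web-proxy lines: "<ts> <client> <method> <url> <status> <body|->"
SAMPLE_LOGS = [
    # benign: an admin browsing GitHub
    '2026-04-01T10:14:58Z 10.0.7.41 GET https://github.com/example-org/example-repo 200 -',
    # suspicious: a workstation reading contract state via eth_call
    '2026-04-01T10:15:02Z 10.0.7.41 POST https://eth-rpc.example.invalid/ 200 '
    '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x0000000000000000000000000000000000000001","data":"0x"},"latest"]}',
    # allowed: a host on the allowlist (e.g. a blockchain research box)
    '2026-04-01T10:15:10Z 10.0.5.20 POST https://eth-rpc.example.invalid/ 200 '
    '{"jsonrpc":"2.0","id":7,"method":"eth_call","params":[{"to":"0x0000000000000000000000000000000000000001","data":"0x"},"latest"]}',
    # suspicious: same workstation reading a storage slot directly
    '2026-04-01T10:15:31Z 10.0.7.41 POST https://eth-rpc.example.invalid/ 200 '
    '{"jsonrpc":"2.0","id":2,"method":"eth_getStorageAt","params":["0x0000000000000000000000000000000000000001","0x0","latest"]}',
    # benign: a JSON POST that is not JSON-RPC at all
    '2026-04-01T10:16:00Z 10.0.9.8 POST https://api.example.invalid/graphql 200 {"query":"{viewer{login}}"}',
    # malformed line and truncated body: both must be skipped, not crash the parser
    'garbage',
    '2026-04-01T10:16:05Z 10.0.9.8 POST https://eth-rpc.example.invalid/ 400 {"jsonrpc":"2.0","method":"eth_',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<body>.*)$'
)

# RPC methods that read contract state; a dead-drop resolver needs one of these.
STATE_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
# Assumption: hosts with a legitimate reason to query Ethereum nodes.
ALLOWED_CLIENTS = {"10.0.5.20"}


def parse_line(line: str) -> Optional[dict]:
    """Split one proxy line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def ethereum_rpc_call(body: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (rpc_method, contract_address) if body is an Ethereum JSON-RPC request."""
    if not body or body == "-":
        return None
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
        return None
    method = req.get("method")
    if not isinstance(method, str) or not method.startswith("eth_"):
        return None
    params = req.get("params") or []
    contract = None
    if params and isinstance(params[0], dict):      # eth_call style: {"to": ...}
        contract = params[0].get("to")
    elif params and isinstance(params[0], str):     # eth_getStorageAt style: address first
        contract = params[0]
    return method, contract


def find_ddr_candidates(lines, allowed_clients=ALLOWED_CLIENTS) -> list:
    """Return one record per Ethereum RPC request from a non-allowlisted client."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        rpc = ethereum_rpc_call(rec["body"])
        if rpc is None or rec["src"] in allowed_clients:
            continue
        rpc_method, contract = rpc
        hits.append({
            "ts": rec["ts"], "src": rec["src"], "url": rec["url"],
            "rpc_method": rpc_method, "contract": contract,
            "state_read": rpc_method in STATE_READ_METHODS,
        })
    return hits


def count_by_source(hits) -> Counter:
    """Repeated state reads of one address from one client are the strongest signal."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    for h in find_ddr_candidates(SAMPLE_LOGS):
        print(h)
    print(count_by_source(find_ddr_candidates(SAMPLE_LOGS)))
```

Run against real proxy or TLS-inspection logs, the useful pivot is `count_by_source` combined with the `contract` field: a single host repeatedly calling the same address on a public RPC provider is far more telling than one isolated request, and the allowlist keeps legitimate blockchain tooling out of the alert stream.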