Find notable cyber news and cases, enriched with sources, timelines, and signals.

SEO-poisoned GitHub facade campaign targeting enterprise admin tools

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

A high-resilience SEO-poisoning campaign is pushing malicious MSI installers through dual-stage GitHub facades, raising the risk that enterprise admins and security staff will install trojanized administrative tools. The operation repeatedly spoofs utilities such as PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer to reach high-privilege users. Between early December 2025 and April 1, 2026, it deployed 44 GitHub facades, showing sustained effort and rapid repository rotation. The delivery chain is designed to preserve search visibility while redirecting victims to hidden payload repositories.

Related Happenings

GitHub API enumeration campaign targeting corporate organizations

Campaign
H score17 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...

GitHub npm GAT publish-token mitigation guidance

Advisory/Mitigation
H score25 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...

GitHub Agentic Workflows indirect prompt injection security flaw

Vulnerability
H score27 First: 07.07.2026 17:04 Last: 07.07.2026 17:04 Sources 1

About this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

Timeline

  1. 30.04.2026 14:30 2 articles · 2mo ago

    Atos TRC discloses SEO-poisoned GitHub facade campaign

    Initial Disclosure

    Atos Threat Research Center (TRC) discloses a high-resilience campaign targeting enterprise administrators, DevOps engineers, and security analysts with SEO-poisoned search results, dual-stage GitHub facades, and malicious MSI installers impersonating tools such as PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer. The analysis ties the delivery chain to hidden payload repositories, rapid repository rotation, and Ethereum-based Blockchain-based Dead Drop Resolving (DDR) that queries a public Ethereum (ETH) RPC endpoint and a hardcoded Smart Contract address to retrieve the live C2 server address. The campaign had already deployed 44 separate GitHub facades between early December 2025 and April 1, 2026, and a preliminary alert from KISA&KrCERT/CC provided earlier visibility into the same activity.

    Show sources