Find notable cyber news and cases, enriched with sources, timelines, and signals.

BoryptGrab infostealer variant delivered via fake GitHub repositories

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

A BoryptGrab infostealer variant is being delivered through fake GitHub repositories, expanding a credential-theft operation that can drain browser, wallet, and messaging data from infected systems. The payload uses a trojanized libcurl.dll and a signed WinGUP updater to sideload and run in memory. It can bypass Chrome's App-Bound Encryption and exfiltrates data to a Russia-based C2 server.

Related Happenings

GitHub fake-repository infostealer campaign

Campaign
H score41 First: 14.07.2026 22:15 Last: 14.07.2026 22:15 Sources 1

How related: A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.

About this happening: A **GitHub impersonation campaign** is distributing **infostealer malware** through **292 fake repositories**, expanding the risk to users searching for trusted software downloads...

CrashStealer macOS information stealer activity

Malware Activity
H score10 First: 13.07.2026 20:36 Last: 13.07.2026 20:36 Sources 1

About this happening: **CrashStealer** is a **macOS information-stealing malware** that was tracked in **May** and seen in attacks in **early July**. It impersonates **Apple's crash-reporting tool** by...

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
H score22 First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Laravel-Lang PHP package supply-chain credential-stealing campaign

Campaign
H score47 First: 23.05.2026 12:51 Last: 23.05.2026 12:51 Sources 1

About this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...

Timeline

  1. 14.07.2026 22:15 1 articles · 1h ago

    Fake GitHub repositories impersonate software and security projects to spread infostealer malware

    Campaign Scope Update

    A threat actor begins publishing fake GitHub repositories that impersonate legitimate software and security projects to distribute infostealer malware, with one Arctic Wolf product impersonated starting June 26 and malicious download pages used to draw visitors from search results and README links.

    Show sources
  2. 14.07.2026 22:15 2 articles · 1h ago

    Arctic Wolf identifies BoryptGrab infostealer delivered through fake GitHub repositories

    Technical Analysis Update

    Arctic Wolf analyzes a BoryptGrab infostealer variant delivered through fake GitHub repositories, noting 292 impersonating repositories, README links to spoofed download pages, a rotating ZIP archive, trojanized libcurl.dll, and a signed WinGUP updater that gup.exe uses for DLL sideloading to execute the payload in memory. The malware steals browser, wallet, messaging, and credential data, bypasses Chrome’s App-Bound Encryption through browser-process injection, compresses stolen data before exfiltration, and leaves forensic evidence because it avoids persistence and does not wipe the staging directory; at report time, GitHub had removed much of the malicious content while several dozen redirectors remained active.

    Show sources