BoryptGrab infostealer variant delivered via fake GitHub repositories
Malware Activity
Summary
Hide ▲
Show ▼
A BoryptGrab infostealer variant is being delivered through fake GitHub repositories, expanding a credential-theft operation that can drain browser, wallet, and messaging data from infected systems. The payload uses a trojanized libcurl.dll and a signed WinGUP updater to sideload and run in memory. It can bypass Chrome's App-Bound Encryption and exfiltrates data to a Russia-based C2 server.
Related Happenings
GitHub fake-repository infostealer campaign
Campaign
H score41
First: 14.07.2026 22:15
Last: 14.07.2026 22:15
Sources 1
How related:
A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.
About this happening:
A **GitHub impersonation campaign** is distributing **infostealer malware** through **292 fake repositories**, expanding the risk to users searching for trusted software downloads...
GitHub fake-repository infostealer campaign
CampaignHow related: A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.
About this happening: A **GitHub impersonation campaign** is distributing **infostealer malware** through **292 fake repositories**, expanding the risk to users searching for trusted software downloads...
CrashStealer macOS information stealer activity
Malware Activity
H score10
First: 13.07.2026 20:36
Last: 13.07.2026 20:36
Sources 1
About this happening:
**CrashStealer** is a **macOS information-stealing malware** that was tracked in **May** and seen in attacks in **early July**. It impersonates **Apple's crash-reporting tool** by...
CrashStealer macOS information stealer activity
Malware ActivityAbout this happening: **CrashStealer** is a **macOS information-stealing malware** that was tracked in **May** and seen in attacks in **early July**. It impersonates **Apple's crash-reporting tool** by...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware ActivityAbout this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
H score22
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware ActivityAbout this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Laravel-Lang PHP package supply-chain credential-stealing campaign
Campaign
H score47
First: 23.05.2026 12:51
Last: 23.05.2026 12:51
Sources 1
About this happening:
A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...
Laravel-Lang PHP package supply-chain credential-stealing campaign
CampaignAbout this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...
Timeline
-
14.07.2026 22:15 1 articles · 1h ago
Fake GitHub repositories impersonate software and security projects to spread infostealer malware
Campaign Scope UpdateA threat actor begins publishing fake GitHub repositories that impersonate legitimate software and security projects to distribute infostealer malware, with one Arctic Wolf product impersonated starting June 26 and malicious download pages used to draw visitors from search results and README links.
Show sources
- Nearly 300 GitHub repos pose as legit software to push malware — www.bleepingcomputer.com — 14.07.2026 22:15
-
14.07.2026 22:15 2 articles · 1h ago
Arctic Wolf identifies BoryptGrab infostealer delivered through fake GitHub repositories
Technical Analysis UpdateArctic Wolf analyzes a BoryptGrab infostealer variant delivered through fake GitHub repositories, noting 292 impersonating repositories, README links to spoofed download pages, a rotating ZIP archive, trojanized libcurl.dll, and a signed WinGUP updater that gup.exe uses for DLL sideloading to execute the payload in memory. The malware steals browser, wallet, messaging, and credential data, bypasses Chrome’s App-Bound Encryption through browser-process injection, compresses stolen data before exfiltration, and leaves forensic evidence because it avoids persistence and does not wipe the staging directory; at report time, GitHub had removed much of the malicious content while several dozen redirectors remained active.
Show sources
- Nearly 300 GitHub repos pose as legit software to push malware — www.bleepingcomputer.com — 14.07.2026 22:15
- Nearly 300 GitHub repos pose as legit software to push malware — www.bleepingcomputer.com — 14.07.2026 22:15