Find notable cyber news and cases, enriched with sources, timelines, and signals.

GitHub fake-repository infostealer campaign

Campaign
First reported
Last updated
Happening score
H score 41
1 unique sources, 1 articles

Summary

Hide ▲

A GitHub impersonation campaign is distributing infostealer malware through 292 fake repositories, expanding the risk to users searching for trusted software downloads. The operation uses README links and spoofed download pages to push a ZIP archive that side-loads a trojanized DLL into a signed updater. The payload can bypass Chrome’s App-Bound Encryption and steals browser, wallet, messaging, and credential data. Several dozen redirectors were still active at report time, keeping the delivery chain live.

Related Happenings

BoryptGrab infostealer variant delivered via fake GitHub repositories

Malware Activity
H score30 First: 14.07.2026 22:15 Last: 14.07.2026 22:15 Sources 1

How related: The information stealer appears to be a variant of the BoryptGrab family, targeting the following data from infected systems:

About this happening: A **BoryptGrab** infostealer variant is being delivered through **fake GitHub repositories**, expanding a credential-theft operation that can drain browser, wallet, and messaging...

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

Miasma self-replicating supply chain attack campaign targeting open-source repositories

Campaign
H score83 First: 06.06.2026 09:58 Last: 06.06.2026 09:58 Sources 1

About this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...

Miasma GitHub and npm supply-chain campaign

Campaign
H score26 First: 02.06.2026 00:38 Last: 02.06.2026 00:38 Sources 1

About this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Timeline

  1. 14.07.2026 22:15 1 articles · 1h ago

    Fake GitHub repositories impersonate software projects to deliver infostealer malware

    Campaign Scope Update

    Starting June 26, a threat actor published 292 fake GitHub repositories that impersonated legitimate software and security projects to steer users toward malicious download pages and infostealer malware. The campaign pulled traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.

    Show sources
  2. 14.07.2026 22:15 2 articles · 1h ago

    Arctic Wolf identifies the GitHub impersonation campaign and partial takedown

    Initial Disclosure

    On 2026-07-14, Arctic Wolf described a campaign that used README links and spoofed download pages to deliver rotating ZIP archives containing trojanized libcurl.dll and a signed WinGUP updater, which side-loaded the DLL to run an in-memory infostealer tied to the BoryptGrab family. GitHub had removed a large portion of the malicious repositories, but several dozen GitHub Pages redirectors were still active, and the variant could bypass Chrome’s App-Bound Encryption through direct code injection into the browser process.

    Show sources