GitHub fake-repository infostealer campaign
Campaign
Summary
Hide ▲
Show ▼
A GitHub impersonation campaign is distributing infostealer malware through 292 fake repositories, expanding the risk to users searching for trusted software downloads. The operation uses README links and spoofed download pages to push a ZIP archive that side-loads a trojanized DLL into a signed updater. The payload can bypass Chrome’s App-Bound Encryption and steals browser, wallet, messaging, and credential data. Several dozen redirectors were still active at report time, keeping the delivery chain live.
Related Happenings
BoryptGrab infostealer variant delivered via fake GitHub repositories
Malware Activity
H score30
First: 14.07.2026 22:15
Last: 14.07.2026 22:15
Sources 1
How related:
The information stealer appears to be a variant of the BoryptGrab family, targeting the following data from infected systems:
About this happening:
A **BoryptGrab** infostealer variant is being delivered through **fake GitHub repositories**, expanding a credential-theft operation that can drain browser, wallet, and messaging...
BoryptGrab infostealer variant delivered via fake GitHub repositories
Malware ActivityHow related: The information stealer appears to be a variant of the BoryptGrab family, targeting the following data from infected systems:
About this happening: A **BoryptGrab** infostealer variant is being delivered through **fake GitHub repositories**, expanding a credential-theft operation that can drain browser, wallet, and messaging...
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware ActivityAbout this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
Campaign
H score83
First: 06.06.2026 09:58
Last: 06.06.2026 09:58
Sources 1
About this happening:
The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
CampaignAbout this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Miasma GitHub and npm supply-chain campaign
Campaign
H score26
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources 1
About this happening:
The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Miasma GitHub and npm supply-chain campaign
CampaignAbout this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Latest development: 05.06.2026 21:05
A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
Timeline
-
14.07.2026 22:15 1 articles · 1h ago
Fake GitHub repositories impersonate software projects to deliver infostealer malware
Campaign Scope UpdateStarting June 26, a threat actor published 292 fake GitHub repositories that impersonated legitimate software and security projects to steer users toward malicious download pages and infostealer malware. The campaign pulled traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.
Show sources
- Nearly 300 GitHub repos pose as legit software to push malware — www.bleepingcomputer.com — 14.07.2026 22:15
-
14.07.2026 22:15 2 articles · 1h ago
Arctic Wolf identifies the GitHub impersonation campaign and partial takedown
Initial DisclosureOn 2026-07-14, Arctic Wolf described a campaign that used README links and spoofed download pages to deliver rotating ZIP archives containing trojanized libcurl.dll and a signed WinGUP updater, which side-loaded the DLL to run an in-memory infostealer tied to the BoryptGrab family. GitHub had removed a large portion of the malicious repositories, but several dozen GitHub Pages redirectors were still active, and the variant could bypass Chrome’s App-Bound Encryption through direct code injection into the browser process.
Show sources
- Nearly 300 GitHub repos pose as legit software to push malware — www.bleepingcomputer.com — 14.07.2026 22:15
- Nearly 300 GitHub repos pose as legit software to push malware — www.bleepingcomputer.com — 14.07.2026 22:15