Stealthy GitHub Malware Campaign Targets Developers
A recent cybersecurity campaign has emerged, leveraging GitHub to distribute malicious Python code camouflaged as legitimate hacking tools. This operation, linked to the group known as Banana Squad, involved 67 repositories that hosted trojanized files resembling benign open-source projects.
Discovered by cybersecurity analysts at ReversingLabs, the campaign signifies a notable evolution in open-source software supply chain threats. Although the volume of malicious uploads to platforms like PyPI and npm has decreased, attackers are strategically employing more discreet methodologies to target environments such as GitHub.
In this campaign, the threat actors abused how GitHub renders source files: backdoor code was appended after long runs of whitespace, pushing it beyond the visible portion of the line so that it was easily missed during routine code review.
Previously identified by Checkmarx in late 2023, Banana Squad had already captured attention with a series of malware packages intended for Windows that were uploaded to Python repositories during that year, amounting to approximately 75,000 downloads before their removal.
This latest campaign used repositories that mirrored legitimate projects in both name and function. Each GitHub account generally held a single repository, suggesting they were throwaway accounts created solely to distribute malicious code. These accounts often featured “About” sections padded with thematic keywords, emojis, and unique, dynamically generated strings to make them look more authentic.
Researchers traced these repositories back to a set of malicious URL indicators, notably the domains dieserbenni[.]ru and, more recently, 1312services[.]ru. The hidden code in the Python files used several layers of obfuscation, including Base64 and hex encoding as well as Fernet encryption, to disguise the payload and the mechanism that fetched it.
To safeguard against similar threats, analysts at ReversingLabs propose that developers adhere to the following precautions:
– Verify that repositories match known-good versions of the project they claim to be.
– Be wary of GitHub accounts that hold a single repository and show minimal activity.
– Watch for connections to suspicious domains, including dieserbenni[.]ru.
– Use tools that can perform differential analysis of source code against a trusted copy.
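Two of these defensive measures, spotting code hidden behind long whitespace runs and diffing a repository against a trusted copy, can be automated. The script below is an added example written for this article; it is not code from ReversingLabs or from the campaign's repositories. The sample files, the 40-character gap threshold, and the obfuscation indicator list (Base64/hex decoding, Fernet, dynamic `exec`/`eval`) are constructed assumptions for illustration.

```python
import difflib
import re
from typing import Dict, List, Tuple

# Constructed sample: a clean file and a trojanized copy whose first line has
# extra code appended after a 400-space gap, mimicking the whitespace trick.
SAMPLE_CLEAN = (
    "import requests\n"
    "def fetch(url):\n"
    "    return requests.get(url).text\n"
)
SAMPLE_TROJANIZED = (
    "import requests" + " " * 400
    + ";import base64;exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n"
    "def fetch(url):\n"
    "    return requests.get(url).text\n"
)

# Assumption: a gap this wide between two pieces of code on one line is not
# normal formatting and is worth a human look.
MIN_HIDDEN_GAP = 40

# Assumption: indicators of the encoding layers the campaign is reported to use.
OBFUSCATION_PATTERNS = {
    "base64_decode": re.compile(r"b64decode\s*\("),
    "hex_decode": re.compile(r"fromhex\s*\(|(\\x[0-9a-fA-F]{2}){8,}"),
    "fernet": re.compile(r"\bFernet\s*\("),
    "dynamic_exec": re.compile(r"\b(exec|eval)\s*\("),
}


def find_hidden_code(source: str, min_gap: int = MIN_HIDDEN_GAP) -> List[Tuple[int, str]]:
    """Return (line number, hidden tail) for lines where code follows a long
    whitespace run. Trailing whitespace alone does not trigger a finding."""
    pattern = re.compile(r"\S\s{%d,}(\S.*)$" % min_gap)
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = pattern.search(line)
        if match:
            findings.append((lineno, match.group(1)))
    return findings


def find_obfuscation_indicators(source: str) -> Dict[str, List[int]]:
    """Map each indicator name to the line numbers where it appears."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pat in OBFUSCATION_PATTERNS.items():
            if pat.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def added_lines(reference: str, candidate: str) -> List[str]:
    """Differential analysis: lines present in the candidate file but not in
    the trusted reference copy. Diff headers are excluded."""
    diff = difflib.unified_diff(
        reference.splitlines(), candidate.splitlines(), lineterm="", n=0
    )
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def audit(reference: str, candidate: str) -> Dict[str, object]:
    """Combine the three checks into one report for a single file."""
    return {
        "hidden_code": find_hidden_code(candidate),
        "indicators": find_obfuscation_indicators(candidate),
        "added_lines": added_lines(reference, candidate),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CLEAN, SAMPLE_TROJANIZED)
    for lineno, tail in report["hidden_code"]:
        print(f"line {lineno}: code hidden after whitespace -> {tail[:60]}")
    for name, lines in report["indicators"].items():
        print(f"indicator {name} on lines {lines}")
    print(f"{len(report['added_lines'])} line(s) differ from the trusted copy")
```

The whitespace check deliberately ignores lines that merely end in spaces, so ordinary sloppy formatting does not produce noise; only a non-blank token, a wide gap, and then more code is flagged. The diff check assumes you have a trusted copy of the project to compare against, which is exactly the "known-good version" the first recommendation asks for.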
Following notification from the security researchers, GitHub removed all 67 identified repositories. The exact number of developers affected remains unknown, but given the scale of the campaign, it is considered likely that some were compromised.