Over 200 Compromised GitHub Repositories Identified in Targeted Campaign Against Gamers and Developers
Recent cybersecurity research has unearthed an extensive operation where threat actors have published over 67 GitHub repositories that purport to provide Python-based hacking tools but instead deliver malicious trojanized payloads. This operation, dubbed Banana Squad, is seen as a continuation of a previous rogue Python campaign identified in 2023, which targeted the Python Package Index (PyPI) with counterfeit packages that were downloaded more than 75,000 times, containing capabilities to steal information from Windows systems.
The recent findings build upon an earlier report from the SANS Internet Storm Center, which in November 2024 highlighted a disguised “steam-account-checker” tool on GitHub. This tool was designed to execute stealthy operations that involved downloading further Python payloads capable of injecting harmful code into the Exodus cryptocurrency wallet application, exfiltrating sensitive data to an external server.
Further analysis of the malicious repositories and the infrastructure controlled by the attackers revealed 67 trojanized GitHub repositories that impersonate legitimate repositories under the same names. These repositories appear to target users seeking software tools—including account cleaners and cheats for popular games such as Fortnite and services like PayPal. All affected repositories have since been removed by GitHub.
According to ReversingLabs researcher Robert Simmons, “Backdoors and trojanized code in publicly available source code repositories like GitHub are increasingly common and are a significant software supply chain attack vector.” Developers utilizing these open-source platforms are urged to diligently verify that the repositories they are using contain the expected content.
GitHub as a Vector for Malware Distribution
As GitHub becomes a focal point for multiple malware distribution campaigns, it has attracted notable attention from various threat actors. Earlier this week, Trend Micro revealed the discovery of 76 malicious GitHub repositories attributed to a group known as Water Curse, which is engaged in the deployment of multi-stage malware.
These malicious payloads are engineered to extract credentials, browser data, and session tokens while providing the attackers with persistent remote access to the compromised systems. Separately, Check Point has disclosed another campaign that employs a criminal service named Stargazers Ghost Network to target Minecraft players with Java-based malware; its researchers identified a collection of GitHub accounts that propagate malware or malicious links through phishing repositories.
The Stargazers Ghost Network consists of numerous accounts disseminating harmful links and malware as well as engaging in actions such as starring, forking, and subscribing to malicious repositories to enhance their semblance of legitimacy. Further investigation revealed that these “Ghost” accounts are part of a larger Distribution-as-a-Service ecosystem.
In April 2024, Checkmarx exposed certain aspects of the Stargazers Ghost Network, critiquing the adversaries’ strategies of using fake stars and frequent updates to artificially embellish repository popularity, ensuring they rank highly in GitHub search results. Repositories are cleverly disguised as legitimate projects, typically linked to well-known games or utilities, including cryptocurrency price trackers.
The ongoing campaigns intersect with another wave of attacks aimed at inexperienced cybercriminals seeking readily available malware on GitHub, often delivered through backdoored repositories. For instance, a trojanized repository labeled Sakura-RAT has been documented to contain malicious code that, when a developer compiles it, infects that developer's system with information stealers and various remote access trojans (RATs).
Overall, cybersecurity researchers have identified a total of 133 backdoored repositories associated with this campaign, 111 of which harbor PreBuild backdoors, while the remainder consists of Python, screensaver, and JavaScript backdoors intended to harvest user data, capture screenshots, communicate via Telegram, and fetch additional malicious payloads.
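The PreBuild backdoors mentioned above and the advice to verify repository contents before use both point to the same practical check: inspect a project's build hooks before compiling it. The script below is an added example, not code from the article or from any of the research cited; it assumes the backdoors live in MSBuild project files (PreBuildEvent bodies and Exec commands in .csproj/.vcxproj), and the heuristics and sample project are constructed for illustration.

```python
"""Pre-build hook audit: list and flag <PreBuildEvent> and <Exec> commands
in an MSBuild project file before compiling an untrusted repository."""
import re
import xml.etree.ElementTree as ET

# Assumed heuristics: patterns that rarely belong in a legitimate pre-build step.
SUSPICIOUS = [
    r"powershell[^\n]*-(e|enc|encodedcommand)\b",          # encoded PowerShell
    r"\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr)\b",  # downloaders
    r"FromBase64String|-w(indowstyle)?\s+hidden|DownloadString",  # hidden/decoding tricks
]

def extract_prebuild_commands(project_xml: str) -> list[str]:
    """Return every PreBuildEvent body and every <Exec Command="..."> in the project."""
    root = ET.fromstring(project_xml)
    cmds = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the MSBuild namespace used by older projects
        if tag == "PreBuildEvent" and el.text and el.text.strip():
            cmds.append(el.text.strip())
        elif tag == "Exec" and el.get("Command"):
            cmds.append(el.get("Command").strip())
    return cmds

def audit_prebuild(project_xml: str) -> list[tuple[str, str]]:
    """Return (command, matched_pattern) for each build hook that hits a heuristic."""
    hits = []
    for cmd in extract_prebuild_commands(project_xml):
        for pat in SUSPICIOUS:
            if re.search(pat, cmd, re.IGNORECASE):
                hits.append((cmd, pat))
                break  # one report per command is enough
    return hits

# Constructed sample: a benign asset-copy step plus a hidden, encoded PowerShell hook.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>xcopy /y "$(ProjectDir)assets" "$(OutDir)assets\\"</PreBuildEvent>
  </PropertyGroup>
  <Target Name="FetchDeps" BeforeTargets="BeforeBuild">
    <Exec Command="powershell -w hidden -enc BASE64PLACEHOLDER" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for cmd, pat in audit_prebuild(SAMPLE_CSPROJ):
        print(f"SUSPICIOUS pre-build command: {cmd!r} (matched {pat})")
```

Run it over each project file in a freshly cloned repository; any hit is a reason to read the hook in full before pressing Build.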
These operations are thought to be tied to a Distribution-as-a-Service (DaaS) model that has been in effect since August 2022, employing thousands of GitHub accounts to disseminate malware disguised within trojanized repositories related to gaming exploits and attack tools. While the exact means of distribution remains somewhat obscure, it is believed that threat actors also leverage platforms like Discord and YouTube to circulate links to these compromised repositories.
The potential for evolving these campaigns into future operations targeting broader groups—beyond novice cybercriminals and gamers seeking cheats—remains a significant concern for cybersecurity experts.