Attackers keep using GitHub to distribute malware
GitHub's growing abuse as a malware distribution platform shows no signs of slowing.

GitHub logo. By Getty Images
- Arctic Wolf found at least 292 fake GitHub repositories spreading BoryptGrab malware through trojanized installers.
- The campaign impersonates trusted software projects and uses external download links rather than exploiting GitHub vulnerabilities.
- The Windows malware can steal browser passwords, cryptocurrency wallet data, and other sensitive information from developers.
- GitHub removed many flagged repositories, but researchers expect attackers to keep creating new fake accounts automatically.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Researchers have found an active campaign comprising hundreds of malicious tools posing as trusted software projects to infect developers with information-stealing malware.
Researchers from Arctic Wolf have shared details about a financially motivated threat actor that has published at least 292 fake GitHub repositories in a campaign designed to deliver a variant of the BoryptGrab malware.
The attack does not exploit any vulnerabilities, but rather relies on brandjacking by impersonating legitimate software, security vendors, cryptocurrency services, developer tools, and more.
One of the repos was in fact impersonating Arctic Wolf itself, which spurred the company to dig deeper and uncover the extent of the campaign.
Active since June 26th, 2026, the purpose of the campaign is to distribute infostealer malware that runs exclusively on Windows.
The repositories do not host malware directly. Instead, they feature polished README files designed to look authentic, and prominent download links that redirect victims to external websites that serve trojanized installers.
The attackers rely on DLL sideloading to execute the malware. Once installed, the malware can steal browser credentials, cryptocurrency wallet data, and other sensitive information from the developer’s compromised systems.
A familiar tactic that keeps evolving
The researchers noted that GitHub has already removed a substantial portion of the malicious repositories they flagged. However, they believe the attacker is using automation to register throwaway accounts and will keep spinning up new fake repos.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
The findings add to a growing list of campaigns exploiting the trust developers have placed in the Microsoft-owned open-source code-hosting service.
Just last month, researchers uncovered over 10,000 malicious code repositories disguised as legitimate open-source projects.
In the past, investigators have warned that North Korean threat actors were using malware-ridden open source projects to compromise developers through bogus coding assignments.
GitHub has also become fertile ground for social engineering. In one campaign, attackers lured AI developers with fake cryptocurrency prize offers that ultimately led to the theft of credentials and session tokens.
In another, cybercriminals published fake repositories masquerading as Microsoft and Google Chrome tools to harvest passwords and other sensitive data from Windows users.
GitHub remains an indispensable platform for developers. But as campaign after campaign demonstrates, it has also become one of cybercriminals' favorite hunting grounds.