Hackers spam GitHub with fake cracks, mods, and cheats that deliver infostealers
Cybercriminals are exploiting GitHub in a large-scale scam operation, generating thousands of similar-looking fraudulent repositories. The hackers disguise them as cracked software, game aimbots, mods, or other “free downloads” just to infect users with infostealers and hijack sensitive credentials and crypto.

The scheme was unveiled by the security researcher Tim Sh, who found at least 1,115 fraudulent repositories on GitHub built on the template shared by scammers. They only contain a readme file and an archive with malware.

The campaign originates from an undisclosed Russian-language online forum that provides step-by-step guides to anyone who wants to participate and share profits.


The scammers are “spreading hundreds of malicious GitHub repos masked as almost anything ‘juicy’: popular game mods, ‘free’ cracked apps like Adobe Photoshop and FL Studio, and lots of other things,” the researcher said in a blog post.

Their main goal is to collect the so-called “logs” – files with data from the victims’ computers, such as crypto wallets, cookies, passwords, IPs, and other sensitive information.

The threat actor crowdsources the efforts. They tempt any wannabe hacker to reach 300-500 repositories and start generating 50-100+ logs daily.

Their guide instructs participants to register or preferably buy dozens of GitHub accounts, upload the provided malware as a ZIP or RAR archive (or provide a link to the file hosted on an external platform), and then add a readme file based on the provided template.

Attackers generate a series of topics by combining many listed keywords that help 0-star repositories pop up in organic Google searches, such as “Roblox mod,” “Valorant Aimbot,” “Cracked FL Studio,” and others.

Scammers also use ChatGPT or other chatbots to modify the text, include pictures or videos of mods in action, refer to some well-known repositories or developers, and add fraudulent screenshots from VirusTotal, saying that the extension was checked for malicious activity with a 0/70 score.

The payload is Redox malware.

“As soon as you download and launch any of these, all the data from your computer is collected and sent to some Discord server – where hundreds of people crawl through the data searching for crypto wallet private keys, bank accounts, and social media credentials, and even Steam and Riot Games accounts,” the researcher warns.


“This Redox malware is so scary-simple – 1000-row main.py is not what you expect to see when you hear about an evil malware stealing all the secrets.”

Using a custom script, the researcher identified at least 1,115 similar malicious repositories, of which less than 10% were flagged by users. Many of the repositories remain active despite open issues reporting malicious activity.
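A triage heuristic assembled from the indicators the article lists (a README plus a single ZIP/RAR archive or an external download link, zero stars, lure-keyword topics, and a claimed 0/N VirusTotal score), as an added example that is not the researcher's script or any GitHub tooling; the repository records and the external link host are constructed sample data.

```python
import re
from dataclasses import dataclass

# Lure phrases named in the article; topic hyphens are normalised to spaces before matching.
LURE_KEYWORDS = ("roblox mod", "valorant aimbot", "aimbot", "cracked", "fl studio", "photoshop", "free download")
ARCHIVE_RE = re.compile(r"\.(zip|rar)$", re.IGNORECASE)
EXTERNAL_LINK_RE = re.compile(r"https?://(?!github\.com)", re.IGNORECASE)
VT_CLAIM_RE = re.compile(r"virustotal.*\b0/\d+\b", re.IGNORECASE | re.DOTALL)

@dataclass
class Repo:  # minimal view of a repository listing (constructed, not the GitHub API schema)
    name: str
    stars: int
    topics: list
    files: list
    readme: str

def score_repo(repo):
    """Return (score, reasons): one point per campaign indicator present in the listing."""
    reasons = []
    files = [f.lower() for f in repo.files]
    non_readme = [f for f in files if not f.startswith("readme")]
    if non_readme and all(ARCHIVE_RE.search(f) for f in non_readme):
        reasons.append("only a README plus archive(s)")
    if not non_readme and EXTERNAL_LINK_RE.search(repo.readme):
        reasons.append("README-only repo pointing at an external download")
    if repo.stars == 0:
        reasons.append("zero stars")
    text = " ".join(repo.topics + [repo.name, repo.readme]).lower().replace("-", " ")
    hits = sorted(k for k in LURE_KEYWORDS if k in text)
    if hits:
        reasons.append("lure keywords: " + ", ".join(hits))
    if VT_CLAIM_RE.search(repo.readme):
        reasons.append("claims a 0/N VirusTotal score in README")
    return len(reasons), reasons

def triage(repos, threshold=3):
    """Names of listings that match at least `threshold` indicators, in input order."""
    return [r.name for r in repos if score_repo(r)[0] >= threshold]

# Constructed sample listings: two following the template, one ordinary project.
SAMPLE_REPOS = [
    Repo("valorant-aimbot-2024", 0, ["valorant-aimbot", "free"], ["README.md", "Loader.zip"],
         "Undetected aimbot. Checked on VirusTotal: 0/70 detections. Unzip and run."),
    Repo("fl-studio-cracked", 0, ["cracked", "fl-studio"], ["README.md"],
         "Cracked FL Studio 21. Download: https://example.invalid/dl/FLStudio.rar"),  # placeholder host
    Repo("tinytcp", 120, ["networking"], ["README.md", "src/main.c", "Makefile"],
         "A small TCP helper library with unit tests."),
]
```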

The researcher shared all the repositories in a spreadsheet and hoped they could be taken down “if someone from GitHub reads this.”