Cybersecurity researchers have uncovered a new campaign in which the threat actors have published more than 67 GitHub repositories that claim to offer Python-based hacking tools, but deliver trojanized payloads instead.
The activity, codenamed Banana Squad by ReversingLabs, is assessed to be a continuation of a rogue Python campaign that was identified in 2023 as targeting the Python Package Index (PyPI) repository with bogus packages that were downloaded over 75,000 times and came with information-stealing capabilities on Windows systems.
The findings build on a previous report from the SANS’s Internet Storm Center in November 2024 that detailed a supposed “steam-account-checker” tool hosted on GitHub, which incorporated stealthy features to download additional Python payloads that can inject malicious code into the Exodus cryptocurrency wallet app and harvest sensitive data to an external server (“dieserbenni[.]ru”).
Further analysis of the repository and the attacker-controlled infrastructure has led to the discovery of 67 trojanized GitHub repositories that impersonate benign repositories with the same name.
There is evidence to suggest that users searching for software such as account cleaning tools and game cheats such as Discord account cleaner, Fortnite External Cheat, TikTok username checker, and PayPal bulk account checker are the targets of the campaign. All the identified repositories have since been taken down by GitHub.
“Backdoors and trojanized code in publicly available source code repositories like GitHub are becoming more prevalent and represent a growing software supply chain attack vector,” ReversingLabs researcher Robert Simmons said.
“For developers relying on these open-source platforms, it’s essential to always double check that the repository you’re using actually contains what you expect.”
GitHub as a Malware Distribution Service
The development comes as GitHub is increasingly becoming the focus of several campaigns as a malware distribution vector. Earlier this week, Trend Micro said it uncovered 76 malicious GitHub repositories operated by a threat actor it calls Water Curse to deliver multi-stage malware.
These payloads are designed to siphon credentials, browser data, and session tokens, as well as to provide the threat actors with persistent remote access to the compromised systems.
“The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate,” Check Point said.
The cybersecurity company has also assessed that such “GitHub ‘Ghost’ accounts are only one part of the grand picture, with other ‘Ghost’ accounts operating on different platforms as an integral part of an even larger Distribution-as-a-Service universe.”
Some aspects of the Stargazers Ghost Network were exposed by Checkmarx in April 2024, calling out the threat actor’s pattern of using fake stars and pushing out frequent updates to artificially inflate the popularity of the repositories and make sure they surfaced on top on GitHub search results.
These repositories are ingeniously disguised as legitimate projects, typically related to popular games, cheats, or tools like cryptocurrency price trackers and multiplier prediction for crash-betting games.
These campaigns also dovetail with another attack wave that has targeted novice cybercriminals on the lookout for readily available malware and attack tools on GitHub with backdoored repositories to infect them with information stealers.
In one instance highlighted by Sophos this month, the trojanized Sakura-RAT repository has been found to incorporate malicious code that compromised those who compiled the malware on their systems with information stealers and other remote access trojans (RATs).
The identified repositories act as a conduit for four different kinds of backdoors that are embedded within Visual Studio PreBuild events, Python scripts, screensaver files, and JavaScript to steal data, take screenshots, communicate via Telegram, as well as fetch more payloads, including AsyncRAT, Remcos RAT, and Lumma Stealer.
In all, the cybersecurity company said it detected no less than 133 backdoored repositories as part of the campaign, with 111 containing the PreBuild backdoor, and the others hosting Python, screensaver, and JavaScript backdoors.
Sophos further noted that these activities are likely linked to a distribution-as-a-service (DaaS) operation that has been operational since August 2022, and which has used thousands of GitHub accounts to distribute malware embedded within trojanized repositories themed around gaming cheats, exploits, and attack tools.
While the exact distribution method used in the campaign is unclear, it’s believed that the threat actors are also relying on Discord servers and YouTube channels to spread links to the trojanized repositories.
“It remains unclear if this campaign is directly linked to some or all of the previous campaigns reported on, but the approach does seem to be popular and effective, and is likely to continue in one form or another,” Sophos said. “In the future, it’s possible that the focus may change, and threat actors may target other groups besides inexperienced cybercriminals and gamers who use cheats.”
