A threat actor has created close to 300 counterfeit GitHub repositories masquerading as legitimate software, delivering a sophisticated info‑stealer malware. The payload harvests data from 19 browsers, 32 cryptocurrency wallets and numerous messaging apps, highlighting the growing risk of malicious code on developer platforms.
Key Takeaways
- Approximately 300 fake GitHub repos impersonate real software to spread malware.
- The info‑stealer extracts data from 19 browsers, 32 crypto wallets, and many messaging services.
- Russian‑speaking, financially motivated actors exploit trust in free downloads; avoid unofficial GitHub pages.
Cyber‑security firm ArcticWolf uncovered a large‑scale operation in July 2026 that involved 292 counterfeit GitHub repositories posing as legitimate software and security projects. Each repo contained a README with a download link that redirected users to a malicious landing page designed to look trustworthy.
Background and Prior Incidents
GitHub has been abused before for malicious code distribution, from compromised npm packages in 2022 to binary‑based supply‑chain attacks in 2024. This latest wave demonstrates a refined approach: a single templated HTML/JS artifact is reused across dozens of impersonated brands, allowing the attackers to scale quickly while maintaining a veneer of authenticity.
Campaign Mechanics
The landing pages feature a “Download Secure Content” button and spoofed trust badges. Client‑side script parses the URL into two segments – the first segment (user_code) tracks the referring repository, while the second segment (referrer domain) indicates the brand being spoofed. The visible branding is generated by converting hyphens to spaces and applying title case, giving each page a distinct but familiar look.
Malware Delivery Chain
Visitors receive a large ZIP archive whose name and payload rotate roughly every minute. Inside, a trojanized libcurl.dll and a legitimately signed WinGUP updater (renamed per the impersonated product) are bundled. When the user executes gup.exe, it side‑loads libcurl.dll, which decodes and reflectively runs an embedded info‑stealer entirely in memory.
Data Theft Scope
The stealer is a variant of the BoryptGrab family and targets:
- Passwords, cookies, and payment data from 19 web browsers.
- Private keys of 32 cryptocurrency wallet brands.
- Session tokens from Telegram, Discord, Steam, and Meta’s Max messaging app.
- Windows Credential Manager entries, desktop and document files that may contain passwords or recovery phrases.
- Screenshots, system details, and installed‑software inventories.
Notably, this variant can bypass Chrome’s App‑Bound Encryption via direct code injection into the browser process—an undocumented capability that significantly raises the threat level. All harvested data is compressed and exfiltrated to a Russia‑based command‑and‑control (C2) server.
Impact and Mitigation
The malware does not establish persistence; it aims to collect as much data as possible in a single run. Consequently, there is no anti‑analysis layer, and the temporary directory used during exfiltration is left intact, providing forensic evidence for investigators. By the time of ArcticWolf’s report, GitHub had removed most malicious repositories, though dozens of GitHub Pages redirectors remained active.
Researchers could not attribute the campaign to a specific group, but linguistic and financial clues suggest a Russian‑speaking, profit‑driven actor. Users are urged to scrutinize any “free download” of premium tools and verify the authenticity of unofficial GitHub pages before executing any binaries.
ArcticWolf released a YARA rule and a set of IoCs to aid security teams in detecting this campaign early, emphasizing the need for continuous monitoring of developer ecosystems.