- ArcticWolf discovered 292 malicious GitHub repositories spoofing legitimate tools and products, delivering a new information-stealing variant of BoryptGrab.
- The malware steals from 19 browsers, 32 crypto wallets, messaging apps, Steam, and Windows Credentials Manager, and uniquely bypasses encryption linked to Chrome apps through code injection.
- Most repositories have been removed, but some remain active; The popularity of GitHub makes it a prime target, underscoring the need to examine code before using it.
Russian actors have reportedly created hundreds of malicious GitHub repositories posing as legitimate software but acting as a dangerous information thief.
Cybersecurity researchers ArcticWolf discovered the campaign after finding their own counterfeit products as part of the attack.
In total, researchers found 292 fake repositories, spoofing items such as security products, development tools, macOS utilities, games, and more. Each repository contained a README file with the download URL.
Obviously malicious
Victims who download the program get a variant of the BoryptGrab information theft family that captures data from 19 browsers (passwords, cookies, payment information), 32 cryptocurrency wallets, Telegram, Discord and Steam sessions, credentials for Meta’s Max, Windows Credential Manager data and more. You can also extract files from the Desktop and Documents, and take screenshots.
While most of the features can be found in other BoryptGrab variants, this one is unique in that it can bypass Chrome app-linked encryption by directly injecting code into the browser process.
While the threat actors have not been specifically said to be Russian, the compressed data is subsequently sent to a command and control (C2) infrastructure based in Russia.
What is also worth mentioning is that malware is not designed to last. It has no anti-analysis layer and doesn’t even try to hide itself in any specific way. It does not establish persistence and simply attempts to capture as much sensitive data as possible on the first attempt.
The attack, which appears to have started in the last days of June, is now almost thwarted, as most of the malicious repositories have been removed from GitHub. Citing “researchers”, beepcomputer However, he reported that several dozen still remain active.
Due to its importance and popularity in the open source community, GitHub is currently one of the most targeted platforms on the Internet, so it is important to verify and examine each piece of code before applying it to a project.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




