- Kaspersky finds 15 malicious GitHub repositories posing as proof-of-concept exploits, some designed with Gen AI
- Victims receive a ZIP with lures and a dropper (rasmanesc.exe) that installs WebRAT backdoor/infostealer
- GitHub removed the repositories, but infected users should manually eradicate WebRAT and beware of packages with typos.
Experts have warned that cybercriminals are now targeting security researchers (and possibly other criminals) through fake malware-laden proof-of-concept exploits hosted in popular repositories.
Cybersecurity researchers at Kaspersky said they found 15 malicious repositories hosted on GitHub. These repositories, apparently created with the help of Generative Artificial Intelligence (Gen AI), claimed to provide exploits for multiple vulnerabilities that had been disclosed and reported in the media.
These include a heap-based buffer overflow bug in Windows MSHTML/Internet Explorer, a critical authentication bypass in the OwnID passwordless login plugin for WordPress, and an elevation of privilege flaw in Windows Remote Access Connection Manager.
Backdoor and information thief
Victims who download packages find a password-protected ZIP archive with an empty file, a fake DLL file that serves as a decoy, a batch file, and a malicious dropper called rasmanesc.exe.
This dropper elevates its privileges, disables Windows Defender, and then downloads the WebRAT malware.
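As an added example (not part of the article or of Kaspersky's research), here is a small Python triage check that inspects a ZIP's directory listing, without extracting anything, for the combination the article describes: a password-protected archive holding an empty file, a decoy DLL, a batch file and a dropper named rasmanesc.exe. The entry names, the sample archive and the scoring threshold are assumptions for illustration; Python's zipfile cannot write encrypted archives, so the constructed sample is unencrypted, while the check still reads the encryption flag of real archives.

```python
import io
import zipfile

# Name of the dropper the article reports inside the fake PoC archives.
DROPPER_NAME = "rasmanesc.exe"


def triage_poc_archive(zip_bytes: bytes) -> dict:
    """Inspect a ZIP's central directory (nothing is extracted or run) for the
    traits the article attributes to the malicious PoC packages."""
    findings = {"encrypted": False, "dropper": False, "batch": False,
                "dll": False, "empty_file": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()
            if info.flag_bits & 0x1:          # bit 0 = entry is encrypted
                findings["encrypted"] = True
            if name == DROPPER_NAME:
                findings["dropper"] = True
            if name.endswith((".bat", ".cmd")):
                findings["batch"] = True
            if name.endswith(".dll"):
                findings["dll"] = True
            if info.file_size == 0:
                findings["empty_file"] = True
    hits = sum(findings.values())
    # Assumed policy: the dropper name alone is decisive; otherwise require
    # most of the described pattern before flagging the archive.
    findings["suspicious"] = findings["dropper"] or hits >= 3
    return findings


def build_sample_archive(names_and_sizes: dict) -> bytes:
    """Constructed test fixture: an unencrypted in-memory ZIP whose entries
    (name -> payload length) are filler bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, size in names_and_sizes.items():
            zf.writestr(name, b"A" * size)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_archive({"CVE-PoC/README.md": 0, "CVE-PoC/exploit.dll": 64,
                                 "CVE-PoC/run.bat": 32, "CVE-PoC/rasmanesc.exe": 128})
    print(triage_poc_archive(lure))
```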
WebRAT is primarily a backdoor, but it also works as an information stealer. Security researchers said it can steal login credentials for Steam, Discord, and Telegram accounts, as well as information from any cryptocurrency wallets and browser add-ons the victim may have installed. It can also use the webcam to spy on victims and take screenshots.
The campaign appears to have started in September 2025, so it has already been active for a few months. However, GitHub has removed all malicious repositories.
Still, victims who have already downloaded the packages will not be safe until they remove any trace of WebRAT from their systems. Additionally, they should be careful when downloading additional packages, as there may be more that have not yet been discovered.
Due to its size and popularity in the software development and cybersecurity community, GitHub is a major target for cybercriminals, who often try to break into people’s devices.
Via BleepingComputer