Malicious GitHub repositories target users with malware
Criminals are exploiting GitHub's reputation to install Lumma Stealer disguised as game hacks and cracked software


McAfee has uncovered new malware that's being used to target GitHub users with infostealing malware.
The security firm said it found several GitHub repositories offering video game hacks, cracked software, and free crypto tools that were not what they seemed.
They included game hacks for top-selling video games such as Apex Legends, Minecraft, Counter Strike 2.0, Roblox, Valorant, Fortnite, Call of Duty and GTA V, as well as cracked versions of popular software and services, such as Spotify Premium, FL Studio, Adobe Express, SketchUp Pro, Xbox Game Pass, and Discord.
"These attack chains begin when users would search for Game Hacks, cracked software or tools related to Cryptocurrency on the internet, where they would eventually come across GitHub repositories or YouTube Videos leading to such GitHub repositories, offering such software," said the team.
"We noticed a network of such repositories where the description of software keeps on changing, but the payload remains the same: a Lumma Stealer variant. Every week, a new set of repositories with a new malware variant is released, as the older repositories are detected and removed by GitHub."
The repositories even include distribution licenses and software screenshots to help make them appear legitimate.
There are claims that the package comes with an advanced Anti-Ban system, so their account won’t be suspended, and that the software has a popular community - indicating that it must be safe to use and that, by not using the software, they are missing out.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The repositories also contain instructions on how to download and run the malware. And, in some cases, they ask the user to disable Windows Defender and any anti-virus software first, claiming that because the software is related to game hacks, or by-passing software authentication or crypto-currency mining, anti-virus packages would detect and delete it.
"This social engineering technique, combined with the trustworthiness of GitHub works well in the favor of malware authors, enabling them to infect more users," the researchers said.
"Children are frequently targeted by such scams, as malware authors exploit their interest in game hacks by highlighting potential features and benefits, making it easier to infect more systems."
RELATED WHITEPAPER
GitHub is often exploited for malware distribution, thanks to its easy accessibility, trustworthiness, and developer-friendly features. However, attackers can easily create free accounts and host repositories that appear legitimate, leveraging GitHub’s reputation to deceive users.
"The GitHub repository infection chain demonstrates how cybercriminals exploit accessibility and trustworthiness of popular websites such as GitHub, to distribute malware like Lumma Stealer," the researchers said.
"By leveraging the user’s desire to use game hacks, to be better at a certain video game or obtain licensed software for free, they trick users into infecting themselves."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Security experts issue warning over the rise of 'gray bot' AI web scrapers
News While not malicious, the bots can overwhelm web applications in a way similar to bad actors
By Jane McCallion Published
-
Does speech recognition have a future in business tech?
Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
By Jonathan Weinberg Published
-
Organizations urged to act fast after GitHub Action supply chain attack
News More than 20,000 organizations may be at risk following a supply chain attack affecting tj-actions/changed-files GitHub Action.
By Emma Woollacott Published
-
Nearly a million devices were infected in a huge GitHub malvertising campaign
News Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.
By Solomon Klappholz Published
-
'GitVenom' campaign uses dodgy GitHub repositories to spread malware
News Security researchers have issued an alert over a campaign using GitHub repositories to distribute malware, with users lured in by fake projects.
By Solomon Klappholz Published
-
A leaked GitHub access token could have led to a catastrophic supply chain attack
News The GitHub access token with administrator level privileges could have been used to great effect by threat actors
By Solomon Klappholz Published
-
Hackers have found yet another way to trick devs into downloading malware from GitHub
News Threat actors have developed a new way to covertly embed malicious files into legitimate repositories on both GitHub and GitLab using the comment section
By Solomon Klappholz Published
-
Hackers are abusing GitHub's search function to spread malware
News Hackers are using the names of popular GitHub repositories to trick users into downloading malicious code, new research reveals.
By Solomon Klappholz Published
-
Hackers take advantage of AI hallucinations to sneak malicious software packages onto enterprise repositories
News New research reveals a novel attack path where threat actors could leverage nonexistent open-source packages hallucinated by models to inject malware into enterprise repositories
By Solomon Klappholz Published
-
Hackers are spoofing themselves as GitHub's Dependabot to steal user passwords
News GitHub Dependabot was crudely spoofed in hundreds of successful attacks on open source projects
By Connor Jones Published