Security researchers have uncovered a sophisticated global supply chain attack, where threat actors utilized over 60 GitHub repositories to host trojanized versions of popular Python-based hacking tools.
The campaign, attributed to the group known as “Banana Squad,” specifically targeted Windows systems with the end goal of stealing sensitive data, including system credentials, browser storage, application data, and even cryptocurrency wallet information.
According to recent findings from ReversingLabs, the attackers uploaded malicious payloads disguised as legitimate software utilities.
Threat actors frequently mimicked real repository names, and in some instances the difference between the legitimate and malicious versions was subtle: a single extra file, or a cleverly hidden line of code.
The group’s initial activities were first identified by Checkmarx in October 2023, with the first sightings dating back to April of the same year, when hundreds of malicious packages were seeded across various platforms.
By the time the campaign was identified, these malicious packages had already garnered nearly 75,000 downloads before being taken down.
Technical Details and Evasion Tactics
The operation revealed several advanced evasion techniques. Notably, attackers abused GitHub’s UI by inserting long lines of code padded with spaces, pushing malicious code off the visible screen and making it difficult for users to detect visually.
This tactic, combined with look-alike repository names and dynamically generated strings at the end of files, confused both users and automated security checks.
Upon closer inspection, researchers found that most malicious repositories were hosted under accounts with only one project, suggesting that these accounts were created solely for malicious purposes.
Further forensic analysis of a sample from the “degenerationred” repository (one of the 67 identified) highlighted the following commonalities:
- Single-repository user accounts: Almost all malicious repos had only one project.
- Duplicated names: Trojanized repositories used the same names as popular, legitimate projects.
- Dynamically generated text: The “About” section of these repositories contained search terms relevant to the legitimate tool, included emojis (such as flame or rocket ship), and featured a unique dynamically generated string.
- Hidden malicious code: The truly malicious code was often pushed off-screen using hundreds of spaces, requiring security researchers to view the file in “Hex” mode or use specialized tools to identify the backdoor.
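The off-screen padding trick described above is easy to check for mechanically: a source line that contains a run of whitespace far wider than any editor view, followed by more code, is worth a look. The scanner below is an added example written for this article, not ReversingLabs' tooling; the sample file content, the 120-column threshold and the benign hidden tail are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample (not from any real repository): line 3 has a visible,
# harmless-looking statement, then 400 spaces, then a trailing statement that
# a code viewer of normal width would never show without horizontal scrolling.
SAMPLE_FILE = (
    "import os\n"
    "def run():\n"
    "    print('hello')" + " " * 400 + ";print('hidden')\n"
    "run()\n"
)

# Assumed threshold: no real code line needs 120+ consecutive spaces or tabs
# between two non-blank tokens, so such a gap is treated as padding.
MIN_GAP = 120


def find_padded_lines(source: str, min_gap: int = MIN_GAP) -> List[Dict]:
    """Return one finding per line whose code continues after a huge blank run.

    Each finding records the line number, the part a reader would see, the
    column at which the hidden tail begins and the tail itself, so an analyst
    can review the tail without opening the file in a hex viewer.
    """
    # Whitespace run of at least min_gap bounded by non-whitespace on both sides.
    gap = re.compile(r"(?<=\S)[ \t]{%d,}(?=\S)" % min_gap)
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = gap.search(line)
        if match is None:
            continue
        findings.append(
            {
                "line": lineno,
                "visible": line[: match.start()].rstrip(),
                "gap_width": match.end() - match.start(),
                "hidden_at_col": match.end() + 1,  # 1-based column of the tail
                "hidden": line[match.end():],
            }
        )
    return findings


def scan_file(path: str, min_gap: int = MIN_GAP) -> List[Dict]:
    """Convenience wrapper to scan a file on disk (e.g. a freshly cloned repo)."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return find_padded_lines(handle.read(), min_gap)


if __name__ == "__main__":
    for hit in find_padded_lines(SAMPLE_FILE):
        print(
            f"line {hit['line']}: {hit['gap_width']} blank chars after "
            f"{hit['visible']!r}; hidden tail at col {hit['hidden_at_col']}: "
            f"{hit['hidden']!r}"
        )
```

Running the scan over every `.py` file in a cloned repository before executing anything from it catches this particular trick regardless of what the tail does; it deliberately ignores leading indentation, so normal code produces no findings.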
Encryption and Propagation Methods
The Python-based payloads employed a mix of encoding and encryption techniques, including Base64, Hex, and Fernet encryption (utilizing the cryptography library), to obfuscate the URLs of the next-stage payloads.
Security teams extracted these URLs using a custom CyberChef recipe, which parsed and decoded the hidden commands step-by-step.
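The step-by-step decoding that a CyberChef recipe performs can also be scripted, which is handy when many samples share the same layering. The function below is an added example, not the ReversingLabs recipe: it repeatedly strips hex and Base64 layers from a string until a URL surfaces or nothing decodes further. The Fernet layer is left out because it needs the third-party cryptography package and the sample's key; the same loop would call `Fernet(key).decrypt(token)` at the point where the key has been recovered. The sample blob and URL are constructed for this example.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def _looks_textual(data: bytes) -> bool:
    """True if the bytes decode to printable ASCII, i.e. another text layer."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c in string.printable for c in text)


def peel_layers(blob, max_depth: int = 8) -> Tuple[Optional[str], List[str]]:
    """Strip nested hex/Base64 encodings and return (url, layers_removed).

    Hex is tried first with strict rules (even length, hex digits only) so a
    Base64 string is not misread as hex; Base64 is validated so random text
    fails cleanly instead of producing garbage.
    """
    layers: List[str] = []
    current = blob.encode() if isinstance(blob, str) else blob
    for _ in range(max_depth):
        text = current.decode("ascii", "ignore").strip()
        url = URL_RE.search(text)
        if url:
            return url.group(0), layers

        decoded = None
        if HEX_RE.fullmatch(text) and len(text) % 2 == 0:
            candidate = bytes.fromhex(text)
            if _looks_textual(candidate):
                decoded, layer = candidate, "hex"
        if decoded is None:
            try:
                candidate = base64.b64decode(text, validate=True)
                if _looks_textual(candidate):
                    decoded, layer = candidate, "base64"
            except (binascii.Error, ValueError):
                pass
        if decoded is None:
            return None, layers  # nothing recognisable left to peel
        layers.append(layer)
        current = decoded
    return None, layers


# Constructed sample: a C2-style URL carrying the repository name as a query
# parameter (as the article describes), wrapped in Base64 and then hex.
SAMPLE_URL = "https://c2.example.invalid/get?repo=degenerationred"
SAMPLE_BLOB = base64.b64encode(SAMPLE_URL.encode()).hex()


if __name__ == "__main__":
    found, removed = peel_layers(SAMPLE_BLOB)
    print("layers removed:", removed)
    print("recovered URL:", found)
```

Because every recovered URL and the order of layers are returned rather than printed, the function drops straight into a batch script that walks a set of quarantined samples and emits indicators for blocking.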
The campaign utilized domains such as dieserbenni[.]ru and 1312services[.]ru for command and control, embedding the repository name into the URL as a query parameter.
Impact and Mitigation
While all 67 malicious repositories have been taken down, the sheer scale and stealth of the operation suggest numerous victims were compromised.
Security experts recommend that developers rigorously compare downloaded repositories with previous known-good versions and utilize specialized differential analysis tools, such as Spectra Assure, to identify suspicious changes.
For security teams, monitoring for the listed domain and file indicators is critical to detecting and mitigating future instances of these threats.
The incident highlights the importance of vigilance in the open-source supply chain, where attackers are increasingly blending in with legitimate code to exploit unsuspecting developers.