TechRadar
Sead Fadilpašić

Dangerous WebRAT malware now being spread by GitHub repositories

  • Kaspersky finds 15 malicious GitHub repositories posing as proof‑of‑concept exploits, some crafted with Gen AI
  • Victims receive a ZIP with decoys and a dropper (rasmanesc.exe) that installs WebRAT backdoor/infostealer
  • GitHub removed the repos, but infected users must manually eradicate WebRAT and remain cautious of typosquatted packages

Cybercriminals are targeting security researchers (and possibly other criminals) with malware-laden fake proof-of-concept exploits hosted on popular code repositories, experts have warned.

Researchers at Kaspersky said they found 15 malicious repositories hosted on GitHub. The repositories, apparently crafted with the help of generative AI, claimed to provide exploits for several vulnerabilities that had been discovered and reported in the media.

Among them are a heap-based buffer overflow in Windows MSHTML/Internet Explorer, a critical authentication bypass in the OwnID Passwordless Login plugin for WordPress, and an elevation-of-privilege flaw in Windows' Remote Access Connection Manager.

Backdoor and infostealer

Victims who download one of these packages get a password-protected ZIP archive containing an empty file, a fake DLL that serves as a decoy, a batch file, and a malicious dropper named rasmanesc.exe. Password-protecting the archive is a common trick, since scanners cannot inspect encrypted members until the victim extracts them.

The dropper elevates its privileges, disables Windows Defender, and then downloads the WebRAT malware. Defender's real-time protection switching off without an administrator doing it is therefore one of the clearer signs that the dropper has run.
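The archive described above can be triaged before anyone types the password, because member names, sizes and the encryption flag sit in the ZIP central directory, which ZipCrypto and WinZip AES leave in the clear. The script below is an added example written for this article, not Kaspersky's or TechRadar's code: it walks a ZIP without extracting anything and flags members matching the reported layout (the dropper name rasmanesc.exe, a DLL, a batch file, a zero-byte file). The script extensions it checks are an assumption that is broader than the single .bat the article mentions, and the sample archives are constructed inline with inert placeholder bytes so the script runs offline.

```python
import io
import zipfile
from dataclasses import dataclass

# Indicators taken from the article's description of the lure archive.
DROPPER_NAME = "rasmanesc.exe"                       # dropper filename reported by Kaspersky
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js")  # assumption: broader than the reported .bat
NATIVE_EXTS = (".exe", ".scr", ".com")


@dataclass(frozen=True)
class Finding:
    member: str   # path inside the archive
    code: str     # short machine-readable reason
    detail: str   # human-readable explanation


def triage_zip(data: bytes) -> list[Finding]:
    """Walk a ZIP's central directory and flag members matching the lure layout.

    Nothing is extracted or executed. The encryption flag (general-purpose
    bit 0), names and sizes are readable even on a password-protected archive.
    """
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            ext = base[base.rfind("."):] if "." in base else ""

            if info.flag_bits & 0x1:
                findings.append(Finding(name, "encrypted", "password-protected member; scanners cannot inspect it"))
            if base == DROPPER_NAME:
                findings.append(Finding(name, "named-dropper", "filename matches the reported WebRAT dropper"))
            elif ext in NATIVE_EXTS:
                findings.append(Finding(name, "native-binary", f"{ext} binary inside a 'proof of concept' download"))
            if ext == ".dll":
                findings.append(Finding(name, "dll", "DLL (the reported lure ships a decoy DLL)"))
            if ext in SCRIPT_EXTS:
                findings.append(Finding(name, "script", f"{ext} launcher script"))
            if info.file_size == 0:
                findings.append(Finding(name, "empty", "zero-byte file (the reported lure contains one)"))
    return findings


def matches_reported_lure(findings: list[Finding]) -> bool:
    """True when the archive shows the full combination Kaspersky described:
    the named dropper plus a DLL, a launcher script and an empty file."""
    codes = {f.code for f in findings}
    return {"named-dropper", "dll", "script", "empty"} <= codes


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the article's member list (not a real lure).

    The stdlib cannot write password-protected ZIPs, so this sample is
    unencrypted; on a real lure the 'encrypted' finding fires as well.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("poc/README.md", "# PoC\nRun exploit.bat\n")
        zf.writestr("poc/empty.txt", b"")
        zf.writestr("poc/helper.dll", b"MZ" + b"\x00" * 62)        # fake PE header only
        zf.writestr("poc/exploit.bat", "@echo off\r\nstart rasmanesc.exe\r\n")
        zf.writestr("poc/rasmanesc.exe", b"MZ" + b"\x00" * 62)    # inert stand-in for the dropper
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: a PoC that is just source code and a README."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("poc/README.md", "# PoC\npython3 poc.py <target>\n")
        zf.writestr("poc/poc.py", "import sys\nprint(sys.argv[1])\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample lure", build_sample_archive()), ("benign", build_benign_archive())):
        found = triage_zip(data)
        print(f"== {label}: matches reported lure = {matches_reported_lure(found)}")
        for f in found:
            print(f"  {f.member}: [{f.code}] {f.detail}")
```

Point `triage_zip` at the bytes of a downloaded archive and treat a True from `matches_reported_lure` as "do not extract"; a lone native binary or launcher script in a supposed proof-of-concept download is worth a second look on its own, even when the full combination is absent.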

WebRAT is primarily a backdoor, but it also works as an infostealer. Kaspersky said it can steal login credentials for Steam, Discord, and Telegram accounts, as well as data from any cryptocurrency wallets and browser extensions the victim has installed. It can also spy on victims through the webcam and grab screenshots.

The campaign appears to have started in September 2025, so it has been active for a few months. GitHub has since removed all of the reported repositories.

Still, victims who already downloaded the packages are not safe until they remove every trace of WebRAT from their systems, re-enable Windows Defender, and change the passwords for the Steam, Discord, Telegram and wallet accounts the malware targets. They should also be wary of downloading further packages, since more may be out there that have not yet been discovered.

Due to its size and popularity in the software development and cybersecurity communities, GitHub is a major target for cybercriminals, who often register typosquatted repository and package names in the hope that people will download the wrong one.

Via BleepingComputer

