TechRadar
Sead Fadilpašić

Thousands of GitHub accounts are being used to spread malware

Criminals have created thousands of accounts on GitHub to form a malware distribution-as-a-service operation and push infostealers to developer devices, experts have warned. 

The project was recently discovered by cybersecurity researchers at Check Point, who said the accounts each have distinct roles, making the entire operation quite resilient to takedowns.

The researchers call the project Stargazers Ghost Network, apparently built by a threat actor with the alias Stargazer Goblin. 

Successful project

This hacker registered 3,000 GitHub accounts and used them to push “hundreds” of malicious repositories. The accounts are split into three groups: one serves the phishing template, a second provides the phishing image, and a third serves the malware. That way, the entire network is more resilient to GitHub takedowns. Furthermore, all the accounts are used to star, fork, and subscribe to the malicious repositories, boosting their legitimacy in the eyes of the average Joe.

"The third account, which serves the malware, is more likely to be detected. When this happens, GitHub bans the entire account, repository, and associated releases," Check Point said in its report. "In response to such actions, Stargazer Goblin updates the first account's phishing repository with a new link to a new active malicious release. This allows the network to continue operating with minimum losses when a malware-serving account is banned."
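As an added defender-side illustration (not code from Check Point's report or this article), the heuristic below scores a repository's stargazers for the profile the report describes: recently created accounts with no repositories and no followers whose only activity is starring and forking. The account fields mirror GitHub's public user data (created_at, public_repos, followers), but the sample accounts, reference date and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Stargazer:
    """Subset of GitHub user fields used by the heuristic."""
    login: str
    created_at: datetime
    public_repos: int
    followers: int


def is_ghost(s: Stargazer, now: datetime, max_age_days: int = 90) -> bool:
    # Ghost profile: a young account with no repositories and no followers,
    # i.e. one that exists only to star/fork other repos.
    # The 90-day window is an assumed threshold, not a value from the report.
    return (now - s.created_at <= timedelta(days=max_age_days)
            and s.public_repos == 0
            and s.followers == 0)


def ghost_ratio(stargazers: Iterable[Stargazer], now: datetime) -> float:
    stars = list(stargazers)
    if not stars:
        return 0.0
    return sum(is_ghost(s, now) for s in stars) / len(stars)


def flag_repo(stargazers: Iterable[Stargazer], now: datetime,
              threshold: float = 0.5, min_stars: int = 10) -> bool:
    # Only flag once there are enough stars for the ratio to be meaningful.
    stars = list(stargazers)
    return len(stars) >= min_stars and ghost_ratio(stars, now) >= threshold


# Constructed sample data (not real accounts); NOW is an assumed reference date.
NOW = datetime(2024, 7, 25)
SUSPICIOUS = [Stargazer(f"ghost{i}", NOW - timedelta(days=10 + i), 0, 0)
              for i in range(9)] + [
    Stargazer("dev-a", datetime(2015, 3, 1), 42, 120),
    Stargazer("dev-b", datetime(2018, 6, 9), 7, 15),
    Stargazer("dev-c", datetime(2021, 1, 20), 3, 2),
]
CLEAN = [Stargazer(f"user{i}", datetime(2016 + i % 6, 1, 1), 5 + i, 3 * i)
         for i in range(12)]

if __name__ == "__main__":
    for name, stars in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(f"{name}: ghost ratio {ghost_ratio(stars, NOW):.2f}, "
              f"flagged={flag_repo(stars, NOW)}")
```

The ratio alone is a triage signal, not proof; a repository that trips it still needs the release assets and any off-site download links reviewed before anything is installed.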

Since GitHub is a major, trusted platform, many people don’t expect to be served malware that way. As a result, the campaign has been very successful so far, the researchers concluded. 

"The campaigns performed by the Stargazers Ghost Network and malware distributed via this service are extremely successful," the report reads. "In a short period of time, thousands of victims installed software from what appears to be a legitimate repository without suspecting any malicious intent. The heavily victim-oriented phishing templates allow threat actors to infect victims with specific profiles and online accounts, making the infections even more valuable."

The Stargazers Ghost Network is mostly used to deliver infostealers such as RedLine, Lumma, Rhadamanthys, RisePro, and Atlantida.

Via BleepingComputer
