A Hacker 'Ghost' Network Is Quietly Spreading Malware on GitHub
Cybersecurity researchers discovered a network of 3,000 fake GitHub accounts, "Stargazer Goblin," spreading malware like ransomware. The operation manipulates GitHub tools, targeting Windows users seeking free software.
Cybersecurity researchers have identified a network of approximately 3,000 fake accounts on GitHub, dubbed the "Stargazer Goblin," which is being used to spread malware, including ransomware and information stealers. This network has been active since at least June 2023, manipulating GitHub's community tools to promote malicious repositories that appear legitimate. The operator of this network employs tactics such as "starring," "forking," and "watching" these repositories to enhance their credibility. The malicious content often masquerades as tools for social media, gaming, and cryptocurrency, primarily targeting Windows users searching for free software.
The operator charges other hackers for access to these services, a model the researchers at Check Point describe as "distribution as a service." The network has been linked to various types of malware, including the Atlantida Stealer and Lumma Stealer. Researchers have noted that some legitimate GitHub accounts have been compromised to facilitate this operation. GitHub has responded by disabling accounts that violate its policies against unlawful content. The scale of the network may be larger than currently understood, as the automated actions of the fake accounts make detection challenging. Experts warn that inexperienced users are particularly vulnerable to downloading malicious code, often influenced by fictitious reviews and stars. The research highlights ongoing concerns about the security of open-source platforms and the tactics employed by cybercriminals to exploit them.
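The article notes that the starring, forking and watching done by the fake accounts is what lends the malicious repositories their apparent credibility, and that the automated nature of that activity makes detection hard. The following added example (not from the article, and not a Check Point or GitHub tool) shows one defensive screen a maintainer or platform team could run over a repository's stargazer list: it looks for stars that arrived in a tight burst and for stargazers that are hollow accounts (very young at the time they starred, with no repositories and no followers). The record shape mirrors what GitHub's stargazers endpoint returns when requested with the `application/vnd.github.star+json` Accept header (which adds `starred_at`), joined with a few profile fields; all records and every threshold below are constructed assumptions for illustration, not published detection rules.

```python
"""Heuristic screening of a repository's stargazer list for star farming.

Added example, not code from the article or from Check Point. The thresholds
are assumptions chosen for illustration. Input records follow the shape of
GitHub's stargazers API with the 'application/vnd.github.star+json' Accept
header (adds 'starred_at'), joined with profile fields; all data is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed thresholds (illustrative, not from the article).
YOUNG_ACCOUNT_DAYS = 30        # account created shortly before it starred
BURST_WINDOW = timedelta(hours=1)
BURST_MIN_STARS = 5            # this many stars inside one window is a burst
SUSPICIOUS_FRACTION = 0.5      # flag when at least half the stargazers are hollow


def _ts(s: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps GitHub's API emits."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_hollow_account(rec: Dict) -> bool:
    """True for an account with no repositories, no followers and a very young
    age at the moment it starred: it has contributed no signal of its own."""
    age = _ts(rec["starred_at"]) - _ts(rec["created_at"])
    return (rec["public_repos"] == 0 and rec["followers"] == 0
            and age < timedelta(days=YOUNG_ACCOUNT_DAYS))


def largest_star_burst(records: List[Dict]) -> int:
    """Largest number of stars that landed inside any BURST_WINDOW (sliding window)."""
    times = sorted(_ts(r["starred_at"]) for r in records)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > BURST_WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess_stargazers(records: List[Dict]) -> Dict:
    """Summarise hollow-account share and star bursts and decide whether the
    star count should be trusted at face value."""
    hollow = [r["login"] for r in records if is_hollow_account(r)]
    burst = largest_star_burst(records)
    fraction = len(hollow) / len(records) if records else 0.0
    return {
        "stargazers": len(records),
        "hollow_accounts": hollow,
        "hollow_fraction": round(fraction, 2),
        "largest_burst": burst,
        "suspicious": fraction >= SUSPICIOUS_FRACTION or burst >= BURST_MIN_STARS,
    }


def _rec(login, created, starred, repos, followers):
    return {"login": login, "created_at": created, "starred_at": starred,
            "public_repos": repos, "followers": followers}


# Constructed sample: six hollow accounts created on the same day that all
# starred within 25 minutes, mixed with two established organic stargazers.
SAMPLE_FARMED = [
    _rec("dev-alice", "2019-03-02T09:00:00Z", "2024-05-20T14:10:00Z", 42, 120),
    _rec("bob-builds", "2021-11-15T18:30:00Z", "2024-05-28T08:45:00Z", 7, 15),
] + [
    _rec(f"user{i:04d}", "2024-06-01T12:00:00Z", f"2024-06-10T10:{5 * i:02d}:00Z", 0, 0)
    for i in range(6)
]

# Constructed sample: a few stars from older accounts spread over weeks.
SAMPLE_ORGANIC = [
    _rec("dev-alice", "2019-03-02T09:00:00Z", "2024-05-20T14:10:00Z", 42, 120),
    _rec("bob-builds", "2021-11-15T18:30:00Z", "2024-06-03T08:45:00Z", 7, 15),
    _rec("carol-ops", "2020-07-09T01:00:00Z", "2024-06-21T22:05:00Z", 3, 2),
]

if __name__ == "__main__":
    for name, sample in (("farmed", SAMPLE_FARMED), ("organic", SAMPLE_ORGANIC)):
        print(name, assess_stargazers(sample))
```

The two signals are deliberately independent: a burst of stars from otherwise normal accounts can be a legitimate launch, and a handful of hollow accounts can be ordinary new users, so a real deployment would tune the thresholds against a baseline of known-good repositories and treat the result as a prompt for review rather than a verdict.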
Related
Reputation Farming Using Closed GitHub Issues
Reputation farming on GitHub involves manipulating closed issues and pull requests to falsely boost accounts' reputation. Maintainers are urged to monitor activity, report suspicious behavior, and automate checks to prevent this deceptive practice.
Automated Spam Campaign Floods GitHub/NPM with 1000s of Garbage Packages
A spam campaign by Tea[.]xyz floods npm Registry with garbage packages to boost dependents, causing infrastructure slowdowns. Spammers exploit Tea protocol, GitHub workflows, and npm, facing criticism and monitoring.
Nation-State Actors Targeting Software Supply Chain via GitHub [2023]
GitHub warns of Lazarus Group, linked to North Korea, targeting cryptocurrency, gambling, and cybersecurity sectors via social engineering. Group aims to breach software supply chains for financial gain. Panther Labs offers security workshop.
Concealed backdoor in fake AWS files escaped mainstream notice
Researchers found fake AWS packages on NPM with hidden backdoor code targeting developers. Despite being reported, the packages were available for two days, revealing challenges in detecting and removing threats promptly. Malware in open source repositories is becoming more sophisticated, evading security products. The incident highlights the need for vigilance when using third-party libraries.
Anyone Can Access Deleted and Private Repository Data on GitHub
GitHub's architecture allows access to data from deleted and private repositories, posing security risks. The Cross Fork Object Reference vulnerability enables retrieval of sensitive information even after deletion, necessitating user vigilance.
Why are they "ghost" accounts? Is that a moniker assigned to them, or is the author confusing "ghost" (i.e., a deleted user) with the actual user's name?