July 25th, 2024

A Hacker 'Ghost' Network Is Quietly Spreading Malware on GitHub

Cybersecurity researchers discovered a network of 3,000 fake GitHub accounts, "Stargazer Goblin," spreading malware like ransomware. The network manipulates GitHub's tools to promote malicious repositories targeting Windows users.

Cybersecurity researchers have identified a network of approximately 3,000 fake accounts on GitHub, dubbed "Stargazer Goblin," which is being used to spread malware, including ransomware and information stealers. The network has been active since at least June 2023 and abuses GitHub's community features to lend malicious repositories an appearance of legitimacy: the operator "stars," "forks," and "watches" the malicious pages to boost their visibility and credibility. The repositories typically claim to offer free software tools related to social media, gaming, and cryptocurrency, and primarily target Windows users.

The operator charges other hackers for access to these services, a model the Check Point researchers who uncovered the network call "distribution as a service." The network has been linked to several malware families, including the Atlantida Stealer and Lumma Stealer. The researchers note that the network may be larger than initially thought, as legitimate accounts have in some cases been compromised to host malicious content. GitHub has responded by disabling user accounts that violate its policies against unlawful content. Because the ghost accounts' activity appears to be automated, it is difficult for GitHub to detect. Experts warn that inexperienced users may inadvertently download harmful code because of the deceptive presentation of these repositories, and stress the need for vigilance when using the platform.

Related

Automated Spam Campaign Floods GitHub/NPM with 1000s of Garbage Packages

A spam campaign by Tea[.]xyz floods the npm registry with garbage packages to inflate dependent counts, causing infrastructure slowdowns. The spammers exploit the Tea protocol, GitHub workflows, and npm, and have drawn criticism and monitoring.

Nation-State Actors Targeting Software Supply Chain via GitHub (2023)
GitHub warns of Lazarus Group, linked to North Korea, targeting cryptocurrency, gambling, and cybersecurity sectors via social engineering. Group aims to breach software supply chains for financial gain. Panther Labs offers security workshop.

Concealed backdoor in fake AWS files escaped mainstream notice

Researchers found fake AWS packages on npm containing hidden backdoor code aimed at developers. Although they were reported, the packages remained available for two days, highlighting the difficulty of detecting and removing such threats promptly. Malware in open source repositories is becoming more sophisticated and better at evading security products. The incident underscores the need for vigilance when using third-party libraries.

Anyone Can Access Deleted and Private Repository Data on GitHub

GitHub's architecture allows access to data from deleted and private repositories, posing security risks. The Cross Fork Object Reference vulnerability enables retrieval of sensitive information even after deletion, necessitating user vigilance.

Cybersecurity researchers discovered a network of 3,000 fake GitHub accounts, "Stargazer Goblin," spreading malware like ransomware. The operation manipulates GitHub tools, targeting Windows users seeking free software.

4 comments
By @gnabgib - 6 months
By @was8309 - 6 months
Is it OK to ask why this is being flagged? I don't know much about cybersecurity; is the article inaccurate or somehow bogus?
By @XiS - 6 months