September 6th, 2024

Nefarious actors attack from 3k shadow GitHub accounts, spreading malware

A cybercriminal network, Stargazer Goblin, uses 3,000 ghost accounts on GitHub to spread malware disguised as legitimate software, generating up to $100,000 while evading detection amid GitHub's vast user base.


A secretive cybercriminal network known as Stargazer Goblin has been exploiting GitHub to disseminate malware and phishing links through approximately 3,000 ghost accounts. Research by cybersecurity firm Check Point revealed that this operation has been active since at least June 2023, using GitHub's community features (stars, forks, and similar signals) to make malicious code repositories look popular and trustworthy. The network promotes malware disguised as legitimate software for social media, gaming, and cryptocurrency, targeting Windows users seeking free applications. Check Point identified several malware families, including Atlantida Stealer and Lumma Stealer, and noted that the network has generated significant revenue, potentially up to $100,000 since its inception. The operation also involves the sale of repository stars and cloning services through Telegram channels. GitHub has mechanisms in place to detect and disable accounts involved in such activities, but the platform's vast user base complicates these efforts. Cybersecurity experts warn users to be cautious about downloading code from unknown sources; indicators of a malicious repository include unexpected code changes and hard-coded credentials. The full extent of Stargazer Goblin's operations remains unclear, with indications that it may extend beyond GitHub to other platforms.

- Stargazer Goblin operates around 3,000 ghost accounts on GitHub to spread malware.

- The network promotes malicious software disguised as legitimate tools for various applications.

- Check Point estimates the network has generated up to $100,000 since its inception.

- GitHub employs detection methods to combat such cybercriminal activities but faces challenges due to its large user base.

- Users are advised to be cautious when downloading code from unknown sources.
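The two indicators the article names, unexpected code changes and hard-coded credentials, can both be checked mechanically before code from an unfamiliar repository is run. The script below is an added example written for this summary; it is not Check Point's tooling or anything from the repositories described. It assumes a reviewer keeps a manifest of SHA-256 hashes for a previously vetted snapshot, and it uses a small, illustrative set of credential regexes (not an exhaustive secret-scanning ruleset). The sample "repository" contents and manifest are constructed inline.

```python
import hashlib
import re

# Illustrative patterns for hard-coded credentials (an assumption of this
# example, not a complete secret-scanning ruleset).
CREDENTIAL_PATTERNS = {
    "generic_password_assignment": re.compile(
        r'(?i)\b(password|passwd|pwd)\s*[:=]\s*["\'][^"\']{4,}["\']'),
    "generic_api_key": re.compile(
        r'(?i)\b(api[_-]?key|secret[_-]?key|token)\s*[:=]\s*["\'][A-Za-z0-9_\-]{16,}["\']'),
    "private_key_block": re.compile(
        r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----'),
}


def find_hardcoded_credentials(text):
    """Return (pattern_name, line_number) pairs for lines matching a credential pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def sha256_hex(data):
    """Hex SHA-256 of a text file's contents, used as the manifest digest."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def find_unexpected_changes(files, trusted_manifest):
    """Compare current file contents to a manifest of trusted hashes.

    Returns a sorted list of (path, reason) with reason 'added' for files not
    in the manifest and 'modified' for files whose digest no longer matches.
    """
    findings = []
    for path, content in files.items():
        expected = trusted_manifest.get(path)
        if expected is None:
            findings.append((path, "added"))
        elif expected != sha256_hex(content):
            findings.append((path, "modified"))
    return sorted(findings)


def review_repository(files, trusted_manifest):
    """Run both checks; return {path: [finding, ...]} for files with any finding."""
    report = {}
    for path, reason in find_unexpected_changes(files, trusted_manifest):
        report.setdefault(path, []).append(f"unexpected change: {reason}")
    for path, content in files.items():
        for name, lineno in find_hardcoded_credentials(content):
            report.setdefault(path, []).append(
                f"hard-coded credential ({name}) at line {lineno}")
    return report


# Constructed sample data: the snapshot a reviewer previously vetted, and the
# manifest of its hashes.
TRUSTED_FILES = {
    "README.md": "# Free Game Tool\nInstall and run.\n",
    "setup.py": "from setuptools import setup\nsetup(name='gametool')\n",
}
TRUSTED_MANIFEST = {p: sha256_hex(c) for p, c in TRUSTED_FILES.items()}

# Constructed sample data: the repository as it looks now. setup.py has gained
# an import, and a new loader.py carries hard-coded secrets.
CURRENT_FILES = {
    "README.md": TRUSTED_FILES["README.md"],
    "setup.py": "from setuptools import setup\nimport loader\nsetup(name='gametool')\n",
    "loader.py": "API_KEY = 'sk_live_0123456789abcdefXYZ'\nPASSWORD = \"hunter2hunter2\"\n",
}

if __name__ == "__main__":
    for path, findings in sorted(review_repository(CURRENT_FILES, TRUSTED_MANIFEST).items()):
        for finding in findings:
            print(f"{path}: {finding}")
```

Run on the constructed sample, the report flags setup.py as modified and loader.py as both added and carrying two hard-coded credentials, while README.md, unchanged and clean, produces nothing. The hash manifest is the part that matters most in practice: a repository whose star count looks healthy can still diverge silently from the version a team once reviewed, and a digest comparison catches that regardless of how the change is dressed up.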
