Fake GitHub Repositories Deliver Lua-Based Malware to Developers
Security researchers reported a FakeGit campaign using counterfeit GitHub repositories to trick developers into downloading trojanized tools, with Magento developers among the primary targets. The repositories copied code, commit history, and project structure from legitimate open-source deployment, Docker, and configuration projects so that authentic contributor names appeared alongside the fake repos, increasing credibility. Victims were directed to download ZIP archives that contained a LuaJIT runtime, a batch launcher, and obfuscated Lua payloads that installed Windows malware, including a remote access trojan and keylogger; Sansec also published malicious GitHub accounts, repository names, and SHA1 hashes tied to the operation.
A related lure expanded the campaign beyond Magento by impersonating a security automation project named n8n-CyberSecurity-Workflows, targeting red team, blue team, and AppSec users with trust signals such as GitHub stars, an MIT license, and a README download button. Analysis of the downloaded archive found a Lua-based trojan loader using DLL sideloading through a renamed Lua 5.1 interpreter to execute obfuscated bytecode, with VirusTotal detections labeling the payload as trojan.fakegit/runner. The malware was also observed contacting a Polygon blockchain RPC endpoint, behavior researchers said aligns with crypto-clipper or wallet-drainer activity, indicating the FakeGit operation is using trusted developer platforms to distribute credential theft and broader financially motivated malware.
Timeline
Apr 22, 2026
Analysis links n8n lure to Lua loader using DLL sideloading and blockchain RPC
Researchers reported that the downloaded archive from the fake n8n repository contained a Lua-based trojan loader detected by VirusTotal, with the inner archive flagged by 41 of 67 engines. The execution chain used DLL sideloading through a renamed Lua 5.1 interpreter to run obfuscated bytecode and then contacted a Polygon blockchain RPC endpoint, behavior assessed as consistent with crypto-clipper or wallet-drainer activity.
Apr 22, 2026
Malicious FakeGit repo targets n8n cybersecurity workflow users
A repository named "n8n-CyberSecurity-Workflows" was identified as a malicious lure masquerading as security automation workflows on GitHub. The repo used trust signals such as stars, tags, an MIT license, and a README download button to attract red team, blue team, and AppSec users.
Apr 12, 2026
Hexastrike links 109 fake GitHub repos to SmartLoader and StealC campaign
Researchers reported a large GitHub malware campaign using 109 fake repositories across 103 accounts to impersonate legitimate open-source projects and distribute SmartLoader, which then fetched StealC and other encrypted payloads from attacker-controlled GitHub infrastructure. Hexastrike said the operation had been active for at least seven weeks and was still expanding as of 2026-04-12, with centralized tradecraft including LuaJIT-based loading, Polygon RPC dead-drop resolution, and in-memory payload execution.
Feb 11, 2026
Sansec publishes malicious GitHub accounts, repositories, and SHA1 indicators
Alongside its report, Sansec identified multiple GitHub accounts and repositories involved in the campaign and released SHA1 hashes for shared LuaJIT components and repository-specific payload files. The disclosure provided technical indicators to help defenders detect related compromises.
Feb 11, 2026
Sansec identifies FakeGit GitHub malware campaign targeting Magento developers
Sansec reported a FakeGit campaign using malicious GitHub repositories that impersonated legitimate Magento-related deployment, Docker, and configuration projects. The trojanized downloads delivered Windows malware including a remote access trojan and keylogger via LuaJIT-based loaders.
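The timeline entries above describe two things a defender can check mechanically: the SHA1 indicators Sansec published for the shared LuaJIT components and payload files, and the recurring archive layout (a Lua runtime, a batch launcher, and Lua bytecode payloads). The script below is an added example, not tooling from Sansec, Hexastrike or the reports; it triages a downloaded ZIP by hashing every member against an indicator list and tagging members by content rather than file name, so a renamed interpreter is still recognised by the Lua API names in its import/export tables. The indicator hash is a placeholder (substitute the published SHA1s), and the sample archive is constructed inline to mimic the reported layout.

```python
"""Triage a downloaded repository archive for the FakeGit delivery pattern.

Added illustration, not Sansec's or Hexastrike's tooling. It looks for the
three components the reports describe together (Lua runtime, batch launcher,
Lua bytecode) and checks every member's SHA1 against an indicator set.
"""
import hashlib
import io
import zipfile

# Placeholder only: replace with the SHA1 values from the vendor reports.
KNOWN_BAD_SHA1 = {"0000000000000000000000000000000000000000"}

LUA51_MAGIC = b"\x1bLua\x51"   # Lua 5.1 precompiled chunk header (ESC "Lua" 0x51)
LUAJIT_MAGIC = b"\x1bLJ"       # LuaJIT bytecode header (ESC "LJ")
# API names that survive renaming because they live in the PE import/export tables.
LUA_API_MARKERS = (b"luaL_newstate", b"lua_pcall", b"luaL_loadbuffer")
REQUIRED_FOR_PATTERN = {"lua-runtime", "batch-launcher", "lua-bytecode"}


def classify_member(name: str, data: bytes) -> set:
    """Tag one archive member by what its bytes look like, not what it is called."""
    tags = set()
    lower = name.lower()
    if data.startswith(LUA51_MAGIC) or data.startswith(LUAJIT_MAGIC):
        tags.add("lua-bytecode")
    if lower.endswith((".bat", ".cmd")):
        tags.add("batch-launcher")
    if data.startswith(b"MZ") and any(m in data for m in LUA_API_MARKERS):
        tags.add("lua-runtime")
    return tags


def triage_archive(zip_bytes: bytes, ioc_sha1=None) -> dict:
    """Hash and classify every member; report IoC hits and whether the layout matches."""
    ioc_sha1 = KNOWN_BAD_SHA1 if ioc_sha1 is None else ioc_sha1
    members, ioc_hits = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            digest = hashlib.sha1(data).hexdigest()
            if digest in ioc_sha1:
                ioc_hits.append(info.filename)
            members[info.filename] = {"sha1": digest, "tags": classify_member(info.filename, data)}
    present = set()
    for meta in members.values():
        present |= meta["tags"]
    return {
        "members": members,
        "ioc_hits": ioc_hits,
        "pattern_match": REQUIRED_FOR_PATTERN <= present,
    }


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the reported layout; contains no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.md", "# deploy tools\n")
        zf.writestr("run.bat", "@echo off\r\nsetup.exe payload.luac\r\n")
        # Fake PE stub: MZ header plus the API strings a renamed lua5.1.exe would carry.
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62 + b"luaL_newstate\x00lua_pcall\x00")
        # Fake Lua 5.1 chunk: correct magic followed by filler bytes.
        zf.writestr("payload.luac", LUA51_MAGIC + b"\x00\x01\x04\x08\x04\x08\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    for name, meta in report["members"].items():
        print(f"{name:14} {meta['sha1']}  {sorted(meta['tags'])}")
    print("FakeGit-style layout:", report["pattern_match"], "| IoC hits:", report["ioc_hits"])
```

The layout check deliberately needs all three component types before it reports a match, so an ordinary repository that ships a `.bat` helper is not flagged on its own; the hash check is independent and fires on any single indicator hit.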
Related Stories

GitHub Repository Hijacks Used to Distribute Malware to Developers
Researchers reported active **software supply chain attacks** in which legitimate GitHub accounts and repositories were compromised and then used to distribute malware to developers. In one case, the verified **dev-protocol** GitHub organization was hijacked and repurposed to host polished **Polymarket** trading-bot repositories that secretly pulled typosquatted npm dependencies. Running the project exfiltrated `.env` contents including wallet private keys to attacker-controlled infrastructure, performed host fingerprinting, and modified firewall settings to expose SSH access; victims were advised to rotate wallet and API secrets and inspect `~/.ssh/authorized_keys` for persistence. A separate but related GitHub-focused campaign, dubbed **ForceMemo**, involved takeover of developer accounts and force-pushes to hundreds of Python repositories so that malicious code was appended to files such as `setup.py`, `main.py`, and `app.py` while preserving original commit metadata. Anyone installing directly from those repos could trigger the payload, and the activity affected projects ranging from Django applications to ML and Streamlit code. A report on malicious npm packages posing as a Roblox *Solara* executor was excluded because it describes a different npm ecosystem campaign centered on **Cipher stealer**, not the GitHub account and repository hijacks used in the other incidents.
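The advice above to inspect `~/.ssh/authorized_keys` for persistence is easy to do by eye once, but repeatable checks need the file parsed. The script below is an added example, not code from the researchers or projects named in the story: it parses each `authorized_keys` entry (optional options field, key type, base64 blob, optional comment), computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, reports keys absent from a known-good baseline, and surfaces options such as `command=` or `from=` that change what a key can do. The sample file and the key blobs are constructed inline and are not real keys.

```python
"""Audit an OpenSSH authorized_keys file against a baseline of known fingerprints.

Added example, not from the cited reports. Constructed sample data only.
"""
import base64
import hashlib
import shlex

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Options worth a second look: they can force a command, restrict or widen sources,
# or set environment for the session.
WATCHED_OPTIONS = ("command=", "from=", "environment=", "permitopen=", "permitlisten=")


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (same form as ssh-keygen -lf)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Return (options, keytype, fingerprint, comment), or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = shlex.split(stripped)          # handles quoted spaces inside command="..."
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tokens[:i], tok, fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
    raise ValueError(f"unparseable authorized_keys line: {stripped[:40]!r}")


def audit(contents: str, baseline: set) -> list:
    """One finding per key entry: whether it is in the baseline and which watched options it uses."""
    findings = []
    for lineno, line in enumerate(contents.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, keytype, fp, comment = parsed
        option_text = " ".join(options).lower()
        flagged = [w.rstrip("=") for w in WATCHED_OPTIONS if w in option_text]
        findings.append({"line": lineno, "type": keytype, "fingerprint": fp,
                         "comment": comment, "known": fp in baseline, "options": flagged})
    return findings


def _fake_ed25519_blob(seed: int) -> str:
    """Constructed blob in SSH wire format (length-prefixed type, then 32 bytes); not a real key."""
    pub = bytes((seed + i) % 256 for i in range(32))
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + pub
    return base64.b64encode(blob).decode()


# Constructed sample: one expected key, one unknown key with a forced command, one bare unknown key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# deploy host keys (constructed sample)",
    f"ssh-ed25519 {_fake_ed25519_blob(1)} alice@workstation",
    f'command="/opt/agent/run",no-pty ssh-ed25519 {_fake_ed25519_blob(2)} svc',
    f"ssh-ed25519 {_fake_ed25519_blob(3)}",
])
BASELINE = {fingerprint(_fake_ed25519_blob(1))}


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        status = "ok     " if f["known"] else "UNKNOWN"
        print(f"line {f['line']}: {status} {f['fingerprint']} {f['comment']!r} options={f['options']}")
```

Run it against a real file with `audit(open(path).read(), baseline)` where `baseline` holds the fingerprints you expect; anything reported as unknown, or carrying a forced command you did not configure, is what the advisory is asking you to look for.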
1 month ago
Malware campaigns abuse developer ecosystems via malicious npm packages and GitHub repositories
Security researchers reported multiple **software supply chain-style malware distribution** efforts abusing developer-adjacent platforms. JFrog detailed a malicious npm package, `@openclaw-ai/openclawai`, masquerading as an *OpenClaw* CLI installer; once executed, it uses a `postinstall` hook to reinstall globally and drop an obfuscated first-stage (`setup.js`) that deploys a multi-stage payload internally identified as **GhostLoader** (campaign tracked as **GhostClaw**). The malware is designed to persist and exfiltrate a broad set of sensitive data from developer workstations, including credentials (e.g., cloud config artifacts for **AWS/GCP/Azure**), macOS Keychain data, browser sessions, SSH keys, and cryptocurrency wallet/seed material. Separately, Trend Micro reported a large-scale distribution operation for the **BoryptGrab** information stealer via **100+ public GitHub repositories** that pose as legitimate tools and game cheats. The campaign uses SEO manipulation (keyword-stuffed READMEs and lookalike download pages) to drive victims from search results into redirect chains that ultimately deliver ZIP archives containing the stealer; some variants also deploy a PyInstaller backdoor (**TunnesshClient**) that establishes a reverse SSH tunnel for attacker communications. Reported indicators (e.g., Russian-language comments and related infrastructure) suggest a possible Russian nexus, and the observed targeting focuses on harvesting browser data, crypto wallets, system information, and user files.
1 month ago
Malware Campaigns Targeting Developers via npm and GitHub Repositories
A new wave of supply chain attacks has targeted developers through malicious npm packages and GitHub repositories, with attackers leveraging both automated worms and sophisticated social engineering. The npm registry was compromised by a self-replicating worm known as "Sha1-Hulud: The Second Coming," which infected over 800 packages and 27,000 GitHub repositories. The malware aimed to steal sensitive data such as API keys, cloud credentials, and authentication tokens, and it backdoored npm packages to execute malicious payloads during installation. Attackers also abused GitHub Actions workflows for command-and-control and data exfiltration, with a notable shift to using the Bun runtime for improved stealth and evasion of Node.js-focused defenses. In a related attack vector, threat actors used fake job interviews to lure developers into cloning and running seemingly benign Next.js projects from private GitHub repositories. The malicious code was hidden in the `next.config.js` file, which executed on the developer's machine during project setup, bypassing traditional dependency-based detection. This "Living off the Land" technique enabled the theft of credentials, including those for LastPass and cryptocurrency wallets, by exploiting trusted development workflows. Both incidents highlight the growing risk of supply chain attacks targeting developers through trusted tools and social engineering tactics.
1 month ago