Hundreds of GitHub repositories disguised as real software spent roughly two weeks quietly draining credentials from anyone who downloaded them.
ArcticWolf discovered 292 fake repos — spotted partly because attackers spoofed ArcticWolf's own products — masquerading as security tools, developer utilities, macOS apps, and games. Each came with a convincing README pointing to a download. That download installed a new variant of the BoryptGrab infostealer, which pulls passwords, cookies, and payment data from 19 browsers; sessions from 32 crypto wallets, Telegram, Discord, and Steam; credentials from Meta's Max and Windows Credential Manager; files from Desktop and Documents folders; and screenshots. The variant's standout trick: it bypasses Chrome's App-Bound Encryption via direct code injection into the browser process, a capability not seen in prior BoryptGrab builds.
The campaign's stolen data routes to command-and-control infrastructure based in Russia — though ArcticWolf stops short of attributing the attack to Russian threat actors specifically, and that distinction matters. The payload scope here is unusually wide: most infostealers focus on browsers and crypto; adding file exfiltration and screenshots in a smash-and-grab package with no persistence mechanism suggests the operators wanted one clean sweep rather than long-term access.
Most of the repos have been pulled, but several dozen reportedly remain active as of this writing — a reminder that GitHub's trust-by-default culture is exactly what makes it a reliable delivery vector for this kind of campaign. Vet the source before you run the binary.