Security/ security · malware · github · infostealer

292 Fake GitHub Repos Delivered a Broad-Reach Infostealer

ArcticWolf found hundreds of spoofed repositories pushing a BoryptGrab variant that hits browsers, crypto wallets, and Chrome's App-Bound Encryption.

Hundreds of GitHub repositories disguised as real software spent roughly two weeks quietly draining credentials from anyone who downloaded them.

ArcticWolf discovered 292 fake repos — spotted partly because attackers spoofed ArcticWolf's own products — masquerading as security tools, developer utilities, macOS apps, and games. Each came with a convincing README pointing to a download. That download installed a new variant of the BoryptGrab infostealer, which pulls passwords, cookies, and payment data from 19 browsers; sessions from 32 crypto wallets, Telegram, Discord, and Steam; credentials from Meta's Max and Windows Credential Manager; files from Desktop and Documents folders; and screenshots. The variant's standout trick: it bypasses Chrome's App-Bound Encryption via direct code injection into the browser process, a capability not seen in prior BoryptGrab builds.

The campaign's stolen data routes to command-and-control infrastructure based in Russia — though ArcticWolf stops short of attributing the attack to Russian threat actors specifically, and that distinction matters. The payload scope here is unusually wide: most infostealers focus on browsers and crypto; adding file exfiltration and screenshots in a smash-and-grab package with no persistence mechanism suggests the operators wanted one clean sweep rather than long-term access.

Most of the repos have been pulled, but several dozen reportedly remain active as of this writing — a reminder that GitHub's trust-by-default culture is exactly what makes it a reliable delivery vector for this kind of campaign. Vet the source before you run the binary.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →