[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-292-fake-github-repos-delivered-a-broad-reach-infostealer":10,"sections":40},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":30,"tags":31,"sources":35,"feedback":39,"feedback_at":22,"cost_usd":39,"total_tokens":39},4728,"292-fake-github-repos-delivered-a-broad-reach-infostealer","292 Fake GitHub Repos Delivered a Broad-Reach Infostealer","ArcticWolf found hundreds of spoofed repositories pushing a BoryptGrab variant that hits browsers, crypto wallets, and Chrome's App-Bound Encryption.","Hundreds of GitHub repositories disguised as real software spent roughly two weeks quietly draining credentials from anyone who downloaded them.\n\nArcticWolf discovered 292 fake repos — spotted partly because attackers spoofed ArcticWolf's own products — masquerading as security tools, developer utilities, macOS apps, and games. Each came with a convincing README pointing to a download. That download installed a new variant of the BoryptGrab infostealer, which pulls passwords, cookies, and payment data from 19 browsers; sessions from 32 crypto wallets, Telegram, Discord, and Steam; credentials from Meta's Max and Windows Credential Manager; files from Desktop and Documents folders; and screenshots. The variant's standout trick: it bypasses Chrome's App-Bound Encryption via direct code injection into the browser process, a capability not seen in prior BoryptGrab builds.\n\nThe campaign's stolen data routes to command-and-control infrastructure based in Russia — though ArcticWolf stops short of attributing the attack to Russian threat actors specifically, and that distinction matters. The payload scope here is unusually wide: most infostealers focus on browsers and crypto; adding file exfiltration and screenshots in a smash-and-grab package with no persistence mechanism suggests the operators wanted one clean sweep rather than long-term access.\n\nMost of the repos have been pulled, but several dozen reportedly remain active as of this writing — a reminder that GitHub's trust-by-default culture is exactly what makes it a reliable delivery vector for this kind of campaign. Vet the source before you run the binary.","[\"security\",\"malware\",\"github\",\"infostealer\"]","2026-07-15T15:05:00.000Z","2026-07-15T16:05:47.553Z","2026-07-15T16:05:50.346Z","published",null,[24],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"The article states the malware steals 'sessions from Telegram, Discord, Steam, and Meta's Max' but omits that it also exfiltrates files from Desktop\u002FDocuments, takes screenshots, and pulls from Windows Credential Manager — these are in the source and their omission understates the payload scope; more critically, the article attributes Russian origin to 'Russian-linked attackers' as a direct claim, while the source explicitly says 'it hasn't been specifically said that the threat actors are Russi","resolved","security",[30,32,33,34],"malware","github","infostealer",[36],{"name":37,"url":38},"TechRadar","https:\u002F\u002Fwww.techradar.com\u002Fpro\u002Fsecurity\u002Fhundreds-of-github-repos-found-posing-as-real-software-to-push-malware",0,{"sections":41},[42,47,51,56,61,66,71,76,81,86,91,95,100,105],{"name":43,"slug":44,"count":45,"latest_published_at":46},"AI","ai",2583,"2026-07-15T21:33:20.000Z",{"name":48,"slug":30,"count":49,"latest_published_at":50},"Security",294,"2026-07-15T19:59:48.000Z",{"name":52,"slug":53,"count":54,"latest_published_at":55},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":57,"slug":58,"count":59,"latest_published_at":60},"Policy","policy",158,"2026-07-16T00:02:48.000Z",{"name":62,"slug":63,"count":64,"latest_published_at":65},"Hardware","hardware",122,"2026-07-14T19:46:26.000Z",{"name":67,"slug":68,"count":69,"latest_published_at":70},"Consumer Tech","consumer-tech",93,"2026-07-13T13:20:48.000Z",{"name":72,"slug":73,"count":74,"latest_published_at":75},"Software","software",70,"2026-07-13T19:52:25.000Z",{"name":77,"slug":78,"count":79,"latest_published_at":80},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":82,"slug":83,"count":84,"latest_published_at":85},"Dev Tools","dev-tools",59,"2026-07-07T04:00:00.000Z",{"name":87,"slug":88,"count":89,"latest_published_at":90},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":92,"slug":93,"count":89,"latest_published_at":94},"Startups","startups","2026-06-29T20:55:50.000Z",{"name":96,"slug":97,"count":98,"latest_published_at":99},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":101,"slug":102,"count":103,"latest_published_at":104},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":106,"slug":107,"count":108,"latest_published_at":109},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]