GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments.
The campaign was first reported by a contributor to the teloxide Rust library, who noted on Reddit that they had received five different comments in their GitHub issues that pretended to be fixes but were instead pushing malware.
Further review by BleepingComputer found thousands of similar comments posted to a wide range of projects on GitHub, all offering fake fixes to other people's questions.
The fake fix tells people to download a password-protected archive from mediafire.com or via a bit.ly URL and run the executable inside it. In the current campaign, the archive password has been "changeme" in every comment we have seen.
Reverse engineer Nicholas Sherlock told BleepingComputer that over 29,000 comments pushing this malware had been posted over a 3-day period.
Clicking on the link brings visitors to a download page for a file called 'fix.zip,' which contains a few DLL files and an executable named x86_64-w64-ranlib.exe.
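A defender-side triage check for the lure described above, added here as an example (it is not from BleepingComputer, GitHub or the teloxide project): it scores an issue comment on the indicators the article names, a mediafire.com or bit.ly link, the "changeme" password, the fix.zip archive name and the x86_64-w64-ranlib.exe executable name. The sample comments, the point weights and the threshold are constructed assumptions; a real deployment would read comments from the GitHub API and tune the weights on observed data.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the article: the file host / URL shortener used in the
# comments, the archive password, the archive name and the executable name.
LINK_HOSTS = ("mediafire.com", "bit.ly")
ARCHIVE_PASSWORD = "changeme"
ARCHIVE_NAME = "fix.zip"
EXECUTABLE_NAME = "x86_64-w64-ranlib.exe"

URL_RE = re.compile(r"https?://[^\s)>\]]+", re.IGNORECASE)
# Matches "password is changeme", "password: changeme" and "password changeme".
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)?\s*[`'\"]?(\w+)", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\b[\w.-]+\.(?:zip|rar|7z)\b", re.IGNORECASE)
EXE_RE = re.compile(r"\b[\w.-]+\.exe\b", re.IGNORECASE)

SUSPICIOUS_THRESHOLD = 4  # assumed cut-off; tune on real data


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _hostname(url: str) -> str:
    """Return the lower-cased host of a URL without scheme, userinfo, port or path."""
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
    return host.split("@")[-1].split(":")[0].lower()


def score_comment(text: str) -> Verdict:
    """Score one issue comment against the lure pattern described in the article."""
    v = Verdict()

    # 1. Links to the hosts the campaign used (subdomains such as www. included).
    hosts = set()
    for url in URL_RE.findall(text):
        host = _hostname(url)
        for known in LINK_HOSTS:
            if host == known or host.endswith("." + known):
                hosts.add(known)
    if hosts:
        v.score += 2
        v.reasons.append("link to " + ", ".join(sorted(hosts)))

    # 2. A password handed out next to a download is the core of the lure.
    m = PASSWORD_RE.search(text)
    if m:
        v.score += 1
        v.reasons.append("gives an archive password")
        if m.group(1).lower() == ARCHIVE_PASSWORD:
            v.score += 2
            v.reasons.append("password matches the campaign's password")

    # 3. Archive and executable names, with extra weight for the known ones.
    archives = {a.lower() for a in ARCHIVE_RE.findall(text)}
    if archives:
        v.score += 1
        v.reasons.append("references an archive: " + ", ".join(sorted(archives)))
        if ARCHIVE_NAME in archives:
            v.score += 1
            v.reasons.append("archive name matches the campaign")
    exes = {e.lower() for e in EXE_RE.findall(text)}
    if exes:
        v.score += 1
        v.reasons.append("references an executable: " + ", ".join(sorted(exes)))
        if EXECUTABLE_NAME in exes:
            v.score += 2
            v.reasons.append("executable name matches the campaign")
    return v


# Constructed sample comments for the demo; not real comments from the campaign.
SAMPLE_COMMENTS = [
    "Had the same error. Fixed it with this build: "
    "https://www.mediafire.com/file/EXAMPLE/fix.zip password is changeme, run the exe inside.",
    "Try https://bit.ly/EXAMPLE , password: changeme, then launch x86_64-w64-ranlib.exe",
    "The issue is in Cargo.toml: bump tokio to a newer version and rebuild.",
    "Here is my patched build https://example.com/patch.zip password is hunter2",
]


def triage(comments) -> list:
    """Return (index, verdict) for every comment at or above the threshold."""
    verdicts = [(i, score_comment(c)) for i, c in enumerate(comments)]
    return [(i, v) for i, v in verdicts if v.suspicious]


if __name__ == "__main__":
    for i, v in triage(SAMPLE_COMMENTS):
        print(f"comment {i}: score {v.score}; " + "; ".join(v.reasons))
```

The weights deliberately favour the combination of a download link plus a shared password over any single indicator, since a legitimate comment may link to a file host or mention an archive, but handing out a password for an archive that the reader is told to execute is the shape of this lure.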
Running the executable on Any.Run indicates it is the Lumma Stealer information-stealing malware.
Lumma Stealer is an advanced info stealer that, when executed, attempts to steal cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.
The malware can also steal cryptocurrency wallets, private keys, and text files with names like seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf, as these are likely to contain private crypto keys and passwords.
This data is collected into an archive and sent back to the attacker, who can use the information in further attacks or sell it on cybercrime marketplaces.
While GitHub staff have been deleting these comments as they are detected, people have already reported falling for the attack.
Anyone who mistakenly launched the malware should change the passwords on all of their accounts, using a unique password for each site, and move any cryptocurrency to a new wallet.
Last month, Check Point Research disclosed a similar campaign by the Stargazer Goblin threat actors, who created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub to push information-stealing malware.
It is unclear if this is the same campaign or a new one conducted by different threat actors.
Comments
oracularhades - 2 months ago
It's worse than that. I had the bot come into one of my issues for a repo I didn't own. I quote replied to the bot saying "Damn, malware authors getting advanced these days" to troll/warn others about the bot. Because I used quote reply and it's markdown, it copied the bot's original message into my comment (but doesn't render it to the user) and so GitHub banned my account, thinking I was posting a malware link, because it didn't do a basic check if I was quote posting.
People have been dealing with automated shadowbans and support for weeks; there's a pinned post about getting shadowbanned on GitHub in /r/github. For me, there's a notice in the support page saying it could take 7 days to get a response; some on Reddit are saying it's taken weeks or they've just gotten a generic response.
It's totally disrupted my workflow over such a basic, stupid issue. I can't run any GitHub Actions, including self-hosted actions. My actions randomly stopped working. I thought GitHub was down (it had been that morning) because I didn't get any UI message or email about my account suspension. 6 hours later, extremely frustrated, I go to the support center to see if there's a way to report an issue, only to see a message saying my account was banned.
I've since had to completely rebuild/move all my infrastructure to GitLab, which I'm still in the process of doing. This really should remove any credibility GitHub has as being reliable; this is absolutely absurd.
14547438 - 2 months ago
"It's worse ... I can't run any Github actions ... frustrated ... Github ... is ... absurd."
That just about sums it up for me.
Take a perfectly usable command line tool and screw it up with HTML and browsers.
Sgtkeebler - 2 months ago
This has been an ongoing issue for months now, but Microsoft still claims to be "security experts". How can you be security experts when your website GitHub has had a huge vulnerability for months that they refuse to fix, and they have been hacked by the same APT multiple times?