Skip to content
feed: live
>_ 0dayNews
supply chain

Arctic Wolf: 292 fake GitHub repos push BoryptGrab stealer

Arctic Wolf tracked 292 fake GitHub repos seeding a BoryptGrab infostealer since June 26 — impersonating security tools, crypto wallets, and dev utilities.

Arctic Wolf: 292 fake GitHub repos push BoryptGrab stealer
Photo: Watty62 / Wikimedia Commons · CC BY-SA 4.0
kilobaud Dave "Kilobaud" Ferris · Published · 2 min read

Arctic Wolf disclosed today that a single operator — assessed with medium confidence as Russian-speaking and financially motivated — has been standing up look-alike GitHub repositories at industrial scale since June 26 to seed an infostealer. Two hundred and ninety-two repositories, by their count. The lures were the usual mix: security tooling, cryptocurrency wallets and services, developer utilities, financial software, macOS tools, secure email clients, and games. Each repo carried a README pointing at a download that was not what its packaging claimed to be.

The impersonation list included Arctic Wolf’s own products, which is how the research started.

The payload is a variant of the BoryptGrab family, delivered through a familiar side-loading pattern — a legitimately signed updater binary carrying a trojanized libcurl.dll next to it — then reflectively loaded in memory. Arctic Wolf notes one new capability worth flagging: this variant bypasses Chrome’s App-Bound Encryption through direct process injection into the browser, which is precisely the class of attack that scheme was designed to make expensive. Chrome’s cookie-jar defenses are again a moving target rather than a solved problem.

Once resident, the stealer reaches for what stealers reach for: credentials from nineteen browsers, thirty-two cryptocurrency wallet brands, Telegram sessions, Discord tokens, Steam credentials, the Windows Credential Manager, and files on the Desktop and Documents folders matching password-adjacent naming patterns. Screenshots and a system inventory round out the take. Nothing about the collection scope is novel; the delivery channel is the point.

GitHub took down “a large portion” of the flagged repositories after Arctic Wolf’s notification, though at report time “several dozen” GitHub Pages redirectors were still live and forwarding to the payload hosts. That gap between takedown of the front door and takedown of the redirectors is the operationally interesting part — a defender clicking through cached search results this week may still land on a working chain.

For anyone tempted to file this under new-news: it is not. Distributing malware from a trusted software portal by dressing it as a legitimate project is what SourceForge got a bad reputation for over a decade ago, what npm has been fighting continuously for the last several years, and what the extension marketplaces of every major browser have taken hits on in 2026 alone — ModHeader was pulled from both the Chrome and Edge stores just yesterday after a dormant collector shipped in an update. The distribution platform changes; the pattern does not.

What to do about it

  • Arctic Wolf has published Yara rules and indicators of compromise; if you run detection tooling, pull them from the writeup.
  • Treat downloads from GitHub repos with no meaningful commit history, no issues, and a README that leads with a download link the same way you would treat one from a freshly-registered domain. That is what they are.
  • If your users reach any of the impersonated categories through internal GitHub redirects or raw.githubusercontent.com links, audit that the targets are the real projects and not squats.

Found this useful? Share it.