GitHub is hiding malware disguised as games, legitimate software


  • McAfee researchers find a number of malicious GitHub repositories
  • The repositories change every week, but always promise game cracks, hacks, or free access to commercial software
  • But instead of the cracks, the victims get infected with Lumma Stealer

Cybercriminals are using GitHub to target children with infostealing malware, a new McAfee report has claimed, saying it spotted an ongoing malicious campaign on the popular code repository.

In an analysis, the researchers said they observed many repositories pretending to be game hacks, cracks, or free versions of otherwise commercial software. However, instead of providing these programs, the repositories were actually hosting Lumma Stealer, a known infostealer malware.

“McAfee Labs encountered multiple repositories, offering game hacks for top-selling video games such as Apex Legends, Minecraft, Counter Strike 2.0, Roblox, Valorant, Fortnite, Call of Duty, GTA V and or offering cracked versions of popular software and services, such as Spotify Premium, FL Studio, Adobe Express, SketchUp Pro, Xbox Game Pass, and Discord to name a few,” the researchers said.

Disabling the AV

This “network of repositories”, as McAfee described it, changes the description every week, and creates new repositories, since the old ones get flagged and removed by GitHub. The payload, however, always remains the same.

“These repositories also include distribution licenses and software screenshots to enhance their appearance of legitimacy,” McAfee concluded.

The descriptions also contain instructions on how to download and run the malware, and how to disable any antivirus programs on the computer before running it. The attackers claim that antivirus solutions flag these programs as false positives, and that the warnings can safely be ignored.

McAfee says this social engineering technique, combined with the trust GitHub enjoys with its users, works well, and that the campaign infected many users. The researchers did not share any numbers, but stressed that the targets are mostly on the younger side:

“Children are frequently targeted by such scams, as malware authors exploit their interest in game hacks by highlighting potential features and benefits, making it easier to infect more systems.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
