CyberSecurity news

FlagThis - #GitHub

Amar Ćemanović@CyberInsider //

Malvertising Campaign Leads to Info Stealers on GitHub - Microsoft warns of a malvertising campaign infecting over 1 million devices via illegal streaming websites, redirecting users to GitHub to steal sensitive information.
Microsoft is warning of a large-scale malvertising campaign that has impacted nearly one million devices worldwide, starting in early December 2024. The attack originates from illegal streaming websites using embedded malvertising redirectors. These redirectors lead users to GitHub, Discord, and Dropbox where initial access payloads are hosted. The primary goal of this campaign, tracked under the name Storm-0408, is to steal sensitive information from both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.

The attackers used a multi-stage approach, with GitHub serving as the primary platform for delivering the initial malware. This malware then deploys additional malicious files and scripts designed to collect system information and exfiltrate documents and data. Microsoft has since taken down the malicious repositories with the collaboration of the GitHub security team. The attack also employs a sophisticated redirection chain, with the initial redirector embedded within an iframe element on the illegal streaming websites.

Recommended read:
References :
  • The Hacker News: Microsoft Warns of Malvertising Campaign Infecting Over 1 Million Devices Worldwide
  • Microsoft Security Blog: Malvertising campaign leads to info stealers hosted on GitHub
  • CyberInsider: Microsoft has uncovered a large-scale malvertising campaign that compromised nearly one million devices worldwide, distributing information-stealing malware via GitHub. The attack, detected in early December 2024, originated from illegal streaming websites that redirected users through multiple malicious domains before delivering payloads hosted on GitHub, Dropbox, and Discord.
  • Hidden Dragon ??: Nearly 1 million Windows devices were targeted in recent months by a sophisticated "malvertising" campaign that surreptitiously stole login credentials, cryptocurrency, and other sensitive information from infected machines.
  • hackread.com: Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox
  • www.techradar.com: Microsoft reveals over a million PCs hit by malvertising campaign
  • www.bleepingcomputer.com: Microsoft says malvertising campaign impacted 1 million PCs
  • Tech Monitor: Microsoft neutralises malvertising scheme that affected one million devices
  • Cyber Security News: Microsoft Warns That 1 Million Devices Are Infected by Malware from GitHub
  • gbhackers.com: 1 Million Devices Infected by Malware from GitHub
  • The Register - Security: Microsoft admits GitHub hosted malware that infected almost a million devices
  • securityonline.info: Microsoft Uncovers Massive Malvertising Campaign Distributing Info Stealers via GitHub
  • Virus Bulletin: Microsoft researchers detail their investigation of a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information.
  • www.itpro.com: Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.
  • Security Risk Advisors: Malvertising Campaign Targets One Million Devices with Info Stealers Hosted on GitHub
  • Digital Information World: Microsoft Discovers Massive Malvertising Campaign Infecting Over 1 Million Devices
  • securityaffairs.com: Microsoft Threat Intelligence Center (MSTIC) observed a massive malvertising campaign leveraging GitHub to deliver malware.
  • www.csoonline.com: Almost 1 million business and home PCs compromised after users visited illegal streaming sites: Microsoft
  • The DefendOps Diaries: 🚩 Malvertising Campaign Targets One Million Devices with Info Stealers Hosted on GitHub
Pierluigi Paganini@Security Affairs //

GitVenom Campaign Exploits Thousands of GitHub Repositories - GitVenom, a sophisticated cyber threat campaign, leverages GitHub to spread malicious code through fake repositories, stealing cryptocurrency and credentials by mimicking real projects and deploying malicious payloads.
The GitVenom campaign, a sophisticated cyber threat, has been uncovered, exploiting GitHub repositories to spread malicious code and steal cryptocurrency. This campaign involves creating hundreds of repositories that appear legitimate but contain malicious code designed to infect users’ systems. The attackers craft these fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#, to lure unsuspecting developers. These projects often promise functionalities like automation tools but instead deploy malicious payloads that download additional components from attacker-controlled repositories.

The malicious components include a Node.js stealer that collects sensitive information like credentials and cryptocurrency wallet data, uploading it to the attackers. According to SecureListReport, a clipboard hijacker is also used to replace cryptocurrency wallet addresses, leading to significant financial theft. Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials, with one attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.

Recommended read:
References :
  • Cyber Security News: GitVenom Campaign Exploits Thousands of GitHub Repositories to Spread Infections
  • gbhackers.com: The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread malware and steal cryptocurrency.
  • Talkback Resources: Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials through fraudulent repositories, resulting in the attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.
  • Talkback Resources: Open-source code has a significant impact on software development, but developers should be cautious of the GitVenom campaign involving threat actors creating fake projects on GitHub to distribute malicious code and steal sensitive information.
  • The Hacker News: GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets
  • securityaffairs.com: GitVenom campaign targets gamers and crypto investors by posing as fake GitHub projects
  • The Register - Security: Reports that more than 200 GitHub repos are hosting fake projects laced with malicious software.
  • BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
  • Talkback Resources: Malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
  • Help Net Security: Hundreds of GitHub repos served up malware for years
  • bsky.app: Bluesky post about the malware campaign GitVenom.
  • BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers.
  • aboutdfir.com: GitVenom attacks abuse hundreds of GitHub repos to steal crypto
  • bsky.app: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
Pierluigi Paganini@securityaffairs.com //

Git Credential Exposure Vulnerabilities - Multiple vulnerabilities in Git's credential retrieval protocol allow attackers to access user credentials through improper handling of messages, affecting tools like GitHub Desktop and Git Credential Manager.
Multiple vulnerabilities have been discovered in Git and its related tools, posing a risk to user credentials. These flaws stem from the improper handling of message delimiters within the Git Credential Protocol, impacting tools such as GitHub Desktop, Git Credential Manager, Git LFS, GitHub CLI, and GitHub Codespaces. This improper handling allows malicious actors to craft URLs with injected carriage return or newline characters, leading to credential leaks. Specifically, vulnerabilities like CVE-2025-23040 in GitHub Desktop allowed for 'carriage return smuggling' through crafted submodule URLs.

These vulnerabilities arise from differences between Git's strict protocol handling and the implementation of related projects. Git Credential Manager is vulnerable due to the StreamReader class, misinterpreting line-endings, while Git LFS is vulnerable by not checking for embedded control characters, allowing for the injection of carriage return line feeds via crafted HTTP URLs. A new configuration setting, `credential.protectProtocol`, has been introduced to help mitigate these vulnerabilities by providing a defense-in-depth approach.

Recommended read:
References :
  • Cyber Security News: Critical GitHub Flaw Allows Credential Leaks Through Malicious Repos
  • securityaffairs.com: Multiple Git flaws led to credentials compromise
  • The Hacker News: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs
  • cyberpress.org: Critical GitHub Flaw Allows Credential Leaks Through Malicious Repos
  • ciso2ciso.com: Multiple Git flaws led to credentials compromise – Source: securityaffairs.com
  • ciso2ciso.com: Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user’s Git credentials. “Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper,â€� GMO Flatt Security […] La entrada se publicó primero en .
  • ciso2ciso.com: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs – Source:thehackernews.com
  • discuss.privacyguides.net: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs
  • Pyrzout :vm:: Multiple Git flaws led to credentials compromise – Source: securityaffairs.com
  • Dataconomy: Clone2Leak exposes credential risks in Git ecosystem
  • BleepingComputer: A set of three distinct but related attacks, dubbed 'Clone2Leak,' can leak credentials by exploiting how Git and its credential helpers handle authentication requests.
  • www.bleepingcomputer.com: News about Clone2Leak vulnerabilities in the Git ecosystem.
CISO2CISO Editor 2@ciso2ciso.com //

Lumma Stealer Distributed through GitHub Infrastructure - A sophisticated malware campaign distributes Lumma Stealer and other malware through GitHub, exploiting its release infrastructure.
A new, sophisticated cyber campaign is utilizing GitHub's infrastructure to distribute the Lumma Stealer malware, a notorious data-stealing tool. This campaign doesn't only focus on Lumma Stealer, it also distributes other malicious software including SectopRAT, Vidar, and Cobeacon. Attackers are exploiting the platform's release mechanisms to gain initial access to systems and subsequently deploy these harmful payloads. This tactic has allowed the threat actors to leverage a trusted platform, tricking users into downloading files from malicious URLs, thereby increasing the risk of widespread infections.

Trend Micro researchers have analyzed the tactics, techniques and procedures (TTPs) used in this campaign and found significant similarities with those used by the Stargazer Goblin group, indicating a potential connection between the two. The Lumma Stealer malware is known for extracting credentials, cryptocurrency wallets, system details, and other sensitive files. SOC Prime Platform has released detection content aimed at helping security teams proactively identify and thwart related threats. This includes Sigma rules for Lumma Stealer, SectopRAT, Vidar, and Cobeacon detection, highlighting the ongoing efforts to counter this dangerous threat.

Recommended read:
References :
  • ciso2ciso.com: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
  • SOC Prime Blog: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
  • Virus Bulletin: Trend Micro researchers dissect the tactics, techniques and procedures (TTPs) employed by a campaign distributing Lumma Stealer through GitHub.
  • ciso2ciso.com: Lumma Stealer Detection: Sophisticated Campaign Using GitHub Infrastructure to Spread SectopRAT, Vidar, Cobeacon, and Other Types of Malware – Source: socprime.com
  • www.trendmicro.com: Trend Micro : Trend Micro reports on a campaign distributing Lumma stealer through GitHub.
  • gbhackers.com: Cybercriminals Exploit GitHub Infrastructure to Distribute Lumma Stealer
  • gbhackers.com: Cybercriminals Exploit GitHub Infrastructure to Distribute Lumma Stealer

Blogs

Research Tools