GitHub and the ghost accounts that spread malware

  • Thousands of ghost accounts on GitHub are distributing malware through malicious repositories.
  • The Stargazer Goblin group has generated over $100,000 from this distribution network.
  • Cybercriminals use job scams and advanced techniques to avoid detection.
  • It is essential to verify repositories and avoid downloading unknown code without reviewing it.

Learn about ghost accounts on GitHub

GitHub, the leading platform for code hosting and developer collaboration, is being used by cybercriminal groups to spread malware at scale through ghost accounts. Recent investigations have revealed that thousands of ghost accounts operate on the platform to distribute malicious software, deceiving users through seemingly legitimate repositories.

The group behind this operation, called Stargazer Goblin, has developed a sophisticated malware distribution network by exploiting the trust developers place in GitHub. This system has allowed attackers to generate considerable revenue through a well-structured strategy that makes detection and removal difficult.

How ghost accounts work on GitHub

The main problem lies in the existence of fake accounts on GitHub whose sole purpose is to distribute malware by exploiting platform features such as the ability to fork repositories and star them. These accounts perform various functions within the cybercriminal network:

  • Phishing repositories: created with eye-catching descriptions to lure users into downloading malicious files.
  • Accounts that award stars: increase the visibility and credibility of malicious repositories.
  • Malicious links in README.md files: lead to the download of compromised software that appears legitimate.
  • Automation of activities: attackers use bots to fork and follow infected repositories.

This strategy allows malware to be distributed effectively without raising immediate suspicion.


Malware variants spread through GitHub

Researchers have identified multiple malware families that have been distributed through this network of ghost accounts, including:

  • Atlantida Stealer: steals user credentials and cryptocurrency data.
  • Rhadamanthys: designed to steal banking information.
  • Lumma Stealer: specialized in obtaining private data.
  • RedLine: one of the most widely used information-stealing Trojans.

Malicious accounts also use repositories to host password-protected compressed archives, making it difficult for security products to scan their contents.

How cybercriminals avoid detection with ghost accounts on GitHub

To keep the malware network active despite GitHub's efforts to remove fraudulent accounts, attackers employ several tactics:

  • Quick link redirection: When GitHub removes a malicious repository, criminals update the links in their other repositories to maintain distribution.
  • Using multiple accounts: Each fake account has a specific function within the network, such as validating repositories or posting compromised links.
  • Distribution through social networks and forums: Campaigns have been detected on Discord and other channels where links to these malicious repositories are shared.

Recent cases and growing threat

According to Check Point Research, in January 2024 alone, the Stargazers Ghost network infected more than 1,300 users with malware in just four days. In addition, GitHub-related scams have been active since at least 2022, with sustained growth in recent years.

The group has generated more than $100,000 by selling access to its network of ghost accounts and offering services such as star manipulation and repository forks.

The GitHub Fake Job Offer Scam

Another method used by cybercriminals to infect computers is to deceive developers through fake job offers. In these scams, attackers contact programmers and ask them to download a private repository as part of a technical test. However, the code contains malware that compromises the victims' devices.


Victims, believing they are accessing a legitimate job opportunity, unknowingly execute malicious software that steals their credentials or even allows remote access to their computers.

Recommendations to stay protected

Given the proliferation of these threats, it is essential that GitHub developers and users take security measures:

  • Verify the authenticity of the repositories: check the creator's reputation and previous activity on GitHub.
  • Avoid downloading files from unknown sources: especially if they are encrypted or password-protected archives.
  • Do not run code without reviewing it first: when in doubt, run it in an isolated environment such as a virtual machine.
  • Be wary of job offers that seem too good to be true: do not download code from private repositories sent as a "technical test" without additional verification.
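The tactics listed in the "How ghost accounts work" section and the verification steps just above can be turned into a mechanical pre-clone check. The script below is an added example, not code from the article or from Check Point Research: it scores a repository on the red flags the article describes (a freshly created owner with no other activity, stars coming from young empty accounts, many forks but almost no commits, a README that links to an archive or installer hosted outside the repository, and a README that hands out the archive password). The input dictionaries are constructed for the example and only loosely imitate the shape of GitHub's REST API responses; the thresholds (30 days, 90 days, 50 %) are assumptions, not values from the article.

```python
"""Pre-clone triage of a GitHub repository against the ghost-account tactics
described in the article. Added example; sample data is constructed."""
import re
from datetime import datetime, timedelta, timezone

# File types commonly used to deliver payloads via README links (assumed list).
DOWNLOAD_EXT = (".zip", ".rar", ".7z", ".exe", ".msi")
LINK_RE = re.compile(r"https?://[^\s)\]>\"'`]+")
# "Password: 1234" style hints that accompany password-protected archives.
PASSWORD_HINT_RE = re.compile(r"\bpassword\b\s*[:=]?\s*\S+", re.IGNORECASE)


def _ts(value):
    """Parse an ISO-8601 timestamp such as GitHub's '2024-01-05T10:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fresh_stargazer_ratio(stargazers, now, max_age_days=30):
    """Share of stargazers that look like throwaway accounts: created within
    max_age_days and owning no public repositories (star-farming signal)."""
    if not stargazers:
        return 0.0
    fresh = sum(
        1 for s in stargazers
        if now - _ts(s["created_at"]) < timedelta(days=max_age_days)
        and s.get("public_repos", 0) == 0
    )
    return fresh / len(stargazers)


def external_download_links(readme, repo_full_name):
    """Links in the README that fetch an archive or installer from anywhere
    other than this repository's own tree. The campaigns point the README at
    a payload hosted elsewhere so the link can be swapped after a takedown."""
    own_prefix = f"https://github.com/{repo_full_name}/"
    hits = []
    for url in LINK_RE.findall(readme):
        if url.lower().rstrip(".,").endswith(DOWNLOAD_EXT) and not url.startswith(own_prefix):
            hits.append(url)
    return hits


def triage(repo, now):
    """Return (score, findings). The score is a plain count of red flags;
    anything at 2 or more deserves a manual look before cloning or running."""
    findings = []
    owner = repo["owner"]
    if now - _ts(owner["created_at"]) < timedelta(days=90) and owner.get("public_repos", 0) <= 1:
        findings.append("owner account is new and has no other activity")
    ratio = fresh_stargazer_ratio(repo["stargazers"], now)
    if ratio >= 0.5:
        findings.append(f"{ratio:.0%} of stargazers are fresh, empty accounts")
    if repo["forks_count"] > 0 and repo["commits_count"] <= 2:
        findings.append("many forks but almost no commit history")
    links = external_download_links(repo["readme"], repo["full_name"])
    if links:
        findings.append(f"README links to off-repo downloads: {links}")
    if links and PASSWORD_HINT_RE.search(repo["readme"]):
        findings.append("README supplies an archive password (blocks scanning of the archive)")
    return len(findings), findings


# Constructed sample data: a repository showing every tactic, and a benign one.
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)
SUSPICIOUS_REPO = {
    "full_name": "example-user/free-tool",  # placeholder, not a real repo
    "owner": {"created_at": "2024-01-20T09:00:00Z", "public_repos": 1},
    "forks_count": 140,
    "commits_count": 1,
    "stargazers": [
        {"created_at": "2024-01-25T12:00:00Z", "public_repos": 0},
        {"created_at": "2024-01-26T12:00:00Z", "public_repos": 0},
        {"created_at": "2019-06-01T12:00:00Z", "public_repos": 12},
    ],
    "readme": "Download: https://github.com/other-user/mirror/raw/main/tool.zip\nPassword: 1234",
}
BENIGN_REPO = {
    "full_name": "example-org/lib",  # placeholder, not a real repo
    "owner": {"created_at": "2015-03-01T00:00:00Z", "public_repos": 40},
    "forks_count": 30,
    "commits_count": 900,
    "stargazers": [{"created_at": "2018-01-01T00:00:00Z", "public_repos": 5}],
    "readme": "Install with pip. Source: https://github.com/example-org/lib/archive/refs/tags/v1.zip",
}

if __name__ == "__main__":
    for repo in (SUSPICIOUS_REPO, BENIGN_REPO):
        score, findings = triage(repo, NOW)
        print(repo["full_name"], score, findings)
```

In practice the dictionaries would be filled from the repository, owner and stargazer endpoints of the GitHub API; the heuristics are deliberately simple so that a reviewer can see why a repository was flagged, and a high score is a reason to read the code in a throwaway virtual machine, not a verdict on its own.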

Platforms like GitHub have proven to be fundamental tools for software development, but they can also become attack vectors if appropriate precautions are not taken. The sophistication of the tactics employed by cybercriminals demonstrates the importance of cybersecurity in collaborative development environments. Share this news so more users will know about the danger.

