Cybersecurity experts have recently discovered a new campaign in which threat actors published over 67 GitHub repositories that claim to offer Python-based hacking tools but actually deliver trojanized payloads.
This activity, codenamed Banana Squad by ReversingLabs, is believed to be a continuation of a rogue Python campaign identified in 2023, which targeted the Python Package Index (PyPI) repository with fake packages that were downloaded over 75,000 times and came with information-stealing capabilities on Windows systems.
Previous findings from the SANS Internet Storm Center in November 2024 revealed a supposed “steam-account-checker” tool hosted on GitHub, which incorporated stealthy features to download additional Python payloads that could inject malicious code into the Exodus cryptocurrency wallet app and exfiltrate sensitive data to an external server (“dieserbenni[.]ru”).
Further analysis of the repository and the attacker-controlled infrastructure led to the discovery of 67 trojanized GitHub repositories that impersonate benign repositories with the same name.
It is believed that users searching for software such as account cleaning tools and game cheats, including Discord account cleaner, Fortnite External Cheat, TikTok username checker, and PayPal bulk account checker, are the targets of this campaign. All identified repositories have been taken down by GitHub.
According to ReversingLabs researcher Robert Simmons, “Backdoors and trojanized code in publicly available source code repositories like GitHub are becoming more prevalent and represent a growing software supply chain attack vector. For developers relying on these open-source platforms, it’s essential to always double-check that the repository you’re using actually contains what you expect.”
GitHub as a Malware Distribution Service
GitHub is increasingly being used as a malware distribution vector by several campaigns. Earlier this week, Trend Micro reported that it uncovered 76 malicious GitHub repositories operated by a threat actor known as Water Curse to deliver multi-stage malware.
These payloads are designed to siphon credentials, browser data, and session tokens, as well as provide the threat actors with persistent remote access to the compromised systems.
Check Point exposed another campaign that uses a criminal service known as the Stargazers Ghost Network to target Minecraft users with Java-based malware. The Stargazers Ghost Network refers to a collection of GitHub accounts that propagate malware or malicious links via phishing repositories.
According to Check Point, “The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate.”
The cybersecurity company also assessed that such “GitHub ‘Ghost’ accounts are only one part of the grand picture, with other ‘Ghost’ accounts operating on different platforms as an integral part of an even larger Distribution-as-a-Service universe.”
Some aspects of the Stargazers Ghost Network were exposed by Checkmarx in April 2024, which highlighted the threat actor’s pattern of using fake stars and pushing out frequent updates to artificially inflate the popularity of the repositories and make them surface on top of GitHub search results.
These repositories are ingeniously disguised as legitimate projects, typically related to popular games, cheats, or tools like cryptocurrency price trackers and multiplier prediction for crash-betting games.