Malware hidden in fake Minecraft Mods on GitHub is stealing passwords and crypto from players. Over 1,500 devices may be affected, researchers warn.

A new malware campaign has been targeting Minecraft players through fake mod downloads, according to recent findings from Check Point Research (CPR). Shared through GitHub and disguised as popular **Minecraft cheat mods**, the files carry a layered infection that can steal everything from saved passwords to cryptocurrency.

**Malware Hidden Inside Mods**

The campaign, which surfaced in March 2025, focused on active players using mods to enhance their gameplay. Mods like Oringo and Taunahi, widely known in the Minecraft cheat community, were mimicked to attract downloads. But instead of extra features, these files installed malware in three stages.

According to CPR’s **blog post**, first came a Java-based downloader. After confirming the user was running Minecraft and not a sandboxed or virtual environment, it dropped the download of a second-stage stealer which harvested login credentials and other sensitive files.

The final payload, a more advanced spyware tool, dug even deeper. It scanned for data in Discord, Steam, Telegram, web browsers and **crypto wallets.** It could also take screenshots and collect technical details from the infected machine. Data stolen through this campaign was then sent out over Discord, making the exfiltration hard to detect.

****Russian-Speaking Attacker Suspected****

Hints from the malware’s code, including Russian-language comments and UTC+3-based activity patterns, point to a Russian-speaking threat actor. The operation was linked to a group Check Point referred to as the Stargazers Ghost Network, a malware delivery system that uses a distribution-as-a-service model. The same system was **previously seen in July 2024** distributing malware through more than 3,000 fake GitHub accounts.

In the latest Minecraft scam, CPR’s research also traced the campaign across several GitHub repositories, each posing as legitimate mod tools. This helped the malware gain reach while avoiding immediate suspicion. Based on internal traffic analysis, the researchers estimate that at least 1,500 devices may have been compromised so far.

Malicious GitHub repositories (Image via CPR)

****Why Minecraft Was the Perfect Target****

Minecraft’s global popularity makes it a prime target for these kinds of attacks. With over 200 million monthly active users and more than a million modders, the game has built an extensive infrastructure of user-created content. Many players are young and may not be well-equipped to spot fake downloads, especially when they’re presented as performance boosters or cheats.

The modding community thrives on open sharing, but that openness has become a vulnerability. Attackers are betting that users won’t double-check the origin of a mod if it looks familiar.

This is why in October 2021, Minecraft was identified as **the most malware-infected game** after researchers found 44,335 compromised devices and over 300,000 malware cases targeting its players.

****What Players Should Do****

This attack is just another example of how familiar online platforms, especially those used by younger audiences, are being turned into distribution channels for malware. If you’re a Minecraft player or a parent of one, now’s a good time to check your devices and habits:

*   Stick to mods from well-known and verified platforms.
*   Make sure your antivirus and security updates are current.
*   Avoid any mod claiming to offer hacks, cheats or automation.
*   Monitor accounts linked to Discord, gaming platforms or crypto wallets for suspicious activity.

Fake Minecraft Mods on GitHub Found Stealing Player Data

Zyxel users beware: A critical remote code execution flaw (CVE-2023-28771) in Zyxel devices is under active exploitation by a Mirai-like botnet. GreyNoise observed a surge on June 16, targeting devices globally.

A serious security vulnerability, tracked as CVE-2023-28771, is affecting Zyxel networking devices. Security researchers at GreyNoise noticed a sudden sharp rise, and a concentrated effort by attackers to exploit this flaw on June 16th.

The vulnerability allows for remote code execution, which means attackers can run their own programs on vulnerable devices from a distance. This particular weakness is found in how Zyxel devices handle specific internet messages, called Internet Key Exchange (IKE) packets coming through the UDP port 500.

****The Sudden Surge and Its Reach****

While attacks targeting this Zyxel flaw had been minimal, June 16th brought a significant spike in activity. GreyNoise recorded 244 different internet addresses trying to exploit the issue within a single day.

Source: GreyNoise

These attacks are aimed at devices in various countries, with the following being the most targeted:

*   India
*   Spain
*   Germany
*   United States
*   United Kingdom

Interestingly, a review of these 244 attacking addresses showed they had not been involved in any other suspicious network activity in the two weeks leading up to this sudden burst.

****Tracing the Source****

An investigation into the attacking internet addresses revealed they were all registered under Verizon Business infrastructure and appeared to originate from the United States. However, because the attacks use UDP port 500, which allows for spoofing (faking the sender’s address), the true source might be hidden, noted GreyNoise researchers in their blog post shared with Hackread.com.

Further analysis by GreyNoise, supported by checks from VirusTotal, found signs that these attacks might be linked to variants of the Mirai botnet, a type of malicious software that takes over devices.

In response to these active threats, security experts are urging immediate action. It is advised to block all 244 identified malicious IP addresses and to check if any internet-connected Zyxel devices have the necessary security patches for CVE-2023-28771.

Device owners should also watch for any unusual activity after an exploit attempt, as this could lead to further compromise or the device being added to a botnet. Finally, it’s recommended to limit any unnecessary exposure of IKE/UDP port 500 by applying network filters.

It’s important to note that Zyxel devices have faced security challenges in the past. For instance, Hackread.com reported in June 2024, about Zyxel NAS devices being targeted by a Mirai-like botnet exploiting a different recent vulnerability (CVE-2024-29973), highlighting a recurring pattern of issues for the company’s products.

“This was added to the CISA Known Exploited vulnerabilities list on May 31, 2023, requiring agencies to have it resolved before June 21 that same year. The activity observed appears to be the Mirai botnet activity,” said Martin Jartelius, CISO at cybersecurity company Outpost24.

“As the vulnerability has been extensively targeted before, for someone to fall victim now, they would have had to obtain a vulnerable device, deploy it without updates, and expose it to the internet, even though it’s in a known vulnerable state,” explained Martin.

“One would almost say that the chain of incompetence needed to be victimized at this point is borderline impressive, but of course, it can happen. This, however, is not the vulnerability we should all wake up and worry about today. In fact, if you were worried about it, you would have fixed it years ago.”

Zyxel Devices Hit by Active Exploits Targeting CVE-2023-28771 Vulnerability

Scammers used Inferno Drainer to steal $43,000 in crypto from 110 CoinMarketCap users through a fake wallet prompt embedded in the site’s front-end.

A coordinated crypto theft operation targeting CoinMarketCap users has been exposed after leaked images surfaced from a Telegram channel known as TheCommsLeaks. The attack used a convincing wallet connection prompt embedded in CoinMarketCap’s own interface, tricking users into handing over access to their wallets. The result? more than $43,000 worth of crypto funds drained in hours.

According to Tammy H, a Senior Threat Intelligence Researcher and Certified Dark Web Investigator at Flare.io, a Canada-based cybercrime intelligence firm, the attack was carried out using Inferno Drainer, a known wallet-draining toolkit that’s been linked to previous campaigns.

****A Pop-Up with a Price****

The method was simple but effective. Users visiting CoinMarketCap were presented with a prompt asking them to “Verify Your Wallet” to access features. It looked identical to legitimate pop-ups seen on the platform, giving users no reason to doubt it. However, once connected, wallets were quietly emptied of whatever assets they held.

Video credit: apoorv.eth on X (Twitter)

A source cited in the leak claimed the prompt appeared across nearly every page on the site. “Make it where it appears on every page,” read one message. “Most people have coins pinned… the second they render the site.”

The attacker seemed focused on increasing visibility and maximizing wallet connections. Some reports suggest that even the connect button began malfunctioning due to being rendered too many times.

****Inside the Leak****

As per Tommy H’s analysis, the Telegram channel TheCommsLeaks began sharing details around 7:30 PM local time on June 20. The messages included screenshots showing a live dashboard used by the attacker. These visuals displayed wallet connections, token transfers and total values drained in real time.

Early numbers showed 67 successful hits and over 1,300 wallet connections. The payout was already past $21,000 within the first wave. By the time the campaign ended, the final haul had climbed to $43,266, drained from 110 victims.

Tokens siphoned off included SOL, XRP, EVT, and smaller coins like PENGU and SHDW. One transaction involving $1,769 in XRP was linked to a wallet visible on BscScan, offering public confirmation of the theft.

However, the researcher noted that not every attempt succeeded. Logs from the attacker’s toolkit also showed multiple failed drains, typically due to wallets holding unsupported tokens or negligible balances.

Attackers on Telegram

****What Happened on CoinMarketCap?****

After growing speculation over whether the attack came from a spoofed domain, CoinMarketCap addressed the issue directly. In a statement published on X, the company said a doodle image displayed on their homepage had triggered malicious code through an embedded API call. This vulnerability caused the unauthorized wallet prompt to appear for some users.

The company confirmed that its security team responded immediately after detecting the issue. The malicious content was removed, and internal systems were patched to prevent further abuse.

“All systems are now fully operational, and CoinMarketCap is safe and secure for all users,” the company stated, adding that it continues to monitor the situation and provide support.

This incident goes on to show how small interface changes, even those involving something as harmless as a homepage doodle, can be leveraged for large-scale damage. While the use of a legitimate platform’s own environment to deploy malicious prompts is extremely concerning, it reflects how easily trust in familiar interfaces can be misused.

In a separate incident reported by Hackread just last week, scammers exploited search ads to trick users into calling fake support numbers shown on real websites like Apple and PayPal. Though technically unrelated, both cases show how attackers rely on user assumptions about what’s safe to interact with online.

For now, users are advised to avoid connecting wallets directly through pop-ups and verify any prompt against the platform’s official guidance. If something looks familiar, that doesn’t always mean it’s safe.

Scammers Use Inferno Drainer to Steal $43K from CoinMarketCap Users

A new FS-ISAC and Akamai report warns that sophisticated DDoS attacks are severely impacting the global financial sector, leading to multi-day outages. Learn about these evolving threats and how institutions can strengthen defences.

A new joint report released today by FS-ISAC, a non-profit organization focused on financial cybersecurity, and Akamai Technologies, a leading cybersecurity and cloud company, reveals a worrying trend: Distributed Denial-of-Service attacks (DDoS attacks) are increasingly targeting the global financial sector.

These attacks aim to overwhelm online services, disrupting customer access and business operations, ultimately eroding trust and impacting profits. The report, shared with Hackread.com, emphasises the growing sophistication and strategic nature of these cyber threats.

****Evolving Attack Strategies and Key Findings****

According to the report, the financial services sector was the primary target for large-scale DDoS attacks in 2024, which involved flooding a system with massive amounts of traffic, with a notable surge in October 2024. Attacks specifically targeting the application layer of financial services grew by 23% between 2023 and 2024.

The report also notes a rise in more precise attacks against financial firms’ Application Programming Interfaces (APIs) with a 58% rise observed between 2023-24 which allow different software to communicate, and their customer-facing websites.

These targeted assaults are harder to spot because they mimic normal user behaviour, indicating a higher level of skill among cybercriminals. In 2024, a single attack campaign targeting multiple banks resulted in service disruptions that lasted for several days, illustrating the severe impact these incidents can have.

Teresa Walsh, FS-ISAC’s Chief Intelligence Officer, commented on this shift, stating, “DDoS attacks are becoming increasingly sophisticated, evolving from simple network flooding to targeted, multi-dimensional assaults that exploit intricate vulnerabilities across the entire supply chain.”

The use of DDoS-for-Hire services, where attackers can pay others to launch attacks, is also common. Geopolitical events, such as the Hamas-Israel and Russia-Ukraine conflicts, have also fuelled an increase in hacktivism, where cyberattacks are carried out for political reasons.

On the other hand, the Asia Pacific region experienced a sharp rise in these large-scale attacks, accounting for 38% of all volumetric DDoS attacks in 2024, a significant jump from 11% in 2023.

****Building Stronger Defences****

To help financial institutions better prepare, FS-ISAC and Akamai have introduced a five-level DDoS Maturity Model. This model helps organizations evaluate their current strengths and weaknesses in defending against DDoS attacks, allowing them to identify areas for improvement, prioritize investments, and boost their ability to withstand these threats.

Steve Winterfeld, Advisory CISO at Akamai, emphasized the ongoing nature of the threat: “Threat actors will continue to leverage DDoS attacks to exploit the security of our institutions.” He highlighted that effective defences involve implementing mitigation strategies, maintaining strong cybersecurity practices, and adopting industry best practices.

It must be noted that this collaboration is part of Akamai’s involvement in FS-ISAC’s Critical Providers Program, launched in 2022 to enhance supply chain security within the financial sector.

Report Warns of Sophisticated DDoS Campaigns Crippling Global Banks

European police, led by Denmark and Sweden, are arresting individuals in a crackdown on violence-as-a-service, where criminal groups recruit teenagers online for contract killings. Learn about Europol's OTF GRIMM task force and how they're fighting this disturbing trend.

European law enforcement agencies, led by Denmark and Sweden, are intensifying their fight against a disturbing new criminal trend: the online recruitment of young people, some as young as 14, to carry out contract killings. This practice, termed violence-as-a-service, sees criminal groups using encrypted online platforms to offer money for shootings, often across national borders.

As per Europol’s press release, recent efforts, spearheaded by Denmark’s National Special Crime Unit and the Swedish Police, have led to several arrests. Following investigations into violent acts, including a shooting in Kokkedal on May 7, 2025, seven individuals, aged between 14 and 26, have either been arrested or surrendered from countries like Sweden and Morocco.

Among those caught are two 18-year-old men from Western Sweden, suspected of actively recruiting youngsters for these deadly tasks. Authorities indicate that some suspects also provided weapons, ammunition, and safe places for these young attackers.

****International Alliance Against Online Crime****

This alarming development has prompted a stronger international response. Europol launched Operational Taskforce (OTF) GRIMM in April 2025 to directly address the use of encrypted services for coordinating contract killings across Europe. The task force now includes Belgium, Denmark, Finland, France, Germany, Iceland (the latest country to join), the Netherlands, Norway, Sweden, and Europol itself, with more nations expected to join soon.

Andy Kraag, Head of Europol’s European Serious Organised Crime Centre, highlighted the severity, stating, “Teenagers being paid to pull the trigger, this is what organised crime looks like in 2025. This is calculated outsourcing of murder by criminal networks that treat human lives as disposable assets.”

****A Familiar Crime****

This isn’t the first time online platforms have been exploited for grave crimes. As Hackread.com recently reported that the global 764 network child abuse ring, led by individuals like Leonidas Varagiannis (21) and Prasan Nepal (20), also used encrypted apps to orchestrate horrific exploitation.

This past case, resulting in arrests in the US and Greece, underscores a persistent challenge: the anonymous nature of digital spaces can facilitate serious criminal activity, including those involving minors.

Europol encourages parents and communities to look for early signs of criminal recruitment, such as sudden behavioural changes or unexplained wealth, offering guides for protection. Law enforcement continues to track the masterminds behind these operations, aiming to dismantle their hidden online infrastructure.

Violence-as-a-Service: Encrypted Apps Used in Recruiting Teens as Hitmen

Anubis ransomware group claims a 64GB data breach at Disneyland Paris, leaking some engineering files and attraction plans via its dark web site.

The infamous Anubis ransomware gang has listed Disneyland Paris as its latest victim. Hackread.com can confirm that the group posted details of the alleged breach on its dark web leak site, stating that the stolen data archive totals 64GB.

Anubis is a ransomware-as-a-service (RaaS) operation that surfaced in December 2024, evolving from an earlier test version named “Sphinx.” It has no connection to the Android banking trojan or Python backdoor that share the same name.

The gang offers profit-sharing models for its affiliates: 80% from encrypted ransom payments, 60% from data leaks, and 50% from access resales. Trend Micro recently reported that the group is using a “Built-in Wiper,” a feature that completely erases/wipes off data from compromised systems.

Regarding the Disneyland Paris incident, the group described it as “the largest data leak in the history of Disneyland Park.” They stated that 39,000 files related to construction and renovation activities at the park were obtained. According to them, the data was acquired during a breach involving one of Disneyland’s partner companies.

Screenshot from the Anubis Ransomware gang’s dark web leak blog (Image credit: Hackread.com)

“During the leak of data of the partner company, 39,000 files related to the construction and renovation of the Disneyland Paris location ended up in our hands,” the group wrote.

To support their claim, the operators announced they would release a portion of the data within the next five hours. So far, images and videos have been uploaded to their site, allegedly showing detailed drawings of various park attractions.

The archive, as per Anubis’ claims includes plans for Frozen, Crush’s Coaster, Pirates of the Caribbean, Big Thunder Mountain, Autopia, Buzz Lightyear, Orbitron, Casey Jr., Phantom Manor, Ratatouille, and more.

Additional images show engineering-related work at the site. To stress the significance of the breach, the group noted that Disneyland typically signs NDAs with employees, strictly prohibiting them from sharing internal material publicly.

Screenshot from the Anubis Ransomware gang’s dark web leak blog (Image credit: Hackread.com)

However, the post does not specify whether any customer or visitor information is included in the files. It also does not clarify if a ransom demand has been issued to Disneyland Paris. On its official Twitter (now X) account, the group was seen bragging about the incident on June 12, 2025.

For now, the breach remains unverified. Hackread.com has contacted Disneyland Paris for comment. This article will be updated if a response is received.

Anubis Ransomware Lists Disneyland Paris as New Victim

A new detection method from Varonis Threat Labs turns hackers' sneaky random patterns into a way to catch hidden cyberattacks. Learn about Jitter-Trap and how it boosts cybersecurity defenses.

Cybersecurity experts at Varonis Threat Labs have identified a clever new way to spot hidden cyberattacks, even those used by highly skilled state-sponsored groups and criminal gangs.

Their new technique, called Jitter-Trap, focuses on identifying patterns of randomness that hackers use to stay secret. This fresh approach aims to catch a tricky part of cyberattacks known as “post-exploitation and C2 communication.”

For your information, attackers often use special software, or beacons, that send signals back to their control centers. These beacons are designed to be hard to find by using random timings, like a heartbeat that speeds up and slows down without a clear pattern.

The Jitter-Trap method flips this idea altogether. Instead of getting fooled by the randomness, Varonis’s research shows that this very randomness creates its own unique fingerprint that security teams can detect.

These beacons are part of larger hacking tools, sometimes called post-exploitation frameworks, such as Cobalt Strike or Sliver. While these tools can be used for good purposes, like testing security, criminals may use them to quietly stay inside a network, steal data, or take over computers. These advanced tools include ways to hide their activity by making their network traffic look like normal internet use, for example, a harmless Microsoft update or a common website visit.

Traditionally, security teams look for known bad files, unusual user actions, or specific network patterns to find these hidden threats. However, hackers are always updating their methods, making it easy to bypass old detection rules or create new ways to avoid being caught. Varonis’s Jitter-Trap specifically looks at how beacons communicate, as per their blog post, shared with Hackread.com.

When these beacons check in with their operators, they use a sleep time and a jitter setting. The sleep is how long they wait between checks, and jitter adds randomness to this wait time. While many legitimate online services also use regular checks, the specific type of randomness created by a beacon’s jitter settings is usually unique.

Sleep with jitter visualization (Source: Varonis)  

Moreover, Varonis found that even though jitter is meant to hide activity, the random timings it produces, especially over longer periods, form a recognizable pattern, like a uniform distribution, that is uncommon in normal network traffic. This allows security experts to identify these subtle differences. The technique also applies to other random elements, such as the size of data being sent or the way web addresses (URLs) are generated.

This detection method helps security professionals better defend against advanced threats. By looking for these specific random patterns, organizations can spot and stop hidden cyber activity more effectively, using the attackers’ own evasion techniques against them.

New Detection Method Uses Hackers’ Own Jitter Patterns Against Them

Citizen Lab and Google uncovered a new, sophisticated cyberattack linked to Russian state actors that exploits App-Specific Passwords, bypassing Multi-Factor Authentication. Discover how to protect yourself from these evolving threats.

A new and highly sophisticated cyberattack, believed to be from a Russian state-linked group, has been revealed. This innovative method tricks people into creating and handing over App-Specific Passwords (ASPs), bypassing common security measures like Multi-Factor Authentication (MFA).

This sophisticated attack was jointly disclosed by the Citizen Lab (a research group at the University of Toronto) and Google’s Threat Intelligence Group (GTIG). Their investigation began after Keir Giles, a well-known expert on Russian information operations and a senior associate at Chatham House, contacted Citizen Lab for help after being targeted.

****A Malicious New Approach****

This new attack was different from typical phishing. It was slow and very convincing. It started on May 22, 2025, when Mr. Giles got an email from someone named Claudie S. Weber pretending to be a US State Department official. The email looked real, even with other official addresses in the “CC” line. The attackers took their time, sending over ten emails in several weeks to build trust. Experts think they might have used advanced tools to make their messages sound very natural.

Source: Citizen Lab

The main trick was to get Mr. Giles to sign up for a fake MS DoS Guest Tenant platform. They sent him a professional-looking PDF with instructions. This PDF guided him to create an App-Specific Password (ASP)for his Google account.

The Benign PDF (Source: GTIG)

For your information, an ASP is a special 16-digit code for older apps that don’t work with modern security. The hackers made it seem like this ASP would let him into a secure government system, but it actually gave them full control of his accounts.

****Russian Link and Future Warnings****

GTIG has identified the group behind these attacks as UNC6293. They believe, with some certainty, that UNC6293 is connected to APT29 (aka Cozy Bear), a cyber espionage group linked to Russia’s Foreign Intelligence Service (SVR). Google later detected the attack on Mr. Giles’s accounts, took steps to secure them, and disabled the attacker’s email address.

This incident highlights a growing concern: as standard security like MFA becomes more common, attackers are finding new ways to bypass it. Experts expect more social engineering attacks that target App-Specific Passwords.

Cybersecurity teams are now advised to be wary of how ASPS are used in their organizations and to educate users about these new risks. Google is already working to phase out ASPs for business users in Google Workspaces but still balances security with user needs for personal Gmail accounts.

Hackers Use Social Engineering to Target Expert on Russian Operations

Red Canary uncovers 'Mocha Manakin,' a new threat using paste and runs to deliver custom NodeInitRAT malware, potentially leading to ransomware. Learn to protect your systems.

A new and concerning cyber threat, dubbed Mocha Manakin, has been identified by cybersecurity research firm Red Canary. First tracked in January 2025, this threat uniquely combines social engineering tricking people with specially built malicious software.

Mocha Manakin uses a deceptive tactic called paste and run (also known as Clickfix or fakeCAPTCHA). This method fools computer users into unknowingly copying and running harmful commands, often disguised as steps to fix access to a document or prove they are human.

These fake instructions bypass regular security checks, making it easy for the malicious script to download further harmful programs onto the victim’s computer. Since August 2024, Red Canary has seen a rise in paste-and-run attacks due to their effectiveness in tricking users.

****NodeInitRAT: A Custom-Built Backdoor Leading to Ransomware?****

According to the company’s technical blog post, what makes Mocha Manakin different is the custom-made malicious program it delivers: a NodeJS-based backdoor called NodeInitRAT. Once a user falls for the paste-and-run trick, a PowerShell command is executed to download a .zip file, which is then saved to the user’s temporary folder, typically C:\Users\<user>\AppData\Local\Temp\.

This .zip archive contains a legitimate node.exe program. The PowerShell then uses this node.exe to run the NodeInitRAT malicious code, passing it directly via the command line.

Attack Chain (Source: Red Canary)

Once installed, NodeInitRAT can secretly gather sensitive network information, run any commands it’s given, and deploy more harmful software. This custom backdoor communicates with its controllers over the internet, often using legitimate Cloudflare tunnels to hide its activity.

As of May 2025, Red Canary has not directly seen Mocha Manakin lead to ransomware. However, based on its capabilities and links to Interlock ransomware activity observed by Sekoia.io, Red Canary believes with moderate confidence that unstopped Mocha Manakin infections could likely result in ransomware attacks. This connection is concerning, highlighting the serious potential for data encryption and financial demands.

****How to Protect Against Mocha Manakin****

Red Canary advises organizations to educate their staff about paste-and-run tactics, teaching them not to follow unexpected instructions that ask them to copy and paste commands into their system. Monitoring for unusual computer behaviours is also crucial. If NodeInitRAT is found, immediately stop active node.exe processes running the malware. The harmful code might also exist in hidden files (like those found in AppData\Roaming) or in Windows Registry entries, which should be deleted to prevent the malware from running again.

For network defence, blocking communication with known harmful domains used by NodeInitRAT can prevent it from connecting with its controllers. Technical teams can also set up detection rules to detect PowerShell commands that use invoke-expression and invoke-restmethod, which are typical signs of Mocha Manakin’s initial infection. By staying alert and implementing these protective measures, organizations can significantly reduce their risk from this growing threat.

New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack

Banana Squad hid data-stealing malware in fake GitHub repos posing as Python tools, tricking users and targeting sensitive info like browser and wallet data.

ReversingLabs researchers recently uncovered a new and worrying attack method led by a group called Banana Squad. This group, first identified by Checkmarx researchers in October 2023, is known for their sneaky methods, with their name coming from an early harmful internet address, bananasquadru.

ReversingLabs team, including Principal Malware Researcher Robert Simmons, found over 60 fake project folders, called repositories, on GitHub. These folders looked like real computer hacking tools written in Python, but they were actually trojanized, meaning they contained hidden malicious code.

Malicious code was placed in the top section of the repository, while the lower part appeared harmless (Image via ReversingLabs)

In their earlier attacks, starting in April 2023, Banana Squad put out hundreds of bad software packages under various usernames, researchers noted in their blog post shared with Hackread.com. These programs were designed for Windows computers and aimed to “steal extensive amounts of sensitive data,” including information from computers, apps, web browsers, and even cryptocurrency wallets by redirecting money.

These bad packages were downloaded nearly 75,000 times before they were found and removed. More recently, in November 2024, a harmful project from Banana Squad, found at dieserbenniru, showed a new trick. They used a GitHub feature where long lines of code don’t wrap.

Additionally, attackers added many spaces to push their malicious code off the screen, making it invisible to someone just looking at the code. This makes it much harder to spot the hidden danger. Fake user accounts, often with only one project listed, are commonly used by Banana Squad to host these harmful repositories.

Beyond Banana Squad’s specific activities, the overall increase in OSS risk points to ongoing problems. A new report for 2025 from ReversingLabs shows a changing picture in the safety of open-source software (OSS).

While overall malware found in OSS repositories significantly dropped in 2024 – a 70% decrease across platforms like npm, PyPI, and RubyGems compared to 2023 – the risk to software development from OSS is actually growing.

These threat actors are getting smarter. They are using more hidden and complex ways to attack, especially on platforms like GitHub, instead of just uploading simple malware. This positive trend in malware reduction is partly thanks to better security measures, including mandatory two-factor authentication (2FA) and the OpenSSF’s Malicious Packages Repository, launched in 2023.

Other reports indicate issues like a rise in secret leaks in 2024, where sensitive login details are exposed. Also, a look at top OSS packages revealed many security holes and code rot – a reliance on old, unmaintained code. This means popularity does not equate to security. The evolving threat means everyone using open-source software needs to be more watchful and use better tools to stay safe from groups like Banana Squad and other emerging threats.

Source

HackRead