Cybersecurity researchers have uncovered a significant new campaign in which threat actors published over 67 GitHub repositories falsely claiming to offer Python-based hacking tools, while actually delivering trojanized payloads. This activity, dubbed Banana Squad by ReversingLabs, continues a trend of malicious Python exploits previously identified, including a rogue campaign that targeted the Python Package Index (PyPI) last year.
The finding builds on a previous report from the SANS Internet Storm Center, which highlighted threats targeting GitHub repositories with the potential to inject malicious code into software like the Exodus cryptocurrency wallet and to harvest sensitive data. This latest discovery shows how malicious coding practices have evolved to target users searching for account-cleaning software and game cheats, such as Discord account cleaners and PayPal bulk account checkers.
In response to these findings, GitHub has taken action to remove the identified repositories. Researcher Robert Simmons at ReversingLabs emphasized the growing threat of backdoored code being present in publicly accessible source repositories like GitHub, warning developers to verify the authenticity of the code they utilize. With platforms like GitHub increasingly becoming vectors for malware distribution, developers need to exercise caution.
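The advice above to verify code before using it is easier to act on with a concrete pre-use check. The script below is an added example, not code from ReversingLabs, GitHub or the article, and it does not describe how the Banana Squad payloads were built. It scans a cloned Python repository for a few assumed indicators of obfuscated or trojanized code (very long lines, large base64-like literals, runs of hex escapes, and `exec`/`eval` applied to decoded data) and reports what it finds; the sample files it creates are constructed placeholders.

```python
"""Heuristic pre-use vetting of a cloned Python repository.

Added example. The indicator thresholds and rules below are assumptions
about what commonly marks obfuscated or trojanized Python; they are not
derived from the campaign described in the article.
"""
from __future__ import annotations

import ast
import os
import re
import tempfile
from dataclasses import dataclass

LONG_LINE = 300  # assumption: legitimate source rarely exceeds this width
BLOB_RE = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")  # long base64-like literal
HEX_ESC_RE = re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")  # run of hex escapes
DECODERS = {"b64decode", "decompress", "loads", "unhexlify"}
EXECUTORS = {"exec", "eval"}


@dataclass
class Finding:
    path: str
    line: int
    rule: str


def _call_name(func: ast.expr) -> str:
    """Return the bare name of a called function (exec, b64decode, ...)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _mentions_decoder(call: ast.Call) -> bool:
    """True if any call nested under this one is a known decoder."""
    return any(isinstance(n, ast.Call) and _call_name(n.func) in DECODERS
               for n in ast.walk(call))


def scan_source(path: str, text: str) -> list[Finding]:
    """Apply line-based and AST-based rules to one Python source file."""
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        if len(line) > LONG_LINE:
            findings.append(Finding(path, no, "long-line"))
        if BLOB_RE.search(line):
            findings.append(Finding(path, no, "base64-blob"))
        if HEX_ESC_RE.search(line):
            findings.append(Finding(path, no, "hex-escape-run"))
    try:
        tree = ast.parse(text)
    except SyntaxError:
        # Unparseable files deserve manual review rather than silent skipping.
        findings.append(Finding(path, 0, "unparseable"))
        return findings
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node.func) in EXECUTORS:
            if _mentions_decoder(node):
                findings.append(Finding(path, node.lineno, "exec-of-decoded-data"))
    return findings


def scan_repo(root: str) -> list[Finding]:
    """Walk a checkout and scan every .py file, in a stable order."""
    findings: list[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".py"):
                p = os.path.join(dirpath, fn)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(p, fh.read()))
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed two-file repo in a temp dir; return rules hit per file."""
    clean = "import json\n\ndef load(p):\n    with open(p) as f:\n        return json.load(f)\n"
    blob = "A" * 220  # constructed placeholder, not a real payload
    dropper = f'import base64\nexec(base64.b64decode("{blob}"))\n'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("clean.py", clean), ("dropper.py", dropper)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_repo(root)
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(os.path.basename(f.path), []).append(f.rule)
    return out


if __name__ == "__main__":
    for name, rules in demo().items():
        print(f"{name}: {', '.join(rules)}")
```

Run it against a freshly cloned repository with `scan_repo("/path/to/checkout")` before executing anything from it; a hit is a reason to read the flagged lines, not a verdict, and a clean result does not prove the code is safe.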
Furthermore, cybersecurity firm Trend Micro recently reported a separate but related investigation, uncovering 76 other malicious GitHub repositories used by a threat actor named Water Curse to facilitate multi-stage malware attacks. As GitHub continues to be exploited in this manner, the implications for software supply chain security remain critical.