Malvertising's Hidden Pipeline: How Trusted Platforms Became Attack Vectors

Security researchers and Microsoft have revealed that nearly one million devices were infected worldwide through a massive malware campaign that weaponized GitHub repositories to deliver malicious software.

The attack, first detected in December 2024, originated from illegal streaming sites where hackers embedded deceptive advertising scripts, known as malvertising, into video frames.

When users clicked these manipulated ads, they were redirected through multiple malicious domains until landing on GitHub repositories hosting malware disguised as legitimate software. Once users downloaded these files, their devices were compromised by a sophisticated multi-stage infection chain.

The initial GitHub-hosted payload acted as a dropper, installing reconnaissance tools that collected information such as system configuration, memory size, graphics card details, and operating system versions. This data was Base64-encoded and sent through HTTP requests to command-and-control servers.

In subsequent stages, additional malware was deployed, including the Lumma and Doenerium information stealers and the NetSupport remote access trojan. These payloads allowed attackers to exfiltrate browser credentials, monitor user activity, and maintain prolonged access through registry edits, scheduled tasks, and startup folder scripts.

Microsoft attributed the operation to a cybercriminal group tracked as Storm-0409 (also referenced as Storm-0408 in some reports), known for combining malvertising, phishing, and search engine optimization poisoning tactics to distribute information-stealing or remote access malware.

The threat actors exploited the legitimacy of cloud-hosting platforms like GitHub, Dropbox, and Discord to evade network security filters and build trust among victims. The malware's construction incorporated living-off-the-land techniques, using legitimate Windows tools such as PowerShell and AutoIt to execute code and evade detection.

GitHub and its security team collaborated with Microsoft to remove the infected repositories. However, Microsoft warned that this was one of many ongoing campaigns using trusted online developer platforms to deliver similar threats.

The company underscored that such tactics are becoming increasingly common as cybercriminals exploit cloud-hosted services and whitelisted environments to distribute trojans and information stealers with high persistence and low visibility across both enterprise and consumer networks.

Source: https://www.msn.com/en-us/news/technology/github-users-targeted-with-dangerous-malware-attacks-heres-what-we-know/ar-AA1IRwPD

Commentary

GitHub is a cloud-based development platform that allows individuals and organizations to store, share, and collaborate on code projects through repositories that track changes using Git version control.

It provides tools for version management, project organization, and team workflows, making it a central hub for developers to collaborate efficiently and securely across open-source and private environments.

Organizations within GitHub act as shared accounts that consolidate multiple repositories, teams, and permissions under one administrative structure, offering advanced features to manage access, enforce security policies, and monitor collaboration.

Because of its trusted standing among developers and enterprises, GitHub is frequently targeted by cybercriminals who exploit its legitimate infrastructure to distribute malware or host malicious files disguised as useful software.

Malvertising, or malicious advertising, has emerged as a growing vector for introducing such attacks. It involves the placement of deceptive advertisements across websites or search engines that appear legitimate but redirect users to infected domains or compromised repositories.

As seen in recent campaigns, attackers leverage GitHub's credibility by embedding malware in repositories that mimic legitimate software projects. Through malvertising links, unsuspecting users are lured to repositories where malicious installers or scripts reside.

Once the files are downloaded, attackers can deploy information stealers, trojans, or backdoors that harvest system data, credentials, and network configurations. This method's sophistication lies in its ability to blend into normal corporate traffic patterns while exploiting trusted cloud-host environments to bypass traditional security filters.

For organizations, this convergence of malvertising and GitHub exploitation creates significant loss prevention challenges. Employees engaging in routine development work or seeking open-source tools may inadvertently interact with harmful repositories presented through legitimate-seeming ads. This can lead to system compromise, data theft, or unauthorized remote access across internal networks.

Attackers can infiltrate a company's development pipeline, manipulate source code, or steal authentication tokens used for continuous integration workflows. From an insurance and risk management standpoint, such breaches can result in data loss, business interruption, regulatory consequences, and reputational damage.

Preventing these losses requires an integrated strategy that combines cybersecurity awareness, tooling safeguards, and procedural enforcement.

Organizations should educate employees - particularly developers and IT staff - on the risks associated with clicking sponsored links or installing unauthenticated open-source tools.

Security systems must include threat intelligence capable of detecting anomalous network behavior associated with malicious repositories and verifying the authenticity of downloaded software.
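One concrete form of the network-side detection recommended above is to inspect outbound requests for Base64 blobs that decode to a system fingerprint, which is how the reconnaissance stage in the campaign reported the collected host details. The following is an added example, not code from the article or from Microsoft; the log format, the field names in the beacon and the domains are all constructed for the demonstration.

```python
# Added example: flag proxy log lines whose Base64 payload decodes to a host-fingerprint beacon.
import base64
import re
from typing import Any, Dict, List, Optional
from urllib.parse import unquote

# Assumed field names; the article only says the beacon carried system configuration,
# memory size, graphics card details and OS version. Tune this list to your own telemetry.
FINGERPRINT_KEYS = ("os", "ram", "gpu", "cpu", "hostname", "user", "av")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long-ish Base64 runs only


def decode_base64(token: str) -> Optional[str]:
    """Return the decoded text if token is valid Base64 of printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def fingerprint_score(text: str) -> int:
    """Count fingerprint keys that appear as key=value or key: value fields."""
    lowered = text.lower()
    return sum(1 for k in FINGERPRINT_KEYS if re.search(rf"\b{k}\b\s*[=:]", lowered))


def scan_proxy_log(lines: List[str], threshold: int = 3) -> List[Dict[str, Any]]:
    """Return one finding per log line whose Base64 blob looks like a beacon."""
    findings = []
    for line in lines:
        for token in B64_TOKEN.findall(unquote(line)):   # undo %2B / %2F URL escaping first
            text = decode_base64(token)
            if text is None:
                continue
            score = fingerprint_score(text)
            if score >= threshold:
                findings.append({"line": line, "decoded": text, "score": score})
                break   # one finding per line is enough for triage
    return findings


# Constructed sample log (squid-like layout); the beacon content is invented for the demo.
_BEACON = base64.b64encode(b"os=Windows 10 22H2;ram=16GB;gpu=NVIDIA RTX 3060;cpu=8").decode()
SAMPLE_LOG = [
    f"1733000000.101 10.0.0.5 GET http://c2.example.invalid/api/check?d={_BEACON} 200",
    "1733000000.203 10.0.0.7 GET https://github.com/octocat/Hello-World/archive/main.zip 200",
    "1733000000.305 10.0.0.9 GET https://cdn.example.invalid/app.js?v=YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo= 200",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f["score"], f["decoded"])
```

The third sample line carries a harmless Base64 cache-buster and is deliberately not flagged, which is the false-positive case a threshold on recognised field names is meant to handle.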

Implementing strong identity and access management controls, code-signature verification, and continuous monitoring of repository activity can significantly reduce exposure.
