One Single GitHub User Was Responsible For Over A Hundred Backdoored Malware Repos

Utter And Complete Smegheads
Thanks to the curiosity of a Sophos customer about a specific remote access trojan they read about in the news, 100+ poisoned GitHub repos were not just taken down but tracked back to a single email address. Of the 141 repos associated with that email address, 133 were backdoored in some way or another. The repos themselves ran the gamut from supposed game cheats to cryptocurrency tools to tools for spreading malware, and almost all of them were intended to install the Sakura RAT malware, a descendant of AsyncRAT. It is a little amusing to think that at least some of the people downloading code to try to infect others were infected by the code they downloaded.
There may be more than one person behind the email address associated with the various GitHub repos, but they are now all down and no longer able to spread infections to the unwary. The people behind these repos put a lot of effort into making them look legitimate: GitHub Actions workflows were used to automate commits, often in the thousands, making the repos look well maintained. This likely led people looking for game cheats to consider them trustworthy, and they probably shared them with other cheaters.
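The workflow-padded commit history described above is something you can check for before trusting a repo. The following is an added example, not code from the article or from Sophos: it scores a `git log --format='%aI|%an|%s'` dump (a constructed sample is embedded) on how many commits are bot-authored, near-identical, and spaced on a timer.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample in `git log --format='%aI|%an|%s'` layout; not a real repo.
SAMPLE_LOG = """\
2025-06-01T03:00:10+00:00|github-actions[bot]|Update README
2025-06-01T02:00:11+00:00|github-actions[bot]|Update README
2025-06-01T01:00:09+00:00|github-actions[bot]|Update README
2025-06-01T00:00:12+00:00|github-actions[bot]|Update README
2025-05-31T23:00:08+00:00|github-actions[bot]|Update README
2025-05-31T22:00:10+00:00|github-actions[bot]|Update README
2025-05-20T14:22:03+00:00|Jane Doe|Add loader stub
2025-05-20T14:01:44+00:00|Jane Doe|Initial commit
"""

def parse_log(text):
    """Parse 'timestamp|author|subject' lines into (datetime, author, subject)."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, author, subject = line.split("|", 2)
        commits.append((datetime.fromisoformat(ts), author, subject))
    return commits

def padding_report(commits):
    """Return metrics that indicate commit-count padding by a workflow bot."""
    total = len(commits)
    bot = sum(1 for _, author, _ in commits if author.endswith("[bot]"))
    top_subject, top_count = Counter(s for _, _, s in commits).most_common(1)[0]
    # Timer-driven commits show near-constant gaps between consecutive commits.
    times = sorted(t for t, _, _ in commits)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= 0.1 * med) / len(gaps)
    return {
        "total": total,
        "bot_fraction": bot / total,
        "top_subject": top_subject,
        "top_subject_fraction": top_count / total,
        "regular_gap_fraction": regular,
    }

def looks_padded(report):
    """Flag when most commits are bot-authored, near-identical and on a timer."""
    return (report["bot_fraction"] >= 0.5
            and report["top_subject_fraction"] >= 0.5
            and report["regular_gap_fraction"] >= 0.5)

if __name__ == "__main__":
    rep = padding_report(parse_log(SAMPLE_LOG))
    print(rep, "padded:", looks_padded(rep))
```

The thresholds are assumptions chosen for illustration; a high commit count alone says nothing about whether anyone reviewed the code.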
It’s nice to have some good news on a Friday for a change.
Sophos thinks a single person or group called "ischhfd83" is behind more than a hundred backdoored malware variants targeting novice cybercriminals and video game cheaters looking to get their hands on malicious code.
More Tech News From Around The Web
- It’s here: Unboxing and setting up our Switch 2 review unit @ Ars Technica
- If it can’t double our money, we’re not building it, Intel Products chief says @ The Register
- Critical Fortinet flaws now exploited in Qilin ransomware attacks @ Bleeping Computer
- AT&T not sure if new customer data dump is déjà vu @ The Register
- Google’s nightmare: How a search spinoff could remake the web @ Ars Technica
- YouTube Pulls Tech Creator’s Self-Hosting Tutorial as ‘Harmful Content’ @ Slashdot
- Startup puts a logical qubit in a single piece of hardware @ Ars Technica
- Broadcom Tomahawk 6 102.4T 64-port 1.6TbE Switches at Computex 2025 @ ServeTheHome