A recent threat campaign targets software developers through seemingly legitimate GitHub repositories. Security researchers at ReversingLabs found more than 60 GitHub repositories hosting what appeared to be ordinary hacking tools written in Python.
Closer examination, however, revealed that the repositories concealed hundreds of malicious files designed to steal sensitive information from unsuspecting developers. The discovery is notable because it marks a shift in the strategies of the attackers behind it.
Traditionally, malicious packages have flooded open-source registries such as npm and PyPI; now attackers are also using subtler methods that exploit platforms developers inherently trust. One group, known as "Banana Squad" and first identified by Checkmarx researchers in October 2023, has been particularly active.
The group's name derives from an early malicious domain, bananasquad[.]ru. In its initial campaign, launched in April 2023, it published numerous harmful packages that accumulated nearly 75,000 downloads before security teams had them removed.
The group has since refined its tactics, creating GitHub repositories that closely resemble legitimate tools, with identical names and descriptions, while harboring hidden malware. Banana Squad relies on a simple trick to conceal the malicious code.
By inserting long runs of spaces before the malicious code, the attackers push it far to the right of the display, where it stays out of view unless the reader scrolls horizontally, something developers rarely do. The technique was first noted by SANS researchers in November; following that lead, ReversingLabs uncovered a larger operation involving 67 repositories that employed it.
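The whitespace trick is easy to catch mechanically once you stop trusting what the editor shows. The scanner below is an added example, not code from the article or from ReversingLabs or SANS, and it assumes the form of the trick that is valid Python: the hidden statement follows legitimate code on the same line, separated by a long run of spaces or tabs. The 64-character threshold and the list of suspicious tokens are assumptions to tune; the sample module is constructed for the demonstration and its base64 payload only prints a string.

```python
"""Find Python statements hidden behind long runs of interior whitespace."""
import re
import sys

# Minimum interior whitespace run treated as padding. Legitimate code rarely
# aligns anything with more than a few dozen spaces; 64 is an assumed
# threshold, not a value taken from the campaign.
MIN_PAD = 64

# Tokens that often appear in a hidden tail (assumed indicators only).
SUSPICIOUS = ("exec(", "eval(", "__import__", "base64", "compile(",
              "urlopen", "requests.", "subprocess")


def _pad_re(min_pad: int) -> "re.Pattern[str]":
    # A run of min_pad+ spaces/tabs sitting between two non-space characters,
    # so normal leading indentation at the start of a line never matches.
    return re.compile(r"(?<=\S)[ \t]{%d,}(?=\S)" % min_pad)


def find_padded_lines(source: str, min_pad: int = MIN_PAD):
    """Return one finding per line that carries code behind a whitespace pad.

    Each finding records the line number, the text a reviewer sees at the left
    edge, the pad length, the hidden tail, and whether the tail contains any
    SUSPICIOUS token. Long runs inside string literals (ASCII art, docstrings)
    will also be reported, so review each hit rather than acting on it blindly.
    """
    pad_re = _pad_re(min_pad)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = pad_re.search(line)
        if not m:
            continue
        hidden = line[m.end():]
        findings.append({
            "line": lineno,
            "visible": line[:m.start()],
            "pad": m.end() - m.start(),
            "hidden": hidden,
            "suspicious": any(tok in hidden for tok in SUSPICIOUS),
        })
    return findings


def scan_file(path: str, min_pad: int = MIN_PAD):
    """Scan one file on disk; decoding errors are replaced rather than raised."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_padded_lines(fh.read(), min_pad)


# Constructed sample module: three ordinary lines plus one line whose tail is
# pushed 400 columns to the right. The payload decodes to print('hidden').
SAMPLE_SOURCE = (
    "import os\n"
    "def greet(name):\n"
    "    return f'hello {name}'\n"
    "print(greet('dev'))"
    + " " * 400
    + ";import base64;exec(base64.b64decode('cHJpbnQoJ2hpZGRlbicp'))\n"
)

if __name__ == "__main__":
    # With no arguments, scan the embedded sample; otherwise scan each path.
    paths = sys.argv[1:]
    results = ([(p, scan_file(p)) for p in paths] if paths
               else [("<sample>", find_padded_lines(SAMPLE_SOURCE))])
    for path, findings in results:
        for f in findings:
            flag = "SUSPICIOUS" if f["suspicious"] else "padded"
            print(f"{path}:{f['line']}: {flag}, {f['pad']} chars of padding "
                  f"after {f['visible']!r}: {f['hidden'][:60]!r}")
```

Run it over a freshly cloned repository before executing anything from it (for example `find . -name '*.py' | xargs python3 scan_padding.py`, assuming the block is saved under that name). Because the regex anchors on non-space characters on both sides, ordinary indentation and short alignment never trigger it, and the hidden tail is printed truncated so the terminal shows what the editor did not.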
ReversingLabs used a systematic process to map the extent of the campaign. The team started from suspicious URLs in its threat intelligence, which frequently contained repository names.
By examining every repository with a matching name, the researchers identified malicious accounts, each existing on GitHub solely to host harmful code that mimics a legitimate project. To complicate analysis further, the attackers encoded their malicious Python files using several layers of obfuscation.
When executed, the malware connected to command-and-control servers such as dieserbenni[.]ru, and a new domain, 1312services[.]ru, was identified as part of the group's infrastructure. GitHub removed the identified repositories quickly, but it remains unclear how many developers interacted with the malicious code before the takedown.
The incident underscores a significant threat to developers who rely on GitHub and other open-source platforms. To guard against such attacks, developers should verify the integrity of the repositories they use, compare them against trusted upstream copies where possible, and inspect cloned code for content that does not show up in a casual on-screen read.
Given GitHub's prominence among developers worldwide, the potential impact of such attacks could be substantial, particularly if harmful code makes its way into mainstream development pipelines.