Researchers uncover 200+ malicious GitHub repositories targeting gamers and developers
- Marijan Hassan - Tech Journalist
- Jun 25
- 2 min read
Cybersecurity researchers have uncovered a major malware campaign leveraging GitHub, with over 200 trojanized repositories targeting gamers, novice hackers, and developers. The campaign, codenamed Banana Squad by ReversingLabs, centers on Python-based tools laced with malicious payloads designed to steal sensitive data and compromise systems.

The campaign appears to be a continuation of earlier threats targeting the Python Package Index (PyPI), in which bogus packages downloaded over 75,000 times were found to be stealing credentials from Windows users.
Malware disguised as popular tools and cheats
The GitHub-hosted repositories mimicked legitimate projects offering tools such as:
- Steam account checkers
- Discord account cleaners
- Fortnite cheats
- TikTok username scrapers
- PayPal account tools
Once a victim downloaded and ran one of these projects, it silently installed malware, including backdoors, information stealers, and remote access trojans (RATs). In some cases the malicious code could inject itself into applications such as the Exodus cryptocurrency wallet and exfiltrate data to attacker-controlled servers.
GitHub has since removed the identified repositories, but researchers warn that similar malicious projects continue to appear.
A growing supply chain threat
“This is a textbook software supply chain attack,” said Robert Simmons, a researcher at ReversingLabs. “The open-source ecosystem is being weaponized by attackers who know that developers and gamers are looking for free tools.”
The campaign echoes several others discovered recently:
- Water Curse, a multi-stage GitHub-based malware operation found by Trend Micro
- Stargazers Ghost Network, a criminal service uncovered by Check Point that distributes malware through fake GitHub stars and trending projects
- A trojanized Sakura-RAT repo described by Sophos, which compromised users who compiled the code
Many of these operations rely on GitHub search-optimization tactics: starring, forking, and regularly updating the malicious repositories so that they look legitimate, active, and popular, and rank well in search results and trending lists.
Backdoors delivered via code and development tools
The malicious repositories deliver their payloads through several techniques:
- Visual Studio PreBuild events, which run an arbitrary command before the project is compiled
- Embedded Python and JavaScript code
- Malicious screensaver (.SCR) files, which are ordinary Windows executables with a different extension
- Telegram command-and-control channels
Sophos alone identified at least 133 infected repositories, part of a suspected Distribution-as-a-Service (DaaS) operation dating back to August 2022.
Are the campaigns connected?
While it's unclear whether Banana Squad is directly tied to Water Curse or Stargazers Ghost, experts point to overlapping tactics, similar repository names, and shared artifacts, such as a recurring email address in commit metadata: ischhfd83@rambler.ru.
"Whether these campaigns are closely related or simply part of a threat cluster working from the same codebase and playbook merits further investigation," said Chet Wisniewski, Field CISO at Sophos.
What you should do
Security experts are urging GitHub users to:
- Verify repository authors and commit histories, including the email addresses attached to commits
- Avoid downloading, building, or running scripts and projects from unknown or suspicious sources
- Use endpoint protection that flags suspicious behavior when code is built or run, not only known file signatures
- Inspect projects before building or running them for unusual dependencies, post-install scripts, and build triggers such as Visual Studio PreBuild events
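As an added illustration of the last two checks and of the delivery mechanisms listed earlier, the following Python script (example code written for this article, not from ReversingLabs, Sophos, Trend Micro, Check Point or GitHub) walks a cloned repository and flags MSBuild pre/post-build commands in .csproj and .vcxproj files, setuptools install-hook overrides in setup.py, npm lifecycle scripts in package.json, .scr files, and hard-coded Telegram Bot API URLs. The sample repository it writes to a temporary directory is constructed for the demo, and the regular expressions are my own heuristics, not indicators taken from any of the cited reports.

```python
"""Heuristic scan of a cloned repository for build-time and install-time
payload triggers of the kind described in the Banana Squad reporting.
Example code for this article; patterns are illustrative, not vendor IOCs."""
import json
import os
import re
import tempfile

# One pattern per delivery mechanism named in the article (heuristics, assumed).
MSBUILD_RE = re.compile(r"<(PreBuildEvent|PostBuildEvent)>|<Exec\s+Command=", re.I)
PY_HOOK_RE = re.compile(r"cmdclass\s*=|class\s+\w+\((install|develop)\)")
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot", re.I)
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_repo(root):
    """Return a sorted list of (relative_path, finding) tuples for `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower.endswith(".scr"):
                findings.append((rel, "screensaver executable (.scr) in repo"))
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if lower.endswith((".csproj", ".vcxproj")) and MSBUILD_RE.search(text):
                findings.append((rel, "MSBuild pre/post-build command"))
            if lower == "setup.py" and PY_HOOK_RE.search(text):
                findings.append((rel, "custom setuptools install hook"))
            if lower == "package.json":
                try:
                    data = json.loads(text)
                except ValueError:
                    data = {}
                scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
                for hook in NPM_HOOKS:
                    if hook in scripts:
                        findings.append((rel, f"npm lifecycle script '{hook}'"))
            if TELEGRAM_RE.search(text):
                findings.append((rel, "Telegram Bot API URL (possible C2 channel)"))
    return sorted(findings)


def build_sample_repo():
    """Write a constructed, deliberately suspicious repo to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="banana-demo-")
    os.makedirs(os.path.join(root, "bin"))
    files = {
        "README.md": "# Account Checker\nA clean-looking README with no triggers.\n",
        # Constructed: a PreBuild command that runs a script before compilation.
        "Checker.csproj": (
            '<Project Sdk="Microsoft.NET.Sdk">\n'
            '  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">\n'
            '    <Exec Command="powershell -WindowStyle Hidden -File stage.ps1" />\n'
            "  </Target>\n</Project>\n"
        ),
        # Constructed: setup.py overriding the install command.
        "setup.py": (
            "from setuptools import setup\n"
            "from setuptools.command.install import install\n\n"
            "class PostInstall(install):\n"
            "    def run(self):\n"
            "        install.run(self)  # a payload would be launched here\n\n"
            'setup(name="checker", cmdclass={"install": PostInstall})\n'
        ),
        # Constructed: npm postinstall hook.
        "package.json": json.dumps({"name": "checker", "scripts": {"postinstall": "node x.js"}}),
        # Constructed: exfiltration to a Telegram bot (placeholder token).
        "main.py": 'URL = "https://api.telegram.org/bot" + "TOKEN" + "/sendDocument"\n',
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    with open(os.path.join(root, "bin", "update.scr"), "wb") as fh:
        fh.write(b"MZ")  # stub PE header; constructed, not a real executable
    return root


if __name__ == "__main__":
    for rel, finding in scan_repo(build_sample_repo()):
        print(f"{rel}: {finding}")
```

Run it against a freshly cloned repo with `scan_repo("/path/to/clone")` before building or executing anything in it; a hit is a reason to read the flagged file, not proof of malice, since legitimate projects also use build events and install hooks.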