Listen to this Post
Introduction: When Trusted Code Repositories Become Digital Trapdoors
GitHub has become one of the most important foundations of modern software development. Millions of developers rely on it every day to share code, collaborate on projects, and accelerate innovation. But the same openness that makes GitHub powerful can also become a weapon in the hands of cybercriminals.
A recent investigation uncovered a sophisticated malware campaign that abused GitHub repositories, fake open-source projects, and automated development workflows to create an illusion of legitimacy. The operation, tracked as Muck and Load, revealed how attackers built a large network of malicious repositories designed to appear active, trustworthy, and maintained by real developers.
The campaign started from a single suspicious Go module pretending to be a DNS and subdomain scanning tool. Instead of providing security functionality, the project acted as a malware delivery mechanism. Further investigation uncovered 222 confirmed malicious GitHub repositories connected to 190 accounts, exposing a coordinated operation involving trojan loaders, information stealers, spyware, and cryptocurrency miners.
This campaign represents a growing cybersecurity problem: attackers are no longer only breaking into systems. They are manipulating the software supply chain itself, turning trusted developer ecosystems into distribution channels for malware.
The Fake Security Tool That Opened the Investigation
A Normal-Looking Go Module With a Hidden Purpose
Socket’s security researchers began their investigation after discovering a suspicious Go package named:
github[.]com/kaleidora/dnsub-scanning-tool
The project appeared to be a legitimate DNS and subdomain enumeration utility. Its documentation described features commonly found in cybersecurity reconnaissance tools, making it attractive to developers and security professionals.
However, the actual behavior of the software was completely different.
Instead of performing network discovery tasks, the module secretly executed a hidden PowerShell command before any scanning functionality started. The tool was not designed to help defenders. It was designed to compromise them.
The discovery exposed a much larger ecosystem of fake projects created to trick users into downloading and running malicious code.
Muck and Load: A Malware Operation Built Around Fake Activity
Manufacturing Trust Through Artificial Development
The attackers behind the campaign created hundreds of GitHub repositories with carefully designed appearances.
The repositories contained:
Professional-looking README files
Frequent version releases
Automated commits
Fake developer activity
Popular technology keywords
Attractive project names
The goal was simple: make malicious software look like a real open-source project.
A major discovery was the unusual number of published versions for the original Go module. The project had more than 1,200 releases, with over 700 identified as malicious, despite being created only a few months earlier.
This was not normal software development.
The attackers used GitHub Actions automation to repeatedly generate artificial commits, modify timestamps, and create the illusion of continuous maintenance.
The fake activity acted as social engineering. Developers often trust projects that appear active and recently updated. The attackers exploited that behavior.
The Hidden PowerShell Loader Inside the Go Package
The First Stage of the Malware Infection Chain
The malicious Go module contained a hidden execution process inside its main() function.
Before performing any legitimate-looking operation, it launched PowerShell and downloaded another script from attacker-controlled infrastructure:
muckcoding[.]com
The downloaded file was saved as:
api.db
Then the malware used:
certutil
to decode the content and transform it into:
L.ps1
Finally, the script executed silently with:
-ExecutionPolicy Bypass
and a hidden window.
This technique allowed the malware to avoid common PowerShell restrictions while minimizing visibility.
The combination of:
Hidden execution
External script retrieval
Script decoding
Policy bypass
clearly indicated malicious intent.
Deep Analysis: Understanding the Malware Execution Chain
PowerShell Investigation Commands
Security researchers can analyze suspicious PowerShell activity using commands like:
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational
This helps identify suspicious script executions and command activity.
Searching for Hidden PowerShell Abuse
A basic investigation command:
Get-Process powershell | Select-Object Id,Path,StartTime
can reveal unexpected PowerShell instances.
Suspicious command lines can be searched with:
Get-CimInstance Win32_Process |
Where-Object {$_.CommandLine -match "ExecutionPolicy Bypass"}
Detecting Suspicious GitHub Repository Activity
Security teams investigating repository abuse can analyze commit history:
git log --pretty=format:"%h %an %ae %ad" --date=iso
This helps identify unusual patterns such as:
Repeated automated commits
Changing usernames
Same email fingerprints
Checking Malware Hashes
Threat investigators should verify downloaded files:
sha256sum suspicious_file.exe
Example:
sha256sum Quixo.7z
Hash comparison helps determine whether files match known malware samples.
Detecting Persistence Mechanisms
Attackers commonly create scheduled tasks:
schtasks /query /fo LIST
Security analysts can search for unexpected persistence entries.
Multi-Layer PowerShell Malware Loader
Encryption, Dead Drops, and Hidden Payload Retrieval
The file L.ps1 was not a simple script.
It contained multiple layers of protection using:
Base64 encoding
XOR encryption
Encrypted payload locations
Public platform dead drops
The script avoided storing the final malware URL directly.
Instead, it searched public websites for encrypted information.
The dead-drop locations included:
Pastebin
Telegram
YouTube
Google Docs
GitCode
Other attacker-controlled services
The malware searched downloaded content for a marker:
LastW
After finding the marker, it extracted encrypted data and decrypted it using a hardcoded key.
This approach makes infrastructure takedowns more difficult because attackers can replace individual links without rebuilding the malware.
The Quixo Payload Delivery System
Disguising Malware as Legitimate Software
The decrypted location pointed to a GitHub release containing:
Quixo.7z
The archive was password protected and extracted using a hidden copy of 7-Zip placed at:
C:ProgramDatazipathh7zrr.exe
The malware then dropped files into:
C:ProgramDataWindows.Microsoft.Photos
The directory name was carefully chosen to imitate a legitimate Microsoft application.
Inside the folder was:
Microsoft.exe
However, the executable was not a Microsoft product.
The digital signature belonged to:
Exodus Movement, Inc.
This suggests attackers abused or repackaged a signed Electron-based component to create additional trust.
GitHub Actions Became the Attacker’s Fingerprint
The Hidden Identity Behind Hundreds of Accounts
The most important discovery was not a malware sample.
It was a pattern.
Across the 222 confirmed repositories, researchers found the same GitHub Actions workflow behavior:
Automated commits every minute
Force pushes
Timestamp file modifications
Artificial development history
Same attacker-linked email address
The visible GitHub usernames changed between repositories, but the underlying email remained consistent.
This became the strongest connection between seemingly unrelated accounts.
Attackers attempted to hide behind hundreds of identities, but their automation habits revealed them.
Social Engineering Through Popular Developer Interests
Why These Fake Projects Were Successful
The attackers did not randomly choose repository themes.
They targeted communities where users are more likely to download and execute unknown software.
Popular lures included:
Cryptocurrency tools
Wallet utilities
Telegram bots
Game automation software
Game cheats
Web3 applications
Security tools
Offensive hacking utilities
These categories attract users willing to test experimental software, making them ideal malware distribution channels.
Malware Payloads Found Across the Campaign
From Information Theft to Remote Control
The campaign distributed multiple types of malicious payloads:
Vidar information stealer
AsyncRAT
Quasar RAT
Remcos-style remote access tools
XMRig cryptocurrency miners
Spyware components
Trojan loaders
The malware capabilities included:
Browser credential theft
Screenshot collection
Remote command execution
Defender modification
UAC manipulation
Persistence creation
Cryptocurrency mining
Some repositories directly hosted malware binaries.
One PUBG-themed repository contained a loader associated with Vidar.
A Warzone-themed project distributed malware through GitHub release files.
A single malicious executable appeared identically across several repositories, showing automated reuse.
What Undercode Say:
The Software Supply Chain Is Becoming the New Battlefield
The Muck and Load campaign demonstrates a major evolution in cybercrime.
Attackers are no longer depending only on phishing emails or infected websites.
They are targeting the places developers already trust.
GitHub has become part of the modern software supply chain, which means attackers understand that reputation is as valuable as code.
The most dangerous part of this campaign was not the malware itself.
The malware was expected.
The real innovation was the psychological manipulation.
Attackers created fake histories, fake communities, fake contributors, and fake maintenance records.
They understood how developers evaluate software.
A repository with hundreds of commits feels safer than a new account with one file.
A project with detailed documentation feels professional.
Frequent releases create confidence.
The attackers weaponized those assumptions.
The use of GitHub Actions was especially interesting because automation became the attacker’s signature.
The same technology developers use to improve productivity became a tool for creating fake credibility.
This shows a larger cybersecurity trend.
Future attacks will increasingly focus on trust infrastructure rather than only technical vulnerabilities.
Organizations will need to evaluate not just whether code works, but whether the project itself is authentic.
Repository age alone cannot prove safety.
Commit history alone cannot prove legitimacy.
Stars, downloads, and forks can also be manipulated.
Security teams must analyze behavior patterns.
They need to examine:
Who created the project?
How were commits generated?
Are releases realistic?
Does the code match the description?
Are dependencies trustworthy?
The Muck and Load operation also highlights the danger of blindly executing developer tools.
A DNS scanner, wallet utility, or automation script can become an entry point into an entire organization.
Developers often have privileged access.
A compromised developer workstation can lead to:
Source code theft
Credential exposure
Cloud compromise
Internal network attacks
The campaign proves that open-source security is not only about vulnerabilities.
It is also about authenticity.
The future of cybersecurity will require stronger software identity systems, better repository verification, and more intelligent supply chain monitoring.
Attackers are building fake software companies at scale.
Defenders must build better ways to identify what is real.
Prediction
(+1) The cybersecurity industry will increase investment in software supply chain monitoring, AI-based repository analysis, and developer-focused security tools as GitHub abuse becomes more common.
(+1) Automated threat detection will become better at identifying fake development patterns, including synthetic commits, suspicious release behavior, and coordinated repository networks.
(-1) Open-source ecosystems will continue facing abuse because attackers can easily create convincing fake projects faster than humans can manually review them.
(-1) Developers who rely only on popularity metrics such as stars, forks, and recent updates will remain vulnerable to sophisticated social engineering campaigns.
✅ The investigation of the Muck and Load campaign identified hundreds of malicious GitHub repositories using fake development activity and malware delivery techniques.
✅ The malware chain involving PowerShell loaders, encoded scripts, and staged payload retrieval matches common modern malware distribution methods.
✅ The connection between repositories was based on repeated infrastructure patterns, automation behavior, and attacker-linked indicators rather than a single indicator alone.
▶️ Related Video (76% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




