Threat Research

    Researchers are tracking ongoing Contagious Interview campaign activity by NICKEL ALLEY, a North Korea–linked threat group. The group targets tech professionals using fake job postings and deceptive interview processes. Victims are tricked into downloading malware during these staged recruitment steps....
    Threat actors distributed fake OpenClaw installers through malicious GitHub repositories to infect users with information stealers and the GhostSocks proxy malware. The campaign used a custom Stealth Packer to evade detection and targeted users searching for OpenClaw installers on Windows and macOS....
    We uncovered an attack chain that uses SEO poisoning to lure users searching for legitimate software. Threat actors abuse GitHub by hosting malicious ZIP files in fake repositories. These archives impersonate real applications and include a harmful batch (.bat) file....
    North Korea-linked Lazarus Group has launched a new wave of Operation DreamJob, targeting European defense companies involved in unmanned aerial vehicle (UAV) development. The campaign uses trojanized open-source GitHub projects and the ScoringMathTea malware to steal proprietary data and manufacturing know-how....
    Astaroth is a stealthy banking trojan that has evolved to become more resilient by abusing GitHub. Instead of relying solely on traditional command-and-control (C2) servers, it uses GitHub repositories to host malware configurations, allowing it to stay active even when C2 infrastructure is taken down....
    Since early August 2025, a sophisticated malvertising campaign has been observed where attackers abuse GitHub’s repository forking system to deliver a fake GitHub Desktop client. The attackers create dangling commits by forking legitimate repositories, injecting malicious commits, and then deleting the fake user accounts....
    On 19 August 2025, a sophisticated malware delivery campaign was uncovered involving the abuse of GitHub repositories and Google Ads. Threat actors used paid ad placements to redirect users to a lookalike domain hosting a malicious download. By embedding commit-specific GitHub links, the download appeared legitimate, bypassing user suspicion....
    A recent malware campaign hosted on GitHub abuses popular lures like “Free VPN for PC” and “Minecraft Skin Changer” to trick users into executing a malicious dropper named Launch.exe. The campaign uses techniques such as process injection, DLL side-loading, and stealthy execution to deploy Lumma Stealer, an information-stealing malware....
    Water Curse, a newly identified threat actor, is exploiting weaponized GitHub repositories to deliver multistage malware disguised as legitimate open-source tools....
    AI-assisted fake GitHub repositories are being used to distribute SmartLoader, which delivers Lumma Stealer and other malware. These repositories disguise malicious software as gaming cheats and cracked tools, evading detection through AI-generated content....