GitHub has been exploited to distribute the Lumma Stealer information-stealing malware, masquerading as fake fixes in project comments. The campaign was initially reported by a contributor to the teloxide Rust library, who noticed five different comments on their GitHub issues that pretended to be fixes but were actually pushing malware.
Upon further investigation, BleepingComputer found thousands of similar comments posted to various projects on GitHub, all offering fake fixes to other users’ questions. The purported fix instructs users to download a password-protected archive from mediafire.com or through a bit.ly URL and run the executable inside it. In the current campaign, the archive password has been set to “changeme” in all observed comments.
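To show what the lure looks like from the defender's side, here is an added example (not code from BleepingComputer, GitHub or any of the affected projects) of a small Python triage script that scores issue comments against the indicators the report lists: a mediafire.com or bit.ly link, a password-protected archive, the password “changeme”, and an instruction to run the executable. The sample comments are constructed for the example, and the indicator names, regexes and threshold are assumptions, not anything GitHub uses.

```python
import re

# Constructed sample comments (not real GitHub data), modelled on the lure described
# in the report: two are the fake-fix pattern, two are ordinary maintainer replies.
SAMPLE_COMMENTS = [
    {"id": 1, "body": "I had the same error. Fixed it, download the patched build here: "
                      "https://www.mediafire.com/file/abc123/fix.zip password: changeme "
                      "then run fix.exe"},
    {"id": 2, "body": "This is caused by a missing await; see the PR I opened for a proper fix."},
    {"id": 3, "body": "Solution: https://bit.ly/xyz (archive password changeme), "
                      "extract and run the exe."},
    {"id": 4, "body": "Try upgrading tokio to 1.38, that resolved it for me."},
]

# Indicators taken from the report. Only the two hosts named there are listed;
# extend the alternation with other file hosts / shorteners as needed (assumption).
FILE_HOST_RE = re.compile(r"https?://(?:www\.)?(?:mediafire\.com|bit\.ly)/\S+", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(?:zip|rar|7z)\b|\barchive\b", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\bpassword\b\s*[:=]?\s*['\"]?(\w+)", re.IGNORECASE)
RUN_EXE_RE = re.compile(r"\brun\b.*\b(?:the\s+)?(?:\w+\.)?exe\b", re.IGNORECASE)


def score_comment(body):
    """Return the list of lure indicators found in one comment body."""
    indicators = []
    if FILE_HOST_RE.search(body):
        indicators.append("file-host-or-shortener-link")
    if ARCHIVE_RE.search(body):
        indicators.append("archive-attachment")
    match = PASSWORD_RE.search(body)
    if match:
        indicators.append("password-protected")
        # The campaign-specific value reported: "changeme" on every observed comment.
        if match.group(1).lower() == "changeme":
            indicators.append("password-changeme")
    if RUN_EXE_RE.search(body):
        indicators.append("run-executable-instruction")
    return indicators


def triage(comments, threshold=2):
    """Return (comment id, indicators) for comments hitting at least `threshold`
    indicators. The threshold is an assumption; one hit alone (e.g. a bit.ly
    link) is common in legitimate comments, so a single indicator is not flagged."""
    flagged = []
    for comment in comments:
        hits = score_comment(comment["body"])
        if len(hits) >= threshold:
            flagged.append((comment["id"], hits))
    return flagged


if __name__ == "__main__":
    for comment_id, hits in triage(SAMPLE_COMMENTS):
        print(f"comment {comment_id}: {', '.join(hits)}")
```

The script is meant for triage of a repository's comment stream (for example, the output of the GitHub issues API fed in as dicts), not as a blocklist: a maintainer reviews the flagged comments and reports or deletes them. Requiring two or more indicators keeps ordinary comments that merely contain a shortened link from being flagged, while the fake-fix pattern above trips all five.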
The malware, Lumma Stealer, is an advanced info stealer that attempts to steal cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers. It can also steal cryptocurrency wallets, private keys, and text files with names like seed.txt, pass.txt, and so on.
The stolen data is collected into an archive and sent back to the attacker, where they can use the information in further attacks or sell it on cybercrime marketplaces. While GitHub Staff has been deleting these comments as they are detected, people have already fallen victim to the attack.
For those who ran the malware, it is essential to change the passwords on all accounts, using a unique password for each site, and to migrate cryptocurrency to a new wallet. This campaign bears resemblance to a similar campaign by the Stargazer Goblin threat actors, who created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub to push information-stealing malware.
In related news, a contributor reported that their account was banned after quote-replying to a bot’s comment with “Damn, malware authors getting advanced these days” to warn others about the bot. The contributor had used markdown, which copied the bot’s original message into their comment, resulting in GitHub mistakenly flagging it as a malware link and banning their account.
Source: https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-password-stealing-malware-masked-as-fixes/