GitHub, a widely used platform for software development collaboration, is currently being misused to spread a type of malware designed to steal sensitive information. Known as ‘Lumma Stealer,’ the malware is being distributed through fake “fixes” posted in the comments of various GitHub projects.
The malicious campaign was initially flagged by a contributor to the Teloxide Rust library, who shared their experience on Reddit. They reported encountering multiple comments on their GitHub issues that masqueraded as helpful fixes but were, in reality, attempts to deploy malware.
Beware, GitHub users
A deeper investigation by BleepingComputer has uncovered thousands of similar comments scattered across numerous GitHub repositories. These comments, pretending to offer solutions to technical problems, encourage users to download files from the links provided. Typically, these links lead to a password-protected archive hosted on MediaFire or redirected through a shortened Bit.ly URL.
Once users download and extract the archive using the password “changeme”, which has been consistently used in this campaign, they are tricked into running a malicious executable file hidden within.
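The lure described above has a recurring shape: a comment posing as a fix, a MediaFire or Bit.ly link, a password-protected archive, and the fixed password "changeme". Maintainers triaging issue comments can score them against exactly those indicators. The following is an added example, not code from the article or from any project it mentions; the comment texts, the placeholder URLs (EXAMPLE) and the scoring weights are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the campaign as the article describes it:
# links to MediaFire or Bit.ly, a password-protected archive, and the
# recurring archive password "changeme". Weights are an assumption.
LINK_HOSTS = re.compile(
    r"https?://(?:www\.)?(mediafire\.com|bit\.ly)/\S+", re.IGNORECASE
)
# "password"/"pass"/"pw" followed within 20 characters by "changeme",
# so 'Password: "changeme"' and 'pass changeme' both match.
PASSWORD_RE = re.compile(
    r"\b(?:password|pass|pw)\b[^\n]{0,20}?\bchangeme\b", re.IGNORECASE
)
ARCHIVE_RE = re.compile(r"\b(?:archive|zip|rar|7z)\b", re.IGNORECASE)
FIX_LURE_RE = re.compile(r"\b(?:fix|fixed|solution|patch)\b", re.IGNORECASE)

SUSPICIOUS_THRESHOLD = 4  # assumption: link plus password, or link plus two weaker signals


@dataclass
class Finding:
    indicators: list = field(default_factory=list)
    score: int = 0


def triage_comment(text: str) -> Finding:
    """Score one comment body against the campaign's indicators."""
    finding = Finding()
    hosts = {m.group(1).lower() for m in LINK_HOSTS.finditer(text)}
    for host in sorted(hosts):
        finding.indicators.append(f"link:{host}")
        finding.score += 2
    if PASSWORD_RE.search(text):
        finding.indicators.append("password:changeme")
        finding.score += 3
    if ARCHIVE_RE.search(text):
        finding.indicators.append("archive")
        finding.score += 1
    if FIX_LURE_RE.search(text):
        finding.indicators.append("fix-lure")
        finding.score += 1
    return finding


def is_suspicious(text: str) -> bool:
    return triage_comment(text).score >= SUSPICIOUS_THRESHOLD


def flag_comments(comments):
    """Return (index, Finding) for every comment at or above the threshold."""
    flagged = []
    for i, text in enumerate(comments):
        finding = triage_comment(text)
        if finding.score >= SUSPICIOUS_THRESHOLD:
            flagged.append((i, finding))
    return flagged


# Constructed sample comments: two modelled on the lure, two ordinary ones.
SAMPLE_COMMENTS = [
    'Same issue here. I fixed it with this patch: '
    'https://www.mediafire.com/file/EXAMPLE/fix.zip Password: "changeme"',
    'Can confirm, this fix works: https://bit.ly/EXAMPLE (archive pass changeme)',
    'I hit this too. The workaround in #42 fixed it for me, thanks!',
    'Reproduced on main; stack trace attached. See https://github.com/example/repo/issues/1',
]

if __name__ == "__main__":
    for idx, finding in flag_comments(SAMPLE_COMMENTS):
        print(f"comment {idx}: score={finding.score} {finding.indicators}")
```

The weights deliberately make the "changeme" password the strongest single signal, since the article reports it as consistent across the campaign, while a bare link to a file host or a bare "fix" claim on its own stays below the threshold; the first sample scores 7, the third only 1.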
Nicholas Sherlock, a reverse engineer, informed BleepingComputer that more than 29,000 such comments promoting the malware have been identified over just three days. Lumma Stealer, the malware in question, is particularly advanced in its design.
Upon execution, it attempts to extract a range of personal and sensitive data from the user’s system. This includes login credentials, passwords, credit card details, cookies, and browsing histories from popular web browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.
Additionally, Lumma Stealer targets cryptocurrency assets by searching for wallet files and private keys. It looks for specific filenames like seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, as well as any files with .txt and .pdf extensions, which are often used to store sensitive information.
After gathering this data, the malware compresses it into an archive file and transmits it back to the attacker. The stolen information can then be exploited in further cyber-attacks or sold on dark web forums and cybercrime marketplaces, increasing the risk for the victims.
Despite GitHub’s efforts to remove these malicious comments as they are identified, reports indicate that some users have already fallen victim to this scheme. Those affected by this malware are strongly advised to immediately change their passwords across all online accounts, ensuring each password is unique. Additionally, users with cryptocurrency holdings should transfer their funds to new, secure wallets to prevent further theft.
Software development platform seen as increasingly useful attack vector
This recent wave of attacks follows a similar trend observed last month. Check Point Research reported a campaign led by the Stargazer Goblin group, which used over 3,000 fake GitHub accounts to create a Malware Distribution-as-a-Service (DaaS) network. This network was used to deploy information-stealing malware on a large scale.
At present, it is not clear whether the current activity involving Lumma Stealer is connected to the Stargazer Goblin campaign or if it is a new campaign orchestrated by another group of cybercriminals. GitHub users and developers are advised to exercise caution when interacting with comments on their projects and to verify the authenticity of any suggested fixes or updates.
Last month, a malware attack targeted the IT network of Switzerland-based Schlatter Industries. The company described the attack as a sophisticated and professional cyber assault conducted by criminals aiming to extort the organisation.
Written by Swagath Bandhakavi