A secretive network of around 3,000 “ghost” accounts on GitHub has quietly been manipulating pages on the code-hosting website to promote malware and phishing links, according to new research seen by WIRED.
Since at least June last year, according to researchers at cybersecurity company Check Point, a cybercriminal they dubbed “Stargazer Goblin” has been hosting malicious code repositories on the Microsoft-owned platform. GitHub is the world’s largest open-source code website, hosting millions of developers’ work. As well as uploading malicious repositories, Stargazer Goblin has been boosting the pages by using GitHub’s own community tools.
Antonis Terefos, a malware reverse engineer at Check Point who discovered the nefarious behavior, says the persona behind the network uses their false accounts to “star,” “fork,” and “watch” the malicious pages. These actions—which are loosely similar to liking, sharing, and subscribing, respectively—help make the pages appear popular and genuine. The more stars, the more realistic a page looks. “The malicious repositories appeared really legitimate,” Terefos says.
“The way he has developed it is really smart, taking advantage of how GitHub operates,” Terefos says of the person behind the persona. While cybercriminals have been abusing GitHub for years, uploading malicious code and adapting legitimate repositories, Terefos says he has not previously seen a network of fake accounts operating in this way on the platform. The buying and selling of repositories and starring is coordinated on a cybercrime-linked Telegram channel and criminal marketplaces. WIRED previously reported on other GitHub black markets.
The Stargazers Ghost Network, which Check Point named after one of the first accounts they spotted, has been spreading malicious GitHub repositories that offer downloads of social media, gaming, and cryptocurrency tools. For instance, pages might be claiming to provide code to run a VPN or license a version of Adobe’s Photoshop. These are mostly targeting Windows users, the research says, and aim to capitalize on people potentially searching for free software online.
The operator behind the network charges other hackers to use their services, which Check Point call “distribution as a service.” The harmful network has been spotted sharing various types of ransomware and info-stealer malware, Check Point says, including the Atlantida Stealer, Rhadamanthys, and the Lumma Stealer. Terefos says he discovered the network while researching instances of the Atlantida Stealer. The researcher says the network could be bigger than he expects, as he has also seen legitimate GitHub accounts being taken over using stolen login details.
“We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” says Alexis Wales, vice president of security operations at GitHub. “We have teams dedicated to detecting, analyzing, and removing content and accounts that violate these policies.”
GitHub has more than 100 million users who have contributed over 420 million repositories on the platform. Given the breadth of the platform, it’s unsurprising that cybercriminals and hackers are attempting to abuse it. In recent years, researchers have been mapping instances of fake stars, spotting dangerous code hidden in projects, facing growing supply-chain attacks against open source software, and seeing comments being used to spread malware.