Fake GitHub Pages Impersonate 292 Real Brands to Push Password-Stealing Malware

A Russian-speaking crew built hundreds of lookalike project pages for security tools, wallets and dev software. One click on 'Download Secure Content' handed over browser passwords, crypto wallets and chat sessions.

ThreatVectr Newsdesk· 4 min read
Full-frame photoreal editorial shot of a laptop screen showing a generic code-hosting website layout with a prominent green download button, glowing faintly, re
Share

Key points

  • Arctic Wolf found 292 fake GitHub repositories built to impersonate real security, crypto and developer software, with the campaign starting on 26 June.
  • The malware steals data from 19 web browsers, 32 cryptocurrency wallets, Telegram, Discord, Steam and Meta's Max messenger.
  • The stealer, a variant of the BoryptGrab family, can bypass Google Chrome's App-Bound Encryption by injecting code straight into the browser.
  • Stolen data is packaged up and sent to a command server based in Russia.
  • GitHub has taken down most of the fake pages, but several dozen redirector pages remained live at the time of reporting.

A financially motivated crew, likely Russian-speaking, spent the summer flooding GitHub with fake project pages that looked like the real thing. Anyone searching Google for a well known security tool, a crypto wallet, a secure email app or a Mac utility risked landing on one.

GitHub, for readers who have not used it, is the world's biggest home for software source code. Companies and hobbyists alike publish their projects there, which is exactly why criminals like to squat on it. A page that ends in github.io looks legitimate at a glance.

The campaign was mapped by security firm Arctic Wolf after the company noticed one of its own products being impersonated. In total, researchers counted 292 fake repositories, each with a README file pointing to a download page. The story was first reported by BleepingComputer.

How did people end up downloading it?

The fake pages were built to look reassuring. Visitors saw a button labelled "Download Secure Content" and fake trust badges suggesting the file had been scanned and approved. Search engine results did the rest of the work, pulling in traffic from people hunting for free copies of paid software.

The pages were all generated from a single template. The URL itself told the page which brand to display, replacing hyphens with spaces and adjusting capital letters, so one bit of code could pose as dozens of different companies.

What the malware actually does

Click the download button and you got a ZIP archive. The filename and contents were rotated roughly every minute, a trick that makes it harder for antivirus software to spot a fixed pattern.

Inside the archive were two files. One was a legitimate, properly signed piece of software called WinGUP, an updater tool. The other was a booby-trapped file called libcurl.dll. When the user ran the signed program, it automatically loaded the poisoned file next to it, a technique known as DLL side-loading. That let the malicious code run under the cover of a trusted, signed application.

From there, an information stealer unpacked itself entirely in memory. It never wrote itself to disk as a normal file, which helps it slip past some security tools.

The shopping list is long. It grabs saved passwords, cookies and payment details from 19 browsers, drains 32 brands of cryptocurrency wallet, and lifts login sessions for Telegram, Discord, Steam and Meta's Max messenger. It scoops up whatever Windows itself has stored in Credential Manager. It hunts through the Desktop and Documents folders for files with names suggesting passwords, recovery phrases or wallet backups. It takes screenshots and a list of installed programs for good measure.

One detail stands out. This variant of BoryptGrab can defeat Chrome's App-Bound Encryption, the protection Google added to stop other programs reading a user's saved passwords. It does so by injecting code directly into the running Chrome process.

The stolen bundle is then compressed and shipped to a server in Russia.

Should ordinary users be worried?

Yes, if you are in the habit of searching for free versions of paid software. The malware does not stick around after it runs, so you may never notice you were hit. By then the passwords are gone.

Anyone who downloaded a security tool, wallet app or developer utility from an unfamiliar GitHub page in recent months should change important passwords from a clean device, move any cryptocurrency to a fresh wallet, and sign out of all sessions on Telegram, Discord and Steam.

Arctic Wolf could not pin the campaign on a named group. GitHub has pulled most of the fake repositories, though a handful of redirector pages were still live when the report went out.

© 2026 Threat Vectr