Over 200 Fake GitHub Repositories Caught Secretly Installing Windows Malware
A criminal operation called Muck and Load built a web of 222 phoney code repositories to trick software developers into downloading password-stealing programs, spyware, and cryptominers.

Key points
- Criminals created 222 fake repositories, which are public folders where developers share code, across 190 GitHub accounts to spread Windows malware.
- Security firm Socket uncovered the campaign, dubbed Operation Muck and Load, and found at least 14 confirmed malicious files hidden inside.
- Since 24 January 2026, the attackers published more than 1,200 versions of a poisoned software package, 700 of which carried malware.
- Final payloads included AsyncRAT and Quasar RAT (remote-access tools that hand criminals full control of a victim's computer), the Vidar infostealer (software designed to silently copy passwords and banking details), and XMRig (a program that hijacks your computer's processing power to secretly mine cryptocurrency for the attacker).
- The operation used YouTube, Instagram, Google Docs, and Telegram as hidden staging posts to deliver its final malicious files.
A criminal group built a network of more than 200 fake code repositories on GitHub, the world's largest platform for sharing software, and used them to quietly install malware on Windows computers. Security company Socket published the findings and named the campaign Operation Muck and Load.
How did the attack actually work?
Developers were tricked into downloading what looked like a useful DNS scanning tool, a program that helps map websites and their subdomains. The tool was built to mimic a real, legitimate open-source project called dnsub. Hidden inside was a poisoned Go module, a type of reusable code package, that quietly ran a PowerShell command, a built-in Windows scripting tool, before any legitimate scanning work began. The malicious command was buried under a wall of blank space to make it nearly invisible during a casual code review.
That command pulled down further instructions from so-called dead drops, which are public websites used like secret message boards to pass along criminal instructions without running obvious malware servers. Those dead drops included Pastebin, YouTube video descriptions, Instagram posts, Google Docs, and Telegram channels. Spreading the instructions across so many platforms made the operation hard to shut down: blocking one source still left many others standing.
The final payload arrived as a password-protected archive. The malware decrypted its own download address, fetched the file, unpacked it, and ran it, all without any visible sign to the user.
Socket counted at least 14 unique malware files confirmed across the campaign. The haul included AsyncRAT and Quasar RAT, which give an attacker live remote control of a victim's machine; the Vidar infostealer, which copies saved passwords, browser cookies, and card details; and XMRig-based cryptominers that drain a computer's performance to generate cryptocurrency for the criminals.
Since 24 January 2026, the attackers published over 1,200 versions of the fake package to create an illusion of active, legitimate development. Socket noted the version flood was almost certainly produced by an automated workflow rather than any real engineering work.
If you are a developer who recently added an unfamiliar DNS or subdomain scanning package to a Go project, check your dependency list against Socket's published indicators. Remove anything you did not consciously vet, and scan affected machines for credential theft as a precaution.



