GitHub is being abused to spread Lumma Stealer malware through fake fixes in comments. Learn how to protect yourself from this sophisticated attack.

Continue reading
GitHub, a widely used platform for hosting and collaborating on software projects, is being exploited to distribute the Lumma Stealer, a sophisticated information-stealing malware, under the guise of fake fixes in project comments. This malicious campaign targets developers and contributors by luring them into downloading and executing harmful files disguised as legitimate solutions to technical issues.
Campaign Discovery: The malicious activity was first reported by a contributor to the Teloxide Rust library, who shared their experience on Reddit after receiving multiple comments on their GitHub issues. These comments purported to offer fixes but instead contained links to malware. Subsequent investigations revealed that this was not an isolated incident; thousands of similar comments were found across numerous GitHub repositories, all aiming to trick users into downloading malware.
Modus Operandi: The attackers craft comments that appear to be genuine responses to issues raised on GitHub. These comments typically direct users to download a password-protected archive from a file-sharing service like MediaFire or a shortened URL via Bit.ly. The archive, deceptively named something innocuous like "fix.zip," contains a few DLL files and an executable named `x86_64-w64-ranlib.exe`.
Upon running this executable, the Lumma Stealer malware is deployed on the victim's system. Lumma Stealer is an advanced information stealer that targets a wide range of sensitive data, including:
The stolen data is then compiled into an archive and exfiltrated to the attacker's server. This data can be exploited in further attacks or sold on underground cybercrime marketplaces.
Scope of the Attack: Reverse engineer Nicholas Sherlock informed BleepingComputer that over 29,000 comments distributing this malware were posted within a span of just three days. This widespread campaign indicates a high level of automation and suggests that the attackers are likely using scripts or bots to distribute the comments at scale.
GitHub’s Response: GitHub's security team has been actively removing these malicious comments as they are identified. However, the scale of the attack and the persistence of the threat actors present significant challenges. Despite these efforts, some users have already fallen victim to the scam, unknowingly compromising their systems.
Mitigation and Recommendations: For those who have inadvertently executed the malware, immediate action is crucial:
Broader Implications: The Lumma Stealer campaign is part of a broader trend of increasing cyber threats targeting software developers and platforms like GitHub. The attackers exploit the trust inherent in open-source communities, where users often share code and solutions freely, to disseminate malware.
Last month, Check Point Research disclosed a similar campaign orchestrated by the Stargazer Goblin threat group. This group used a malware Distribution-as-a-Service (DaaS) model to distribute information-stealing malware via over 3,000 fake GitHub accounts. While it remains unclear if the current Lumma Stealer campaign is connected to the Stargazer Goblin group, the tactics bear striking similarities, suggesting that GitHub may be an ongoing target for various threat actors.

Suspected China and India nexus actors both compromised Balochistan Police systems, planting malware in a public complaint portal used by citizens.