GitHub Malware Campaign Exposed: 109 Fake Repositories Used to Deliver Malicious Code
A recent investigation by cybersecurity researchers has revealed a sophisticated malware distribution campaign on GitHub, with 109 fake repositories used to spread SmartLoader and StealC malware.
The threat actor behind this campaign cloned legitimate open-source projects, creating convincing replicas that were almost indistinguishable from the originals. On closer inspection, however, the ZIP files bundled in these fake repositories turned out to be malicious, revealing the attackers' true intent.
The SmartLoader malware uses a unique technique to locate its active command-and-control server by querying a Polygon blockchain smart contract using a JSON-RPC call. This allows the operator to swap infrastructure by updating a single on-chain entry, making it easier to evade detection.
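One defensive angle on the technique described above: because the C2 address comes back as the return value of a JSON-RPC `eth_call`, an analyst inspecting proxy or EDR captures can decode the ABI-encoded `result` field and flag responses that decode to a URL. The script below is an added illustration, not code from the report or from the malware; the contract address, calldata and URL in the sample traffic are constructed placeholders, not real indicators.

```python
"""Flag eth_call responses whose ABI-encoded return data decodes to a URL.

Added example for triage of captured JSON-RPC traffic. All sample
values below are constructed; they are not indicators from the report.
"""
import json
import re

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_]+(?::\d+)?(?:/[^\s\x00]*)?")


def abi_encode_string(s: str) -> str:
    """Encode a single Solidity `string` return value (offset, length, padded data)."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex()
    return "0x" + head + padded.hex()


def decode_abi_string(result_hex: str) -> bytes:
    """Decode a single ABI-encoded `string`; fall back to the raw bytes if the layout does not fit."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        return raw  # too short to be (offset, length, data); scan raw bytes instead
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        return raw
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length]


def suspicious_eth_calls(pairs):
    """Return (contract, url) for each eth_call whose result decodes to a URL-shaped string."""
    hits = []
    for req_json, resp_json in pairs:
        try:
            request, response = json.loads(req_json), json.loads(resp_json)
        except json.JSONDecodeError:
            continue
        if request.get("method") != "eth_call":
            continue
        result = response.get("result", "")
        if not isinstance(result, str) or not result.startswith("0x"):
            continue
        match = URL_RE.search(decode_abi_string(result))
        if match:
            params = request.get("params") or [{}]
            contract = params[0].get("to", "?") if isinstance(params[0], dict) else "?"
            hits.append((contract, match.group(0).decode("ascii", "replace")))
    return hits


# Constructed sample traffic: placeholder contract addresses and a reserved-TLD URL.
SAMPLE_TRAFFIC = [
    (json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                 "params": [{"to": "0x" + "00" * 20, "data": "0x" + "00" * 4}, "latest"]}),
     json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string("http://c2.example.invalid/gate")})),
    (json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
     json.dumps({"jsonrpc": "2.0", "id": 2, "result": "0x1b4"})),
    (json.dumps({"jsonrpc": "2.0", "id": 3, "method": "eth_call",
                 "params": [{"to": "0x" + "11" * 20, "data": "0x" + "00" * 4}, "latest"]}),
     json.dumps({"jsonrpc": "2.0", "id": 3, "result": "0x" + "00" * 31 + "2a"})),  # plain uint256
]
```

Legitimate wallets and dapps also issue `eth_call`, so a hit is a triage lead (which process made the call, and to which contract), not a verdict on its own.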