{"id":3637,"date":"2025-06-20T12:09:42","date_gmt":"2025-06-20T12:09:42","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3637"},"modified":"2025-06-20T12:09:42","modified_gmt":"2025-06-20T12:09:42","slug":"github-hit-by-a-sophisticated-malware-campaign-as-banana-squad-mimics-popular-repos","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3637","title":{"rendered":"GitHub hit by a sophisticated malware campaign as \u2018Banana Squad\u2019 mimics popular repos"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A threat group dubbed \u201cBanana Squad,\u201d active since April 2023, has trojanized more than 60 GitHub repositories in an ongoing campaign, offering Python-based hacking kits with malicious payloads.<\/p>\n<p>Discovered by ReversingLabs, the malicious public repos each imitate a well-known hacking tool to look legitimate but inject hidden backdoor logic.<\/p>\n<p>\u201cAt first glance (they) appear to be hacking tools written in Python (but) were actually trojanized look-alikes of other identically named repositories,\u201d Principal Malware Researcher Robert Simmons said in a blog post. 
\u201cThe repositories were discovered by working backwards from the malicious URL indicators in ReversingLabs\u2019 network threat intelligence dataset.\u201d<\/p>\n<p>Simmons noted that the campaign represents a shift from blatant <a href=\"https:\/\/www.csoonline.com\/article\/4004261\/new-npm-threats-can-erase-production-systems-with-a-single-request.html?utm=hybrid_search\">npm<\/a>\/<a href=\"https:\/\/www.csoonline.com\/article\/4008240\/malicious-pypi-package-targets-chimera-users-to-steal-aws-tokens-ci-cd-secrets.html?utm=hybrid_search\">PyPI<\/a> knock-offs to more subtle exploitation of platforms like GitHub.<\/p>\n<h2 class=\"wp-block-heading\">Malware posing as hacking tools<\/h2>\n<p>Each of the 67 poisoned repositories found was impersonating a legitimate utility, such as a credential stealer, vulnerability scanner, or other infosec-themed tool. But these versions come with malicious code stealthily embedded in massive strings, whitespace gaps, or cryptic logic hidden far off-screen.<\/p>\n<p>\u201cThere are many spaces on the trojanized line of code, making it so that even on a large monitor at 4K with a maximized window, the malicious code is not in view,\u201d Simmons said, explaining the <a href=\"https:\/\/www.reversinglabs.com\/blog\/threat-actor-banana-squad-exploits-github-repos-in-new-campaign\">Banana Squad<\/a> campaign. \u201cHowever, viewing the file in <a href=\"https:\/\/docs.reversinglabs.com\/SpectraAnalyze\/\">Spectra Analyze\u2019s<\/a> Preview feature clearly shows what the content is.\u201d<\/p>\n<p>Attackers stuffed harmful Python into a single unreadably long line, hoping users would never scroll far enough to notice.<\/p>\n<p>Banana Squad previously pushed hundreds of Windows-based malware packages to the open-source code ecosystem, including version control systems and the PyPI and npm package managers, under multiple aliases. 
These packages, <a href=\"https:\/\/checkmarx.com\/blog\/the-evolutionary-tale-of-a-persistent-python-threat\/\">spotted<\/a> in April 2023, stole sensitive data, including system details and crypto wallets, and were downloaded nearly 75,000 times before takedown.<\/p>\n<h2 class=\"wp-block-heading\">The campaign had a tell<\/h2>\n<p>ReversingLabs observed a few telling signs about the repositories that can help catch the infection at its source. \u201cFor the majority of the malicious repositories, the owner only has that (the malicious one) one repository listed under its GitHub account,\u201d Simmons said. \u201cThis indicates that these kinds of user accounts are almost certainly fake and created for the express purpose of hosting a malicious repository.\u201d<\/p>\n<p>The repository names were found to be identical to one or more other non-trojanized repositories, indicating some form of typo-squatting at play. Additionally, the \u201cAbout\u201d section of these repositories was packed with search keywords related to the original repository\u2019s theme and often included an emoji, usually a flame or a rocket ship, hinting at the use of AI.<\/p>\n<p>ReversingLabs shared a list of campaign indicators, including domains, URLs, and filenames, along with all 67 flagged repositories for developers to watch out for.<\/p>\n<p>\u201cFor developers relying on these open-source platforms (GitHub), it\u2019s essential to always double-check that the repository you\u2019re using actually contains what you expect,\u201d Simmons cautioned. 
\u201cHowever, the best way to avoid running into this threat is to compare the desired repository to a previous, known good version of the software or source code.\u201d<\/p>\n<p>More GitHub security news:<\/p>\n<p><a href=\"https:\/\/www.infoworld.com\/article\/3844407\/github-to-unbundle-advanced-security.html\">GitHub to unbundle Advanced Security<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3969648\/github-secrets-deleted-files-still-pose-risks.html\">GitHub secrets: Deleted files still pose risks<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4008621\/github-actions-attack-renders-even-security-aware-orgs-vulnerable.html\">GitHub Actions attack renders even security-aware orgs vulnerable<\/a><\/p>\n<p><a href=\"https:\/\/www.infoworld.com\/article\/3953663\/github-upgrades-tooling-to-help-developers-stop-leaking-secrets.html\">GitHub upgrades tooling to help developers stop leaking secrets<\/a><\/p>\n<p><a href=\"https:\/\/www.infoworld.com\/article\/3849245\/github-suffers-a-cascading-supply-chain-attack-compromising-ci-cd-secrets.html\">GitHub suffers a cascading supply chain attack compromising CI\/CD secrets<\/a><\/p>\n<\/div>\n\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A threat group dubbed \u201cBanana Squad,\u201d active since April 2023, has trojanized more than 60 GitHub repositories in an ongoing campaign, offering Python-based hacking kits with malicious payloads. Discovered by ReversingLabs, the malicious public repos each imitate a well-known hacking tool to look legitimate but inject hidden backdoor logic. 
\u201cAt first glance (they) appear to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3636,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3637","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3637"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3637"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3637\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3636"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3637"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3637"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3637"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}