Banana Squad’s Stealthy GitHub Malware Campaign Targets Devs

June 19, 2025

A new campaign exploiting GitHub to distribute malicious Python code disguised as legitimate hacking tools has been uncovered by cybersecurity researchers.

The operation, tied to the group known as Banana Squad, used 67 repositories hosting trojanized files that mimicked benign open-source projects.

Discovered by ReversingLabs, the campaign reflects a shift in open-source software supply chain attacks. While overall volumes of malicious uploads to repositories like PyPI and npm have dropped, attackers are now leveraging more covert tactics to target platforms like GitHub.

In this instance, the threat actors abused how GitHub renders source files to conceal the backdoor: lines were padded with very long runs of space characters so that the malicious code sat far to the right, off-screen in the normal file view, and only became visible on horizontal scrolling or in a raw download.

Banana Squad, originally identified by Checkmarx in late 2023, had already made headlines with a series of Windows-targeting malware packages uploaded to Python repositories earlier that year. Those packages were downloaded nearly 75,000 times before takedown.

This newer campaign used repositories that appeared identical to legitimate ones by name.

Each GitHub account typically hosted just one repository, a sign they were likely fake and created solely to deliver malicious content. These accounts often included “About” sections with theme-related keywords, emojis and unique, dynamically generated strings.

Researchers traced the origin of these repositories through malicious URL indicators, notably domains such as dieserbenni[.]ru and, more recently, 1312services[.]ru.

Hidden code within the Python files used encoding methods, including Base64, Hex and Fernet encryption, to obscure their payload delivery functions.
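The two concealment tricks described above, a long run of spaces that pushes code off-screen and an encoded payload handed to a decoder and `exec`, are both detectable with a plain textual scan before a file is ever run. The following scanner is an added example for this article, not ReversingLabs' tooling or any code from the campaign; the sample file, the 100-space threshold and the helper names are constructed for illustration.

```python
import base64
import re

# Constructed sample: looks like a harmless helper in GitHub's rendered view,
# but line 4 hides an exec() of a Base64 literal behind 300 spaces.
SAMPLE_SOURCE = (
    "import requests\n"
    "def fetch(url):\n"
    "    return requests.get(url).text\n"
    "print('tool ready')" + " " * 300
    + ";exec(__import__('base64').b64decode('cHJpbnQoJ2hpJyk='))\n"
)

MIN_SPACE_RUN = 100  # far longer than any real indentation; tune per codebase

# Non-space, then MIN_SPACE_RUN+ spaces, then more code on the same line.
_SPACE_RUN = re.compile(r"(\S)( {%d,})(\S.*)$" % MIN_SPACE_RUN)
_DECODER_CALL = re.compile(r"\b(b64decode|fromhex|Fernet)\b")
_EXEC_CALL = re.compile(r"\b(exec|eval)\s*\(")
_B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{8,}={0,2})['\"]")


def find_hidden_code(source):
    """Return (line_no, visible_prefix, hidden_suffix, reasons) per suspicious line."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = _SPACE_RUN.search(line)
        if not m:
            continue
        visible, hidden = line[: m.start(2)], m.group(3)
        reasons = ["long whitespace run hides trailing code"]
        if _DECODER_CALL.search(hidden):
            reasons.append("decoder call in hidden segment")
        if _EXEC_CALL.search(hidden):
            reasons.append("exec/eval in hidden segment")
        findings.append((no, visible, hidden, reasons))
    return findings


def decode_b64_literals(segment):
    """Best-effort decode of quoted Base64 literals, so an analyst sees what would run."""
    decoded = []
    for lit in _B64_LITERAL.findall(segment):
        try:
            decoded.append(base64.b64decode(lit, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 / not text: leave it for manual review
    return decoded


if __name__ == "__main__":
    for no, visible, hidden, reasons in find_hidden_code(SAMPLE_SOURCE):
        print(f"line {no}: {visible!r} hides {hidden!r}; {', '.join(reasons)}")
        print("  decoded literals:", decode_b64_literals(hidden))
```

Run it over a cloned repository's `.py` files as a pre-review gate; a clean file produces no findings, and anything reported should be compared against the known-good upstream copy the article recommends verifying.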

To mitigate risks from similar threats, ReversingLabs recommends that developers:

  • Verify repositories match known good versions

  • Avoid reliance on single-repository GitHub accounts with little activity

  • Monitor for suspicious domains like dieserbenni[.]ru

  • Use tools that support differential analysis of source code

All 67 identified repositories were removed by GitHub following notification. The number of developers affected remains unknown, but due to the breadth of the campaign, researchers believe victims are likely.

Image credit: Wirestock Creators / Shutterstock.com