Cybersecurity researchers have uncovered a large-scale campaign in which attackers created at least 292 fake GitHub repositories impersonating popular software projects to distribute the BoryptGrab infostealer, which steals passwords, cryptocurrency wallet data, and other sensitive information.
The campaign was uncovered by researchers at Arctic Wolf. According to their findings, the attacks began on June 26, 2026, and primarily target Windows users. Rather than exploiting vulnerabilities in GitHub itself, the attackers rely on social engineering, disguising their repositories as legitimate software projects, developer tools, cryptocurrency services, cybersecurity products, and other popular applications.
The investigation began after one of the fake repositories impersonated an Arctic Wolf project. That discovery prompted researchers to examine the campaign more closely, ultimately revealing hundreds of fraudulent repositories.
The malicious payload is not hosted directly on GitHub. Instead, the fake repositories contain convincing README files along with prominent download buttons or links. Clicking them redirects users to an external website, where they unknowingly download a trojanized installer.
Once executed, the installer uses a DLL sideloading technique to silently launch the BoryptGrab infostealer. The malware then steals passwords stored in web browsers, cryptocurrency wallet data, and other sensitive information from the victim’s system.
Researchers say GitHub has already removed a significant number of the malicious repositories. However, they believe the threat actor has automated the creation of new accounts, allowing fresh repositories to appear quickly after existing ones are taken down.
This is not the first time GitHub has been abused to distribute malware. Just last month, researchers identified more than 10,000 fake repositories containing trojans. Previous campaigns have also included North Korean threat actors, fake Microsoft and Google Chrome repositories, and attacks targeting AI developers through fraudulent cryptocurrency reward offers.
While GitHub remains one of the world’s most important platforms for software development, it is increasingly being exploited by cybercriminals to distribute malware. Users are advised to verify repository owners and carefully check download links before installing any software.