
Massive Active GitHub Malware Campaign Identifies Hundreds of Malicious Repositories
Tags: Malware, Cybersecurity, GitHub, Cryptocurrency
A massive, coordinated malware distribution campaign is targeting GitHub users through hundreds of malicious repositories. The attackers fork legitimate open-source projects, replace the download links with .ZIP archives that contain malware, and rewrite the README with emoji-decorated headers and suspicious links. The accounts behind the repositories share a common structure (two repositories each, descriptions with emojis, a falsified commit history), and the malware goes after sensitive data such as cryptocurrency wallets and browser credentials. Antivirus coverage remains low (12 of 66 engines on VirusTotal detect it), and the tooling relies on multi-stage execution via LuaJIT combined with evasion techniques.
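As an added example that is not part of the article or of any researcher's tooling, the Python script below scores a repository against the traits described above: emoji-decorated README headings, .ZIP download links (weighted more heavily when hosted off the repository's own path), a fork that adds its own .ZIP download, an owning account with exactly two repositories, and commits whose author dates predate the account itself (one concrete way a falsified commit history shows up, since git author dates are attacker-controlled). The `RepoInfo` fields, the emoji Unicode ranges, the weights, and both sample repositories are this example's own assumptions and constructed data, not the campaign's real indicators.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Coarse emoji check (assumption: these two Unicode ranges are enough for
# triage; they are not an exhaustive emoji table).
EMOJI_RE = re.compile(r"[\U0001F300-\U0001FAFF\u2600-\u27BF]")
HEADING_RE = re.compile(r"^#{1,6}\s*(.+)$", re.MULTILINE)
LINK_RE = re.compile(r"\[[^\]]*\]\((https?://[^)\s]+)\)")


@dataclass
class RepoInfo:
    """Metadata a triage job would collect for one repository.
    Field names are this example's own, not the GitHub API's."""
    full_name: str                   # "owner/repo"
    readme: str                      # README.md contents
    owner_repo_count: int            # public repos owned by the account
    owner_created: datetime          # account creation time (UTC)
    commit_dates: List[datetime]     # author dates on the default branch
    fork_of: Optional[str] = None    # upstream "owner/repo" if a fork


def emoji_headings(readme: str) -> List[str]:
    """Markdown headings that contain an emoji."""
    return [h.strip() for h in HEADING_RE.findall(readme) if EMOJI_RE.search(h)]


def zip_download_links(readme: str) -> List[str]:
    """Markdown links whose target path ends in .zip (query/fragment ignored)."""
    out = []
    for url in LINK_RE.findall(readme):
        path = url.lower().split("?", 1)[0].split("#", 1)[0]
        if path.endswith(".zip"):
            out.append(url)
    return out


def backdated_commits(info: RepoInfo) -> List[datetime]:
    """Commits whose author date precedes the owning account's creation."""
    return [d for d in info.commit_dates if d < info.owner_created]


def score_repo(info: RepoInfo) -> Tuple[int, List[str]]:
    """Additive heuristic score plus human-readable reasons.
    Weights are illustrative assumptions; tune them against your own data."""
    score, reasons = 0, []
    heads = emoji_headings(info.readme)
    if heads:
        score += 1
        reasons.append(f"{len(heads)} emoji heading(s): {heads[:3]}")
    zips = zip_download_links(info.readme)
    own_path = f"github.com/{info.full_name.lower()}/"
    off_repo = [u for u in zips if own_path not in u.lower()]
    if off_repo:
        score += 3  # archive hosted somewhere other than the repo itself
        reasons.append(f".zip download(s) hosted outside the repo: {off_repo}")
    elif zips:
        score += 1  # release assets are legitimately zipped, so weight low
        reasons.append(f".zip download(s) in README: {zips}")
    if info.fork_of and zips:
        score += 2
        reasons.append(f"fork of {info.fork_of} that adds its own .zip download")
    if info.owner_repo_count == 2:
        score += 1
        reasons.append("owner holds exactly two repositories")
    back = backdated_commits(info)
    if back:
        score += 3
        reasons.append(f"{len(back)} commit(s) dated before account creation")
    return score, reasons


# Constructed sample: a fork with an emoji-headed README pointing at an
# off-repo .zip, owned by a two-repo account whose commits predate it.
SUSPECT = RepoInfo(
    full_name="example-user/cool-tool",
    readme=(
        "# 🚀 Cool Tool\n\n"
        "## 📥 Download\n"
        "[Download latest build](https://files.example.invalid/cool-tool-v2.zip)\n\n"
        "## 🔧 Features\n- fast\n"
    ),
    owner_repo_count=2,
    owner_created=datetime(2024, 6, 1, tzinfo=timezone.utc),
    commit_dates=[
        datetime(2022, 3, 10, tzinfo=timezone.utc),
        datetime(2023, 1, 5, tzinfo=timezone.utc),
        datetime(2024, 6, 2, tzinfo=timezone.utc),
    ],
    fork_of="upstream-org/cool-tool",
)

# Constructed benign control: plain headings, a release asset under the
# repo's own path, a long-lived account with many repos, no backdating.
BENIGN = RepoInfo(
    full_name="upstream-org/cool-tool",
    readme=(
        "# Cool Tool\n\n## Install\n"
        "[Release 2.0](https://github.com/upstream-org/cool-tool/releases/download/v2.0/cool-tool.zip)\n"
    ),
    owner_repo_count=40,
    owner_created=datetime(2015, 1, 1, tzinfo=timezone.utc),
    commit_dates=[datetime(2024, 6, 2, tzinfo=timezone.utc)],
)

if __name__ == "__main__":
    for repo in (SUSPECT, BENIGN):
        total, why = score_repo(repo)
        print(f"{repo.full_name}: score={total}")
        for reason in why:
            print("  -", reason)
```

The score is a triage aid, not a verdict: a legitimate project can hit the low-weight signals (a zipped release asset, a decorative emoji heading), so the off-repo archive, fork-plus-archive and backdated-commit checks carry most of the weight, and anything flagged still needs the archive pulled and analysed.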