A Hacker ‘Ghost’ Network Is Quietly Spreading Malware on GitHub

A secretive network of around 3,000 “ghost” accounts on GitHub has quietly been manipulating pages on the code-hosting website to promote malware and phishing links, according to new research seen by WIRED.

Since at least June last year, according to researchers at cybersecurity company Check Point, a cybercriminal they dubbed “Stargazer Goblin” has been hosting malicious code repositories on the Microsoft-owned platform. GitHub is the world’s largest open-source code website, hosting millions of developers’ work. As well as uploading malicious repositories, Stargazer Goblin has been boosting the pages by using GitHub’s own community tools.

Antonis Terefos, a malware reverse engineer at Check Point who discovered the nefarious behavior, says the persona behind the network uses their false accounts to “star,” “fork,” and “watch” the malicious pages. These actions—which are loosely similar to liking, sharing, and subscribing, respectively—help make the pages appear popular and genuine. The more stars, the more realistic a page looks. “The malicious repositories appeared really legitimate,” Terefos says.

“The way he has developed it is really smart, taking advantage of how GitHub operates,” Terefos says of the person behind the persona. While cybercriminals have been abusing GitHub for years, uploading malicious code and adapting legitimate repositories, Terefos says he has not previously seen a network of fake accounts operating in this way on the platform. The buying and selling of repositories and starring is coordinated on a cybercrime-linked Telegram channel and criminal marketplaces. WIRED previously reported on other GitHub black markets.

The Stargazers Ghost Network, which Check Point named after one of the first accounts they spotted, has been spreading malicious GitHub repositories that offer downloads of social media, gaming, and cryptocurrency tools. For instance, pages might be claiming to provide code to run a VPN or license a version of Adobe’s Photoshop. These are mostly targeting Windows users, the research says, and aim to capitalize on people potentially searching for free software online.

The operator behind the network charges other hackers to use their services, which Check Point call “distribution as a service.” The harmful network has been spotted sharing various types of ransomware and info-stealer malware, Check Point says, including the Atlantida Stealer, Rhadamanthys, and the Lumma Stealer. Terefos says he discovered the network while researching instances of the Atlantida Stealer. The researcher says the network could be bigger than he expects, as he has also seen legitimate GitHub accounts being taken over using stolen login details.

“We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” says Alexis Wales, vice president of security operations at GitHub. “We have teams dedicated to detecting, analyzing, and removing content and accounts that violate these policies.”

GitHub has more than 100 million users who have contributed over 420 million repositories on the platform. Given the breadth of the platform, it’s unsurprising that cybercriminals and hackers are attempting to abuse it. In recent years, researchers have been mapping instances of fake stars, spotting dangerous code hidden in projects, facing growing supply-chain attacks against open source software, and seeing comments being used to spread malware.

The Stargazer Goblin threat actor identified by Check Point sells their services through ads on cybercrime forums and also through a Telegram account. A posts on a Russian-language cybercrime forum advertises 100 stars for $10 and 500 for $50 and says they can provide clones of existing repositories and trusted accounts. “For GitHub, the process looks organic,” one translated post says. The Check Point research says the network could have started operating as early as August 2022 and may have made as much as $100,000—from mid-May to mid-June this year, they estimate the operator made around $8,000.

Terefos says, in some instances, he has seen a legitimate code repository being changed by the threat actor, potentially using stolen credentials, and turned into a malicious one. If legitimate users fork a malicious repository, it has the potential to spread the code, Terefos says. The reverse malware engineer adds that he has automated the search for accounts linked to the network and is able to identify them based on common features, such as repositories using similar templates and tags. Some of the repositories seen by WIRED use variations on “instagram-follower” and “youtube-views” tags, with the names changed based on the software the page alleges to offer.

“Users of GitHub, and especially inexperienced users, can easily download malicious code, which can often be the result of fictitious reviews and starring,” says Jake Moore, global cybersecurity adviser at security firm Eset. “Telltale signs of malicious code on GitHub could also be unexpected or suspicious code changes, code that accesses external resources, and specific hard-coded credentials or API keys.”

Terefos says the activity of the network—staring and watching pages—is likely automated, as he saw repositories being acted upon in quick succession. “I don’t think they’re clicking, doing like manual work.” For GitHub, Terefos says, it may be difficult to identify this activity, as the behavior of the accounts is intended to look like a genuine GitHub user. Wales, from GitHub, says the company uses a combination of manual reviews and “at-scale detections” that use machine learning to identify suspicious activity

The Check Point engineer also says he identified one YouTube “ghost” account that was sharing malicious links via video, indicating that the network could be more encompassing. “I think this is not the whole picture,” Terefos says.