
FakeGit: GitHub malware campaign hits 600+ repos

March 10, 2026
8 min read

Executive Summary

A Vietnamese-speaking threat actor has been distributing FakeGit, a GitHub-based malware campaign, since March 2025, using more than 600 confirmed malicious ZIP archives across 47+ GitHub accounts to deliver a LuaJIT-based loader chain that ultimately drops StealC. The repositories impersonate SaaS cracks, gaming cheats, developer utilities, and other lures while shipping working tools bundled with malware. As of March 4, 2026, at least 25 accounts remained active according to the researcher. For defenders, the key point is that this campaign targets developer and power-user trust in GitHub repos, then uses a resilient command-and-control design and GitHub dead drops to maintain delivery at scale.

What happened?

  • March 2025: earliest confirmed FakeGit ZIP samples appear on VirusTotal, shortly after supporting infrastructure was registered.
  • 2025–2026: the operator distributed trojanized repositories across GitHub accounts posing as SaaS utilities, cheats, cracked browser extensions, and developer tooling.
  • January 2026: URLhaus first detected part of the campaign, roughly 10 months after it began.
  • February 2026: the actor introduced a newer 878 KB trojanized LuaJIT binary and a second Polygon smart contract for C2 resolution.
  • March 4, 2026: the research identified 600+ unique malicious ZIPs, 47+ GitHub accounts, and 25 active accounts still online.
  • Reported with strong evidence: the same operator appears responsible across multiple lure categories because the inner malware components were byte-identical even when ZIP packaging and repo themes differed.
  • Not fully confirmed publicly: total victim count remains unknown, and the exact number of compromised developer accounts may still grow as more repos are uncovered.

Who is affected?

The most likely affected users are developers, IT staff, students, gamers, and SaaS users who downloaded tools from GitHub repos that appeared functional or legitimate.

Likely exposure groups

  • Developers searching GitHub for utilities, automation kits, PoCs, or workflow helpers
  • SaaS users looking for cracked extensions for tools such as Jira, Asana, Todoist, Trello, Notion, Slack, and Zoom
  • Gamers downloading cheats, injectors, scripts, and enhancement tools
  • Users willing to sideload unpacked browser extensions after following README instructions or linked tutorial videos

Exposure paths

  • Downloading ZIP archives from attacker-controlled GitHub repositories
  • Running bundled executables such as trojanized LuaJIT binaries
  • Loading unpacked browser extensions after enabling Chrome Developer Mode
  • Retrieving second-stage payloads from GitHub dead-drop repositories during execution

The campaign is notable because it combines public GitHub trust, working lure tooling, and resilient infrastructure built to evade threat-intelligence tracking.

Initial access & kill chain (MITRE-friendly)

This campaign begins with GitHub as the initial access channel rather than phishing or exploit-driven intrusion.

Observed kill chain

  1. Initial access
    Victims discover and download a lure repository on GitHub.
  2. Execution
    A trojanized LuaJIT executable runs the bundled Lua payload.
  3. C2 resolution
    The loader queries a Polygon smart contract to retrieve the current C2 endpoint.
  4. Payload retrieval
    Additional encrypted blobs are fetched from GitHub dead-drop repos and decrypted through layered routines.
  5. Defense evasion
    Obfuscation, runtime string assembly, and shifting infrastructure reduce static detection.
  6. Collection / credential theft
    The chain ultimately deploys StealC, an information stealer aimed at browser and user data.
  7. Actions on objectives
    Stolen credentials, session material, and system data can be monetized or reused for follow-on compromise.

Example MITRE ATT&CK mapping

Phase             | Observed behavior                                              | ATT&CK theme
Initial Access    | GitHub-hosted trojanized repos and lure ZIPs                   | Supply chain / user execution
Execution         | LuaJIT binary launches obfuscated Lua payload                  | Script execution
Command & Control | Smart-contract-based C2 resolver + live IP rotation            | Web-based C2
Defense Evasion   | VM-based obfuscation, runtime string assembly, dead drops      | Obfuscated files / information
Payload Delivery  | GitHub dead-drop repos serve encrypted blobs                   | Ingress tool transfer
Credential Access | StealC infostealer deployment                                  | Credential theft
Collection        | Browser, host, and user data collection                        | Collection

Indicators and detection

EDR

  • Hunt for luajit.exe, lua.exe, vm_s390x.exe, init.exe, or luad.exe launched from recently extracted ZIP directories
  • Look for unsigned or low-reputation binaries executing from user download folders, temp paths, or unpacked extension directories
  • Review process chains where GitHub-downloaded archives spawn LuaJIT runtimes followed by network beacons or credential access activity
  • Hunt for StealC-related follow-on behaviors, including browser data access, credential store access, and suspicious archive/decryption routines

Email security

  • Email is not the primary initial vector here, but security teams should still monitor for internal sharing of GitHub links tied to cracked tools, cheats, or “free premium” SaaS utilities

Identity / SSO

  • Monitor for unusual session reuse, impossible travel, MFA fatigue, or token abuse after suspected endpoint exposure
  • Review developer and privileged accounts for suspicious login activity after tools were downloaded from GitHub

Network / proxy / DNS

  • Monitor outbound connections to newly observed IP-based infrastructure shortly after execution of downloaded tooling
  • Hunt for connections to GitHub repos used as dead drops as well as unusual traffic tied to malware retrieval chains
  • Watch for clients reaching raw IPs resolved indirectly from blockchain-backed infrastructure rather than stable domains

Example detection pattern (Splunk SPL)

index=edr OR index=sysmon
(Image="*\\luajit.exe" OR Image="*\\lua.exe" OR Image="*\\vm_s390x.exe" OR Image="*\\luad.exe" OR Image="*\\init.exe")
(CommandLine="*github*" OR CurrentDirectory="*Downloads*" OR CurrentDirectory="*Temp*")
| stats count min(_time) as firstSeen max(_time) as lastSeen by host, user, Image, CommandLine, ParentImage
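The SPL search above only looks at process-creation events. The following is an added example, not code from the original post or from the cited research, that applies the same launch filter (Lua runtime started from Downloads/Temp or with "github" on the command line) and then correlates each hit with the connections that process made shortly afterwards, raising severity when the destination is a raw IP that no DNS answer on the host explains, which is the traffic shape a smart-contract C2 resolver produces. The events are constructed Sysmon-style records (EventID 1 process create, 3 network connect, 22 DNS query); field names follow Sysmon, but QueryResults is simplified to a list of IP strings, and every host, user, path and address is invented for the example.

```python
"""Correlate suspicious LuaJIT launches with the connections they make.

Added example, not code from the original post. Event records are
constructed Sysmon-style dicts; QueryResults is simplified to a list of
IP strings for the example.
"""
from datetime import datetime, timedelta
import ipaddress
import ntpath

LUA_RUNTIMES = {"luajit.exe", "lua.exe", "vm_s390x.exe", "init.exe", "luad.exe"}
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\")
BEACON_WINDOW = timedelta(minutes=10)  # how long after launch we look for connections


def is_lua_runtime(image):
    """True when the image file name is one of the runtimes seen in the campaign."""
    return ntpath.basename(image).lower() in LUA_RUNTIMES


def from_user_writable(directory):
    """True when the working directory is a download, temp or AppData path."""
    d = directory.lower().rstrip("\\") + "\\"
    return any(marker in d for marker in USER_WRITABLE_MARKERS)


def is_raw_ip(destination):
    """True when the destination string parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(destination)
        return True
    except ValueError:
        return False


def hunt(events):
    """Return one finding per suspicious runtime launch.

    A launch is suspicious under the same rule as the SPL search. Severity
    becomes "high" when the process reached a raw IP that no DNS answer on
    that host returned, within BEACON_WINDOW of the launch.
    """
    events = sorted(events, key=lambda e: e["time"])
    resolved = {}  # host -> set of IPs some DNS answer on that host explains
    for e in events:
        if e["EventID"] == 22:
            resolved.setdefault(e["host"], set()).update(e["QueryResults"])

    findings = []
    for e in events:
        if e["EventID"] != 1 or not is_lua_runtime(e["Image"]):
            continue
        if not (from_user_writable(e["CurrentDirectory"])
                or "github" in e["CommandLine"].lower()):
            continue
        deadline = e["time"] + BEACON_WINDOW
        conns = [c for c in events
                 if c["EventID"] == 3 and c["host"] == e["host"]
                 and c["ProcessId"] == e["ProcessId"]
                 and e["time"] <= c["time"] <= deadline]
        direct = sorted({c["DestinationIp"] for c in conns
                         if is_raw_ip(c["DestinationIp"])
                         and c["DestinationIp"] not in resolved.get(e["host"], set())})
        findings.append({
            "host": e["host"], "user": e["user"], "image": e["Image"],
            "parent": e["ParentImage"], "command_line": e["CommandLine"],
            "connections": len(conns), "direct_ip_connections": direct,
            "severity": "high" if direct else "medium",
        })
    return findings


# Constructed telemetry from one workstation (documentation-range IPs).
T0 = datetime(2026, 3, 4, 10, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 1, "time": T0, "host": "DEV-WS-01", "user": "alice", "ProcessId": 4242,
     "Image": "C:\\Users\\alice\\Downloads\\jira-premium-unlock\\luajit.exe",
     "CommandLine": "luajit.exe main.lua",
     "CurrentDirectory": "C:\\Users\\alice\\Downloads\\jira-premium-unlock\\",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 22, "time": T0 + timedelta(seconds=2), "host": "DEV-WS-01", "ProcessId": 4242,
     "QueryName": "dead-drop.example", "QueryResults": ["203.0.113.10"]},
    {"EventID": 3, "time": T0 + timedelta(seconds=3), "host": "DEV-WS-01", "ProcessId": 4242,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "time": T0 + timedelta(seconds=20), "host": "DEV-WS-01", "ProcessId": 4242,
     "DestinationIp": "198.51.100.77", "DestinationPort": 80},  # raw IP, no DNS answer
    {"EventID": 1, "time": T0 + timedelta(minutes=30), "host": "DEV-WS-01", "user": "alice",
     "ProcessId": 5100, "Image": "C:\\Program Files\\LuaJIT\\luajit.exe",
     "CommandLine": "luajit.exe build.lua",
     "CurrentDirectory": "C:\\Program Files\\LuaJIT\\",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},  # legitimate install, not flagged
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["image"], f["direct_ip_connections"])
```

On the sample telemetry the Downloads-launched runtime is reported at high severity because of its unresolved connection to 198.51.100.77, while the runtime under Program Files is ignored. In production the DNS bookkeeping would need the host's DNS cache TTLs and resolver logs, not just Sysmon event 22, so treat the raw-IP flag as an enrichment step rather than a standalone alert.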

Additional things to hunt

  • Repositories or ZIPs with AI-generated READMEs pointing all links to the same archive
  • ZIPs containing oddly named single folders with rare English words or unusual technical nouns
  • GitHub-related downloads followed by execution of Lua runtimes or browser data theft behavior
  • Unpacked browser extension installs sourced from unofficial repos
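The first two hunting items above describe packaging traits rather than runtime behaviour, so they are best checked on preserved ZIP artifacts. The following is an added example, not code from the original post or the research it summarises, that performs that static triage: it reports a single unusually named top-level folder, a bundled Lua runtime, a .lua script beside it, an unpacked-extension manifest, and a README whose links all resolve to one target. Whether a folder name is a "rare English word" is left to the analyst; the code only flags a single alphabetic word of six or more letters. The two sample archives, their folder name, URLs and file contents are constructed for this example.

```python
"""Static triage of a downloaded ZIP for FakeGit-style packaging traits.

Added example, not code from the original post. The sample archives built
by build_sample_zips() are constructed; the binaries inside are stand-ins.
"""
import io
import posixpath
import re
import zipfile
from collections import Counter

LUA_RUNTIMES = {"luajit.exe", "lua.exe", "vm_s390x.exe", "init.exe", "luad.exe"}
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")


def triage_zip(data):
    """Return the archive's structural signals and their count as a score."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = [n for n in zf.namelist() if not n.endswith("/")]
    loose = [n for n in names if "/" not in n]
    top = Counter(n.split("/", 1)[0] for n in names if "/" in n)
    # A single top-level folder with nothing beside it
    folder = next(iter(top)) if len(top) == 1 and not loose else None

    basenames = [posixpath.basename(n).lower() for n in names]
    runtimes = sorted(b for b in basenames if b in LUA_RUNTIMES)
    lua_scripts = [n for n in names if n.lower().endswith(".lua")]
    manifest = "manifest.json" in basenames  # unpacked browser extension layout

    links = []
    for n in names:
        if posixpath.basename(n).lower().startswith("readme"):
            links.extend(URL_RE.findall(zf.read(n).decode("utf-8", "replace")))

    signals = []
    if folder and re.fullmatch(r"[A-Za-z]{6,}", folder):
        signals.append("single_unusual_folder")
    if runtimes:
        signals.append("lua_runtime_bundled")
    if runtimes and lua_scripts:
        signals.append("lua_script_beside_runtime")
    if manifest:
        signals.append("unpacked_extension_manifest")
    if len(links) >= 2 and len(set(links)) == 1:
        signals.append("readme_links_single_target")

    return {"top_level_folder": folder, "lua_runtimes": runtimes,
            "lua_scripts": lua_scripts, "readme_links": links,
            "signals": signals, "score": len(signals)}


def _zip_from(entries):
    """Build an in-memory ZIP from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_zips():
    """Two constructed archives: a lure shaped like the campaign's packaging,
    and a conventional project layout for comparison."""
    lure = _zip_from({
        "Tessellation/luajit.exe": b"MZ" + b"\x00" * 64,  # stand-in, not a real binary
        "Tessellation/lua51.dll": b"MZ" + b"\x00" * 64,
        "Tessellation/main.lua": b"-- an obfuscated payload would live here\n",
        "Tessellation/README.md": (
            "# Jira Premium Unlock\n"
            "Download: https://example.invalid/Tessellation.zip\n"
            "Mirror: [here](https://example.invalid/Tessellation.zip)\n"
            "Video tutorial: https://example.invalid/Tessellation.zip\n"
        ).encode(),
    })
    benign = _zip_from({
        "README.md": b"# tool\nDocs: https://example.invalid/docs\nCI: https://example.invalid/ci\n",
        "src/main.py": b"print('hello')\n",
        "tests/test_main.py": b"def test_ok():\n    assert True\n",
    })
    return lure, benign


if __name__ == "__main__":
    lure, benign = build_sample_zips()
    for label, blob in (("lure", lure), ("benign", benign)):
        print(label, triage_zip(blob)["signals"])
```

Run it over the ZIPs preserved during containment; a high score is a reason to pull the archive into the sandboxed evaluation workflow described later, not a verdict on its own, since legitimate Lua projects also ship a runtime next to scripts.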

Containment & remediation checklist

🔴 Immediate containment (0–24h)

  • Identify endpoints where users downloaded tools from untrusted GitHub repos matching the campaign themes
  • Quarantine hosts that executed trojanized LuaJIT binaries or associated archives
  • Reset credentials for users who executed suspicious GitHub-hosted tooling
  • Revoke active sessions and refresh tokens for exposed developer and admin accounts
  • Block known campaign IOCs, malicious repos, and dead-drop URLs at proxy/DNS layers
  • Remove sideloaded or unpacked browser extensions installed from unofficial repositories
  • Preserve forensic artifacts including ZIP files, extracted folders, running binaries, and network telemetry
  • Hunt for StealC follow-on activity on exposed endpoints
  • Notify users not to download cracked SaaS add-ons, cheats, or GitHub-hosted “premium unlock” utilities

🟠 Hardening (24–72h)

  • Enforce application allowlisting for developer endpoints where feasible
  • Tighten browser extension controls and disallow unmanaged unpacked extension installs
  • Review GitHub usage policy for software acquisition and PoC execution on corporate devices
  • Add detections for GitHub-sourced executable launches from user space
  • Increase monitoring on developer workstations and build environments
  • Review secrets exposure risk for users who ran suspicious utilities on engineering systems
  • Audit SSO, VPN, code repository, and cloud-console access for credential replay
  • Add campaign hashes and behavioral indicators to EDR and YARA pipelines

🟡 Longer-term controls (1–4 weeks)

  • Treat public code-sharing platforms as a malware delivery channel in software acquisition policy
  • Build a vetted workflow for evaluating GitHub tools in sandboxed environments before internal use
  • Expand incident response playbooks for developer-targeted malware and repository trust abuse
  • Segment high-value developer environments from business-user workstations
  • Improve developer security awareness around GitHub repo trust, fake PoCs, and cracked tooling lures
  • Centralize detection for browser credential theft and infostealer post-compromise behavior
  • Review whether source-code repos, package registries, and personal access tokens need stronger protections
  • Establish periodic hunts for malware distributed through developer ecosystems and public repositories

Strategic analysis (what this signals)

FakeGit matters because it shows how GitHub remains a highly effective malware distribution channel when attackers mix functional lures with polished packaging and low-friction execution paths. This was not a single throwaway repo but an operational campaign sustained for roughly a year, with repeated malware evolution, multiple infrastructure generations, and hundreds of delivery artifacts.

The campaign also highlights a broader trend: infostealer operators increasingly target developers, power users, and technically curious victims through ecosystems they trust. Rather than relying only on phishing, they abuse code-sharing platforms, trojanized utilities, and cracked extensions. The use of blockchain-backed C2 resolution is particularly important because it gives the operator a resilient way to rotate infrastructure without rebuilding the deployed malware.

For defenders, the message is straightforward: GitHub should be treated not only as a software supply source, but also as a monitored malware ingress vector. Mature organizations should combine repository trust guidance, application control, outbound monitoring, and post-execution credential theft detections.

FAQ

What happened?

A threat actor used hundreds of GitHub repositories to distribute a LuaJIT-based malware chain that eventually deployed the StealC infostealer.

Who is affected?

Users who downloaded and executed trojanized tools, cracked SaaS extensions, gaming cheats, or developer utilities from the malicious repositories are the most likely to be affected.

How do I know if I’m impacted?

Check whether users downloaded suspicious GitHub ZIPs, ran LuaJIT-related binaries, installed unpacked extensions, or showed signs of credential theft and suspicious follow-on logins.

What should I do first?

Quarantine affected endpoints, reset potentially exposed credentials, revoke sessions, and investigate for StealC or related infostealer activity.

Is it still ongoing?

The published research said at least 25 GitHub accounts remained active as of March 4, 2026, so defenders should assume residual risk remains.

Why is this campaign notable?

It combines GitHub trust abuse, blockchain-based C2 resolution, GitHub dead drops, and infostealer delivery at unusual scale.

References

  1. derp.ca — FakeGit: LuaJIT malware distributed via GitHub at scale


Written by Lucas Oliveira

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.