Hackers Post Dozens of Malicious Copycat Repos to GitHub

[Nate Nelson, Contributing Writer](/author/nate-nelson), June 20, 2025, 4 Min Read

![The GitHub logo](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt299e69bd750cbf5c/6855715a7bd6c236e96d42c3/GitHub_logo-Araki_Illustrations-Alamy.jpg?width=1280&auto=webp&quality=80&format=jpg&disable=upscale "The GitHub logo")

Source: Araki Illustrations via Alamy Stock Photo

Cybercriminals continue to sneak malicious repositories onto GitHub.

Typosquatting, dependency confusion, and other attacks delivered through malicious packages are old and common tricks, seen constantly on platforms like [npm](https://www.darkreading.com/application-security/npm-manifest-confusion-malware-hiding-weakness) and the [Python Package Index (PyPI)](https://www.darkreading.com/threat-intelligence/citrine-sleet-poisons-pypi-packages-mac-linux-malware). According to ReversingLabs, though, the number of such cases has been declining precipitously. At the same time, threat actors are finding new paths for performing similar kinds of attacks.

"As a result of the community catching on, threat actors are developing less-noticeable techniques in the hopes of staying hidden longer," says Robert Simmons, principal malware researcher at ReversingLabs. For example, he says, "[We've] spotted malicious campaigns and techniques on GitHub, but not as frequently as discoveries made on PyPI and npm. These malicious discoveries on GitHub also tend to be more sophisticated in nature."

In one recent campaign, a threat actor posted [67 malicious, copycat repositories](https://www.reversinglabs.com/blog/threat-actor-banana-squad-exploits-github-repos-in-new-campaign) to GitHub, hoping to ensnare passersby who thought they were downloading known hacking tools.

Typosquatting on GitHub
-----------------------

The threat actor commonly known as "Banana Squad" started out with malicious Python packages and later moved to GitHub. In 2023, the group began publishing hundreds of malicious Python packages, which attracted nearly 75,000 downloads before they were all identified and taken down. Then, in 2024, researchers spotted a malicious repository the group had published to GitHub, targeting Steam users with an infostealer.

Its latest campaign involved nearly 70 malicious repositories. Each was made to look like a Python-based hacking tool, with the same names and files as the legitimate GitHub repositories it mimicked.

To conceal its malware, Banana Squad took advantage of a mundane aspect of the GitHub user interface. When reviewing code in the browser, a particularly long line does not wrap onto a new line; it extends off the right edge of the screen. In this and its previous GitHub campaign, Banana Squad padded a legitimate-looking line of code with a very large number of spaces and appended its malicious code at the end of that same line, out of view. ReversingLabs was unable to identify anything material about the concealed payload, or how many times the malicious repositories might have been forked.

A Positive Trend in Package Security
------------------------------------

Code packages are an ideal vector for cyberattacks. It is quick and easy to publish one to a major package manager, then sit back and wait for prey to bite. Developers use enormous numbers of packages, and installation is quick and automated, so only diligent or paranoid developers take the time to carefully analyze whether the code they depend on is legitimate. Even a single infected package can reach thousands of developers and the programs they build, which in turn puts the companies that rely on those programs, and potentially innumerable customers, in jeopardy.

As the world's most popular platform for [open source software (OSS)](https://www.darkreading.com/threat-intelligence/-crystalray-attacks-jump-10x-using-only-oss-steal-credentials), GitHub will always be an attractive target for threat actors. But comparatively speaking, GitHub repositories are a less efficient vector than packages. For a developer, working with a repository involves more steps and is more manual by nature.
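Before the trust-and-clone step, one check worth running on a fresh clone is for the padding trick described above under "Typosquatting on GitHub": the browser view hides the tail of an over-long line, but a local copy of the file does not. The scanner below is an added example, not ReversingLabs' tooling and not code from the Banana Squad repositories. It flags any line in which code is followed by a long run of spaces or tabs and then more code, and reports what a reviewer would have seen versus what was pushed off-screen. The 40-character threshold and the embedded sample file (whose hidden tail merely prints a string) are constructed for this example.

```python
"""Flag source lines that hide code behind a long run of whitespace.

Added example (not ReversingLabs' or Banana Squad's code): scans Python, or any
text, files for lines where a plausible-looking statement is followed by a
large run of spaces/tabs and then more code, which a non-wrapping code view
pushes off the right edge of the screen.
"""
import re
import sys
from typing import NamedTuple

# Minimum run of spaces/tabs, between two non-whitespace characters, that is
# treated as deliberate padding. 40 is an assumption: ordinary comment
# alignment rarely needs more than a dozen or two.
MIN_PAD = 40


class Finding(NamedTuple):
    lineno: int
    visible: str   # what a reviewer sees at the left edge of the line
    hidden: str    # the text pushed off-screen by the padding
    padding: int   # number of padding characters
    length: int    # total line length


def find_padded_lines(text: str, min_pad: int = MIN_PAD) -> list[Finding]:
    """Return one Finding per line of the form <code><padding><code>.

    The lookbehind requires a non-whitespace character before the run, so deep
    indentation at the start of a line is not reported.
    """
    pad_re = re.compile(r"(?<=\S)[ \t]{%d,}(?=\S)" % min_pad)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = pad_re.search(line)
        if m is None:
            continue
        findings.append(Finding(
            lineno=lineno,
            visible=line[:m.start()],
            hidden=line[m.end():],
            padding=m.end() - m.start(),
            length=len(line),
        ))
    return findings


def scan_file(path: str, min_pad: int = MIN_PAD) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_padded_lines(fh.read(), min_pad)


# Constructed sample standing in for a "hacking tool" repo's main script. The
# last line looks like a harmless print() in the web UI; 300 spaces later it
# exec()s a base64 blob (here just print("hidden"), not a real payload).
SAMPLE = (
    "import requests\n"
    "\n"
    "def check(url):\n"
    "    return requests.get(url, timeout=5).status_code\n"
    "\n"
    "x = 1          # ordinary alignment, not flagged\n"
    'print("tool ready")' + " " * 300
    + ";exec(__import__('base64').b64decode('cHJpbnQoImhpZGRlbiIp'))\n"
)


def main(argv: list[str]) -> int:
    """Scan the given paths (or the embedded sample); exit 1 if anything is found."""
    paths = argv[1:]
    if paths:
        results = [(p, scan_file(p)) for p in paths]
    else:
        results = [("<sample>", find_padded_lines(SAMPLE))]
    hits = 0
    for path, findings in results:
        for f in findings:
            hits += 1
            print(f"{path}:{f.lineno}: {f.padding} padding chars, line length {f.length}")
            print(f"    visible: {f.visible!r}")
            print(f"    hidden : {f.hidden[:80]!r}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with file paths as arguments, or with none to scan the embedded sample; it exits non-zero when a padded line is found, so it can gate a CI job. A plain `grep -rnE '[^[:space:]][[:space:]]{40,}[^[:space:]]' .` over a clone gives the same first cut. `git diff --check` does not help here: it warns about trailing whitespace, and this padding sits inside the line. The threshold is only a heuristic; lowering it trades false positives on aligned comments for catching shorter padding.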
A potential target must find a [malicious repository](https://www.darkreading.com/application-security/millions-of-malicious-repositories-flood-github), trust it, clone it, and then integrate it into a project, a process that typically involves some code review along the way. If threat actors like Banana Squad are moving from package registries to source code repositories, it may be because those registries are getting better at handling them.

"In the past couple of years, several OSS repositories have taken steps to increase security on their platforms, such as PyPI enforcing mandatory two-factor authentication (2FA) for all users. We suspect that this contributed to the decline in instances of malicious OSS packages across major OSS repositories," Simmons explains. He adds that "the OSS developer community has become much more privy to malicious packages on these platforms, making it even more difficult for attackers to carry out a successful campaign that isn't short-lived."

The result: ReversingLabs found that malicious packages detected on npm, PyPI, and the Ruby package manager RubyGems declined a full 70% between 2023 and 2024.

"However, this isn't to say that OSS risk is declining in general, and incidents of malicious OSS package discoveries still happen on a weekly, if not daily basis," Simmons warns. "One example: Leaked software development secrets, such as sensitive credentials and API tokens, saw a 12% increase on the same OSS platforms between 2023 and 2024 — even as the number of malware incidents dropped. Also, vulnerabilities across OSS packages are getting more severe, and code rot (a reliance on old, unmanaged, and out-of-date code) is widely prevalent among these packages."

About the Author
----------------

[Nate Nelson, Contributing Writer](/author/nate-nelson)
Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."
