Network of 200 GitHub Repositories Used for Malware Infection
A threat actor has created a network of over 200 GitHub repositories that distribute Windows malware via a malicious Go module. This module loads obfuscated PowerShell code that retrieves encrypted payloads from multiple public dead-drop locations to execute various malware types including RATs, infostealers, trojan downloaders, spyware, and cryptominers. The campaign, named Operation Muck and Load, has published over 1,200 versions of the Go module since January 2026, with more than half being malicious. The malware delivery uses multiple public platforms for payload hosting to ensure operational resilience and evades script execution policies. The repositories serve both as lures and direct malware delivery mechanisms. The campaign overlaps with previously observed threat actor activity linked to specific email addresses and domains.
AI Analysis
Technical Summary
Operation Muck and Load is a malware campaign involving 222 GitHub repositories across 190 accounts that distribute a malicious Go module. This module masquerades as a DNS/subdomain scanning tool but executes hidden PowerShell commands that fetch encrypted payloads from public dead-drop locations such as Pastebin, YouTube, Instagram, Telegram, Google Docs, and GitCode. The payloads include various Windows malware families like AsyncRAT, Quasar RAT, Remcos-style RAT, Vidar infostealer, trojan loaders, spyware, and Monero cryptominers. The threat actor uses GitHub Actions workflows to generate numerous timestamped commits, resulting in over 1,200 published versions, 700 of which are malicious. The malware execution chain decrypts and extracts password-protected archives to run the final payloads, employing multiple mirrored sources for resilience. Some repositories embed malware directly in source trees or release assets. The campaign is linked to prior activity associated with the 'ischhfd83' email address and Muck-themed domains.
Potential Impact
The campaign enables widespread distribution of various Windows malware types, including remote access trojans, infostealers, spyware, trojan downloaders, and cryptominers. This can lead to unauthorized access, data theft, system compromise, and resource abuse on infected Windows systems. The use of public dead-drop locations and multiple mirrored payload sources increases the campaign's resilience and complicates detection and takedown efforts. The large number of malicious Go module versions increases the risk of infection for users who download or depend on these repositories or modules.
Mitigation Recommendations
No official patch or remediation is applicable as this is a malware campaign leveraging public GitHub repositories and open source modules. Organizations and developers should avoid using or downloading Go modules from untrusted or suspicious GitHub repositories, especially those masquerading as legitimate tools. Security teams should monitor for the presence of the described malicious Go modules and PowerShell execution patterns in their environments. GitHub repository owners should review and remove any compromised repositories. Users should apply standard endpoint protection and malware detection controls to identify and block the described malware families. Since this is not a vulnerability in software but a malware distribution campaign, vendor patching does not apply.
Network of 200 GitHub Repositories Used for Malware Infection
Description
A threat actor has created a network of over 200 GitHub repositories that distribute Windows malware via a malicious Go module. This module loads obfuscated PowerShell code that retrieves encrypted payloads from multiple public dead-drop locations to execute various malware types including RATs, infostealers, trojan downloaders, spyware, and cryptominers. The campaign, named Operation Muck and Load, has published over 1,200 versions of the Go module since January 2026, with more than half being malicious. The malware delivery uses multiple public platforms for payload hosting to ensure operational resilience and evades script execution policies. The repositories serve both as lures and direct malware delivery mechanisms. The campaign overlaps with previously observed threat actor activity linked to specific email addresses and domains.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Operation Muck and Load is a malware campaign involving 222 GitHub repositories across 190 accounts that distribute a malicious Go module. This module masquerades as a DNS/subdomain scanning tool but executes hidden PowerShell commands that fetch encrypted payloads from public dead-drop locations such as Pastebin, YouTube, Instagram, Telegram, Google Docs, and GitCode. The payloads include various Windows malware families like AsyncRAT, Quasar RAT, Remcos-style RAT, Vidar infostealer, trojan loaders, spyware, and Monero cryptominers. The threat actor uses GitHub Actions workflows to generate numerous timestamped commits, resulting in over 1,200 published versions, 700 of which are malicious. The malware execution chain decrypts and extracts password-protected archives to run the final payloads, employing multiple mirrored sources for resilience. Some repositories embed malware directly in source trees or release assets. The campaign is linked to prior activity associated with the 'ischhfd83' email address and Muck-themed domains.
Potential Impact
The campaign enables widespread distribution of various Windows malware types, including remote access trojans, infostealers, spyware, trojan downloaders, and cryptominers. This can lead to unauthorized access, data theft, system compromise, and resource abuse on infected Windows systems. The use of public dead-drop locations and multiple mirrored payload sources increases the campaign's resilience and complicates detection and takedown efforts. The large number of malicious Go module versions increases the risk of infection for users who download or depend on these repositories or modules.
Mitigation Recommendations
No official patch or remediation is applicable as this is a malware campaign leveraging public GitHub repositories and open source modules. Organizations and developers should avoid using or downloading Go modules from untrusted or suspicious GitHub repositories, especially those masquerading as legitimate tools. Security teams should monitor for the presence of the described malicious Go modules and PowerShell execution patterns in their environments. GitHub repository owners should review and remove any compromised repositories. Users should apply standard endpoint protection and malware detection controls to identify and block the described malware families. Since this is not a vulnerability in software but a malware distribution campaign, vendor patching does not apply.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/network-of-200-github-repositories-used-for-malware-infection/","fetched":true,"fetchedAt":"2026-07-10T08:02:31.542Z","wordCount":1104}
Threat ID: 6a50a71768715ace43411fc5
Added to database: 07/10/2026, 08:02:31 UTC
Last enriched: 07/10/2026, 08:02:39 UTC
Last updated: 07/10/2026, 08:09:22 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.