Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Network of 200 GitHub Repositories Used for Malware Infection

0
Medium
Malwarewindows
Published: 07/10/2026 (07/10/2026, 08:00:14 UTC)
Source: SecurityWeek

Description

A threat actor has created a network of over 200 GitHub repositories that distribute Windows malware via a malicious Go module. This module loads obfuscated PowerShell code that retrieves encrypted payloads from multiple public dead-drop locations to execute various malware types including RATs, infostealers, trojan downloaders, spyware, and cryptominers. The campaign, named Operation Muck and Load, has published over 1,200 versions of the Go module since January 2026, with more than half being malicious. The malware delivery uses multiple public platforms for payload hosting to ensure operational resilience and evades script execution policies. The repositories serve both as lures and direct malware delivery mechanisms. The campaign overlaps with previously observed threat actor activity linked to specific email addresses and domains.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 08:02:39 UTC

Technical Analysis

Operation Muck and Load is a malware campaign involving 222 GitHub repositories across 190 accounts that distribute a malicious Go module. This module masquerades as a DNS/subdomain scanning tool but executes hidden PowerShell commands that fetch encrypted payloads from public dead-drop locations such as Pastebin, YouTube, Instagram, Telegram, Google Docs, and GitCode. The payloads include various Windows malware families like AsyncRAT, Quasar RAT, Remcos-style RAT, Vidar infostealer, trojan loaders, spyware, and Monero cryptominers. The threat actor uses GitHub Actions workflows to generate numerous timestamped commits, resulting in over 1,200 published versions, 700 of which are malicious. The malware execution chain decrypts and extracts password-protected archives to run the final payloads, employing multiple mirrored sources for resilience. Some repositories embed malware directly in source trees or release assets. The campaign is linked to prior activity associated with the 'ischhfd83' email address and Muck-themed domains.

Potential Impact

The campaign enables widespread distribution of various Windows malware types, including remote access trojans, infostealers, spyware, trojan downloaders, and cryptominers. This can lead to unauthorized access, data theft, system compromise, and resource abuse on infected Windows systems. The use of public dead-drop locations and multiple mirrored payload sources increases the campaign's resilience and complicates detection and takedown efforts. The large number of malicious Go module versions increases the risk of infection for users who download or depend on these repositories or modules.

Mitigation Recommendations

No official patch or remediation is applicable as this is a malware campaign leveraging public GitHub repositories and open source modules. Organizations and developers should avoid using or downloading Go modules from untrusted or suspicious GitHub repositories, especially those masquerading as legitimate tools. Security teams should monitor for the presence of the described malicious Go modules and PowerShell execution patterns in their environments. GitHub repository owners should review and remove any compromised repositories. Users should apply standard endpoint protection and malware detection controls to identify and block the described malware families. Since this is not a vulnerability in software but a malware distribution campaign, vendor patching does not apply.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.securityweek.com/network-of-200-github-repositories-used-for-malware-infection/","fetched":true,"fetchedAt":"2026-07-10T08:02:31.542Z","wordCount":1104}

Threat ID: 6a50a71768715ace43411fc5

Added to database: 07/10/2026, 08:02:31 UTC

Last enriched: 07/10/2026, 08:02:39 UTC

Last updated: 07/10/2026, 08:09:22 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses