The threat involves a sophisticated malware campaign orchestrated by the group known as Banana Squad, which leverages GitHub as a distribution platform for malicious Python code disguised as legitimate hacking tools. The campaign uses 67 distinct GitHub repositories, each typically hosted by a single account, likely created solely for malicious purposes. These repositories mimic benign open-source projects to evade suspicion. The attackers exploit GitHub's interface by embedding backdoor code concealed within long space strings, rendering the malicious payload invisible during normal code review. Additionally, the Python files employ encoding techniques to obscure the payload delivery functions, further complicating detection. This approach represents an evolution in open-source software supply chain attacks, shifting towards more covert tactics that exploit trusted platforms like GitHub. The campaign includes indicators such as suspicious domains (e.g., 1312services.ru and dieserbenni.ru) used for command and control or payload delivery. The tactics align with MITRE ATT&CK techniques including supply chain compromise (T1587.001), software supply chain (T1608.001), repository creation (T1588.001), command and control via web services (T1102), user execution (T1204), and obfuscated files or information (T1027). The campaign does not require prior authentication to access the repositories, increasing its potential reach among developers who might unknowingly incorporate trojanized code into their projects. No known exploits in the wild have been reported yet, but the stealthy nature and supply chain vector pose significant risks to software integrity and trust.

For European organizations, especially those relying heavily on open-source Python libraries and tools from GitHub, this campaign poses a substantial risk to software supply chain integrity. The insertion of backdoors and trojanized code can lead to unauthorized access, data exfiltration, and potential lateral movement within corporate networks. Compromised developer environments could propagate malicious code into production systems, affecting confidentiality, integrity, and availability of critical applications. The stealth techniques used make detection difficult, increasing the likelihood of prolonged undetected presence. This threat could impact sectors with strong software development dependencies, including finance, telecommunications, and critical infrastructure. Additionally, the use of Russian-based domains for command and control may raise geopolitical concerns, potentially targeting organizations involved in sensitive or strategic projects. The campaign’s medium severity reflects the balance between the covert delivery method and the requirement for developers to incorporate the malicious code, but the potential for widespread supply chain contamination elevates the overall risk profile for European entities.

1. Implement strict repository vetting processes: Developers and organizations should avoid using code from single-repository accounts and verify the legitimacy of repositories by checking contributor history, repository age, and community engagement. 2. Employ automated code scanning tools with enhanced heuristics to detect obfuscated code and unusual whitespace patterns that may indicate hidden payloads. 3. Integrate supply chain security solutions such as Software Composition Analysis (SCA) to monitor dependencies for trojanized or suspicious packages. 4. Monitor network traffic for connections to suspicious domains like 1312services.ru and dieserbenni.ru, and block or alert on such communications. 5. Educate developers on the risks of blindly trusting open-source repositories and encourage multi-source verification before incorporating external code. 6. Use GitHub’s security features such as Dependabot alerts and repository vulnerability scanning to identify potential risks early. 7. Establish internal policies to restrict the use of unvetted third-party code in production environments. 8. Maintain updated incident response plans that include supply chain compromise scenarios to enable rapid containment if malicious code is detected.