A malicious campaign is targeting GitHub users to spread the Lumma Stealer information-stealing malware. The operators post comments on issues in many GitHub projects that masquerade as bug fixes and link to the malware payload.
The Anatomy of the Attack
The attack was first noticed by a contributor to the teloxide Rust library, who reported receiving multiple suspicious comments on the project's GitHub issues. BleepingComputer's follow-up investigation found thousands of similar comments across numerous GitHub projects.
The comments typically contain links to password-protected archives hosted on mediafire.com, or bit.ly short links that redirect to them. The comment tells the reader to download the archive and run the file inside it; doing so installs Lumma Stealer on the system.
Malware Distribution Mechanism
The distributed archive, named "fix.zip," contains several DLL files and an executable named "x86_64-w64-ranlib.exe," a name styled after a MinGW-w64 toolchain binary so that it looks like a developer tool. All examined archives were protected with the same password, "changeme." A consistent password makes the lure easy to follow, and encrypting the archive also stops the file host and antivirus scanners from inspecting its contents before the victim extracts it.
Analysis of the executable in the Any.Run sandbox confirmed it as Lumma Stealer.
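The campaign reused the same hosts, archive name and password across thousands of comments, which makes it cheap to triage comments on a repository you maintain. The script below is an added example, not code from BleepingComputer, GitHub or the teloxide project. It takes the indicators the article reports (mediafire.com and bit.ly links, the archive name fix.zip, the password "changeme") and scores a list of comment bodies. The sample comments are constructed for the example and the URLs in them are not real.

```python
"""Triage GitHub issue comments for the indicators this campaign reused.

Added example, not code from BleepingComputer, GitHub or the teloxide project.
Indicators (mediafire.com / bit.ly links, the archive name fix.zip and the
archive password "changeme") are taken from the article; the sample comments
are constructed for the example and the URLs in them are not real.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Hosting and shortener domains the campaign used, per the article.
SUSPECT_HOSTS = ("mediafire.com", "bit.ly")
ARCHIVE_NAME = "fix.zip"
ARCHIVE_PASSWORD = "changeme"

# Capture the network location of any http(s) URL; userinfo and port are stripped below.
URL_RE = re.compile(r"https?://([^/\s?#]+)", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def _host_of(netloc: str) -> str:
    """Reduce 'user@Host:8080' to 'host'."""
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def _is_suspect_host(host: str) -> bool:
    # Match the domain itself and any subdomain (www.mediafire.com), but not a
    # lookalike such as mediafire.com.example.net.
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)


def score_comment(text: str) -> Verdict:
    """Return a verdict for one comment body.

    A link to a suspect host is enough on its own. The archive name or the
    password alone is weak evidence, so those two are only counted together.
    """
    reasons: List[str] = []
    lowered = text.lower()

    for m in URL_RE.finditer(text):
        host = _host_of(m.group(1))
        if _is_suspect_host(host):
            reasons.append(f"link to {host}")

    has_name = ARCHIVE_NAME in lowered
    has_pass = ARCHIVE_PASSWORD in lowered
    if has_name:
        reasons.append(f"mentions {ARCHIVE_NAME}")
    if has_pass:
        reasons.append(f"contains archive password {ARCHIVE_PASSWORD!r}")

    link_hit = any(r.startswith("link to") for r in reasons)
    return Verdict(suspicious=link_hit or (has_name and has_pass), reasons=reasons)


def triage(comments: List[str]) -> List[int]:
    """Indexes of comments that should be reported or hidden, in order."""
    return [i for i, c in enumerate(comments) if score_comment(c).suspicious]


# Constructed sample comments; none of these URLs are real.
SAMPLE_COMMENTS = [
    "I had the same bug, here is the fix: https://www.mediafire.com/file/EXAMPLE/fix.zip "
    "(password: changeme)",
    "Fixed in #123, see https://github.com/example-org/example-repo/pull/123",
    "Patched build here https://bit.ly/EXAMPLE - archive pass is changeme",
    "Thanks, that resolved it for me!",
    "Attached fix.zip, password changeme, no link yet, ask and I will send it",
]

if __name__ == "__main__":
    for i in triage(SAMPLE_COMMENTS):
        print(i, score_comment(SAMPLE_COMMENTS[i]).reasons)
```

The host check deliberately matches on the registered domain and its subdomains rather than on substrings, so a lookalike such as mediafire.com.example.net is not flagged. In practice you would feed it comment bodies pulled from the GitHub API and report or hide the flagged ones rather than deleting them, so that the evidence is preserved.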
Scale and Impact of the Campaign
Cybersecurity researcher Nicholas Sherlock reported that over 29,000 malicious comments were posted on GitHub within three days, which shows how quickly the campaign was deployed and how wide it reached.
Lumma Stealer’s Capabilities
Once installed, Lumma Stealer targets a wide range of sensitive information, including:
- Browser data (saved credentials, cookies, bank card details and browsing history) from popular browsers such as Google Chrome, Microsoft Edge and Mozilla Firefox
- Cryptocurrency wallet data and private keys
- Text files likely to contain passwords or private keys (for example seed.txt, pass.txt, wallet.txt)
Mitigation and Protection Measures
GitHub is removing the malicious comments as they are reported, but many users had already run the archive by then. If you executed the file, treat the machine as compromised and take action immediately:
- Change the passwords for all your accounts, using a unique password for each site, and do it from a device you trust, not the infected one
- Sign out of all active sessions on those accounts: Lumma steals browser cookies, so a password change alone does not invalidate a session the attacker already holds
- Move any cryptocurrency to a new wallet whose seed was generated on a clean device; the old wallet's keys and seed files should be considered exposed
- Run a thorough antivirus scan, and if you cannot be sure the machine is clean, reinstall it
- Monitor your accounts for suspicious activity
The incident is a reminder that collaborative platforms like GitHub are also a delivery channel for malware. A genuine fix arrives as a commit, pull request or release in the repository itself, not as a password-protected archive on a file host linked from a comment. Treat any executable or script offered that way as untrusted, verify where it really comes from before running it, and keep your security software up to date.