Cybersecurity firm Checkmarx has uncovered a large-scale software supply chain attack on GitHub, dubbed "RepoStorm." The campaign, active since at least mid-May 2024, has leveraged artificial intelligence to create and promote over 300 malicious repositories designed to trick users into downloading information-stealing malware.
The threat actors created fake repositories that impersonated a wide range of assets, from developer tools and cracked software to cheats for popular games like Roblox, Fortnite, and Grand Theft Auto V. According to the Checkmarx report, AI was likely used to generate convincing repository names, detailed README files, and persuasive descriptions, allowing the campaign to operate at a significant scale. Users searching for these tools were lured into downloading ZIP archives that appeared legitimate.
These archives did not contain the promised software. Instead, they delivered well-known malware payloads, primarily information stealers such as Lumma, Vidar, and RedLine Stealer. Once executed, this malware is designed to harvest sensitive data from a victim's machine, including browser history, saved credentials, cookies, and cryptocurrency wallet information. In some instances, the repositories were also found to distribute Remote Access Trojans (RATs).
The campaign targets a broad audience, from individual developers and gamers to employees who might download these tools on corporate devices, creating a risk of business network compromise. The use of AI to generate plausible content makes it more difficult for users to distinguish malicious repositories from legitimate ones. Following the disclosure from Checkmarx, GitHub has reportedly removed most of the identified malicious repositories. Security professionals advise users to only download software from official, verified sources and to be highly skeptical of repositories offering cheats or pirated applications.
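The advice above is easier to act on when a defender can triage repositories systematically. The following is an added example, not Checkmarx's tooling or anything from the RepoStorm report: a small Python triage script that scores a repository on the signals the article describes (cheat and cracked-software vocabulary, a young account, and a release ZIP that ships executables instead of source). The metadata fields, lure terms beyond the game names, weights and threshold are assumptions chosen for illustration, and the two sample repositories are constructed.

```python
"""Triage heuristics for repository listings that may be lure repositories.

Added example, not Checkmarx's tooling or anything from the RepoStorm report.
It scores a repository on signals the article describes: lure vocabulary
(cracked software, game cheats), a young account, and a release ZIP that ships
executables instead of source. Field names, thresholds and weights are
assumptions for illustration.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed lure vocabulary: the game names come from the article, the rest are illustrative.
LURE_TERMS = ("cracked", "cheat", "aimbot", "hack", "roblox", "fortnite", "gta v")
LURE_RE = re.compile(r"\b(" + "|".join(re.escape(t) for t in LURE_TERMS) + r")\b")

# Extensions that have no business inside an archive advertised as a tool's source.
EXECUTABLE_EXTS = (".exe", ".scr", ".bat", ".cmd", ".msi", ".vbs", ".ps1", ".dll")

SUSPICION_THRESHOLD = 5  # assumed cut-off for "needs a human look"


@dataclass
class RepoMeta:
    name: str
    description: str
    readme: str
    account_age_days: int
    archive_bytes: Optional[bytes] = None  # release asset, if the repo offers one


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICION_THRESHOLD


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def executables_in_zip(data: bytes) -> List[str]:
    """Return member names that carry an executable extension (case-insensitive)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]


def assess_repo(meta: RepoMeta) -> Verdict:
    """Score a repository; a higher score means more lure-like, never a proof."""
    v = Verdict()
    text = " ".join((meta.name, meta.description, meta.readme)).lower()
    hits = sorted(set(LURE_RE.findall(text)))
    if hits:
        v.score += 2 * len(hits)
        v.reasons.append("lure terms: " + ", ".join(hits))
    if meta.account_age_days < 30:
        v.score += 2
        v.reasons.append(f"account is only {meta.account_age_days} days old")
    if meta.archive_bytes is not None:
        try:
            exes = executables_in_zip(meta.archive_bytes)
        except zipfile.BadZipFile:
            exes = []
            v.score += 1
            v.reasons.append("release asset is not a valid ZIP")
        if exes:
            v.score += 5
            v.reasons.append("archive ships executables: " + ", ".join(exes))
    return v


# Constructed samples, not real repositories.
LURE_SAMPLE = RepoMeta(
    name="Fortnite-Aimbot-Free",
    description="Free Fortnite cheat and aimbot, cracked, undetected",
    readme="Download the ZIP and run Setup.exe to start.",
    account_age_days=3,
    archive_bytes=build_zip({"README.txt": b"run it", "Setup.exe": b"MZ..."}),
)
BENIGN_SAMPLE = RepoMeta(
    name="tinyhttp",
    description="A small HTTP client library",
    readme="pip install tinyhttp",
    account_age_days=900,
    archive_bytes=build_zip({"tinyhttp/__init__.py": b"", "setup.py": b""}),
)

if __name__ == "__main__":
    for sample in (LURE_SAMPLE, BENIGN_SAMPLE):
        verdict = assess_repo(sample)
        print(f"{sample.name}: score={verdict.score} suspicious={verdict.suspicious}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The score is a triage aid, not a verdict: a legitimate project can trip the vocabulary check, and a lure repository can avoid it. The archive check carries the most weight because a ZIP that contains a Windows executable where source code was promised is the concrete delivery step the article describes, and it is something an endpoint or proxy control can inspect before the file reaches a user.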