GitHub comments abused to push password stealing malware masked as fixes

GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments.

The campaign was first reported by a contributor to the teloxide Rust library, who noted on Reddit that they received five different comments in their GitHub issues that pretended to be fixes but were instead pushing malware.

Further review by BleepingComputer found thousands of similar comments posted to a wide range of projects on GitHub, all offering fake fixes to other people’s questions.

The supposed fix tells people to download a password-protected archive from mediafire.com or through a bit.ly URL and run the executable within it. In the current campaign, the password has been “changeme” in all the comments we have seen.

Reverse engineer Nicholas Sherlock told BleepingComputer that over 29,000 comments pushing this malware had been posted over a 3-day period.

Clicking on the link brings visitors to a download page for a file called ‘fix.zip,’ which contains a few DLL files and an executable named x86_64-w64-ranlib.exe.
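For maintainers triaging their own issue threads, the lure described above can be matched with a simple heuristic. This is an added example, not code from the article or from GitHub: the hosts, password and file names come from the article, while the scoring rule, function names and sample comments are assumptions constructed for illustration.

```python
import re

# Indicators below come from the article; the scoring rule is an assumption.
LINK = re.compile(r"https?://(?:www\.)?(?:mediafire\.com|bit\.ly)/\S+", re.I)
PASSWORD = re.compile(r"\b(?:password|passwd|pwd)\b", re.I)
KNOWN_NAMES = ("fix.zip", "x86_64-w64-ranlib.exe")
KNOWN_PASSWORD = "changeme"


def signals(body: str) -> set[str]:
    """Return the names of the lure indicators present in one comment body."""
    text = body.lower()
    found = set()
    if LINK.search(body):
        found.add("file_host_link")
    if PASSWORD.search(body):
        found.add("archive_password")
    if KNOWN_PASSWORD in text:
        found.add("known_password")
    if any(name in text for name in KNOWN_NAMES):
        found.add("known_filename")
    return found


def is_suspect(body: str) -> bool:
    """A download link alone is common; flag it only with a second indicator."""
    found = signals(body)
    return "file_host_link" in found and len(found) >= 2


def triage(comments: dict[int, str]) -> list[int]:
    """Return the ids of comments a maintainer should review and report."""
    return sorted(cid for cid, body in comments.items() if is_suspect(body))


# Constructed sample comments (not real data); URLs are placeholders.
SAMPLE = {
    101: "Same issue here, this fixed it: https://www.mediafire.com/file/EXAMPLE/fix.zip "
         "password: changeme. Unpack it and run the exe.",
    102: "Fixed in the next release, run cargo update and rebuild.",
    103: "Docs moved to https://bit.ly/EXAMPLE-docs, see the webhooks section.",
    104: "Reset your password in the bot settings, the library is not involved.",
}

if __name__ == "__main__":
    for cid in triage(SAMPLE):
        print(cid, sorted(signals(SAMPLE[cid])))
```

Requiring a second indicator next to the link keeps ordinary shortened links and unrelated mentions of passwords out of the review queue.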

Running the executable on Any.Run indicates it is the Lumma Stealer information-stealing malware.

Lumma Stealer is an advanced info stealer that, when executed, attempts to steal cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers.

The malware can also steal cryptocurrency wallets, private keys, and text files with names like seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf, as these are likely to contain private crypto keys and passwords.

This data is collected into an archive and sent back to the attacker, where they can use the information in further attacks or sell it on cybercrime marketplaces.

While GitHub Staff has been deleting these comments as they are detected, people have already reported falling for the attack.

Anyone who mistakenly launched the malware should change the passwords on all of their accounts, using a unique password for each site, and migrate cryptocurrency to a new wallet.

Last month, Check Point Research disclosed a similar campaign by the Stargazer Goblin threat actors, who created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub to push information-stealing malware.

It is unclear if this is the same campaign or a new one conducted by different threat actors.

Lawrence Abrams
