Sophos uncovered a widespread campaign involving backdoored GitHub repositories, primarily targeting game cheaters and novice threat actors, with numerous types of complex backdoors used for malware delivery. This operation appears to be part of a larger distribution-as-a-service network linked to long-standing cybercriminal infrastructure. #SakuraRAT #GitHubBackdoors
Key points
- Cybercriminals are injecting backdoors into open source repositories, including GitHub and NPM packages.
- Sophos identified four types of backdoor used in the campaign, which targets game cheaters and inexperienced hackers.
- The campaign is linked to a long-running distribution-as-a-service operation with multiple malware families.
- The repositories often show signs of extensive activity, such as high commit counts and related aliases.
- Attackers are creating backdoored projects at scale, potentially taking code from various sources and combining it into malicious repositories.