Developers can never be too careful: a network of more than 3,000 malicious accounts was discovered on GitHub as part of a distribution-as-a-service (DaaS) operation that aims to distribute malicious links and malware, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.
In a July 24 blog post, Check Point Research tracked the threat group behind the DaaS service as Stargazer Goblin, which operates and maintains the Stargazers Ghost Network and links via GitHub accounts that appear legitimate.
The researchers noted that bad actors in the past would distribute malicious software directly on GitHub by downloading either raw encrypted scripting code or malicious executables.
Their tactics have evolved. Stargazer Goblin operates a network of “Ghost” accounts that distribute malware via malicious links on their repositories and encrypted archives. This network distributes malware and also forks, stars, and watches malicious repositories, creating the illusion that it’s a safe site.
“The Stargazers Ghost Network appears to be only one part of the grand picture, with other Ghost accounts operating on different platforms, constructing an even bigger DaaS universe,” said the researchers.
The Stargazers Ghost Network presents a significant threat to organizations by exploiting GitHub's reputation to distribute malware through seemingly legitimate repositories, said Sarah Jones, cyber threat intelligence research analyst at Critical Start. Jones said this tactic can lead to severe consequences, including data breaches, financial losses, and reputational damage.
“The network's ability to potentially introduce malicious code into the software supply chain is particularly concerning for organizations that rely heavily on open-source components,” said Jones.
To protect against these threats, Jones said organizations must adopt a multi-faceted approach, which includes conducting thorough code reviews and security testing, leveraging static and dynamic analysis tools, implementing strong access controls, and monitoring repository activity. The use of a Software Bill of Materials (SBOM) can enhance transparency and facilitate the identification of vulnerabilities. Regularly updating open-source dependencies and staying informed about known vulnerabilities are also crucial practices. Additionally, fostering a security-aware culture among developers can significantly bolster an organization's defenses.
Balazs Greksza, threat response lead at Ontinue, pointed out that security teams shouldn’t need to do anything because random code will not appear on their software distributions. This situation is not a typical enterprise threat — it’s likely through Discord distribution — noted Greksza.
“Our team dug into some of the accounts and there isn't any content, which tells us that the operation was successfully taken down,” said Greksza. “That said, if they have automation, there’s a possibility that they’ll retry other accounts to look for new victims.”
Just like click farms can artificially increase social media followers, give fake ratings on Amazon, or pad book reviews, the same can be true with GitHub metrics, where there's no way to really distinguish between authentic and inauthentic engagement with a repository, pointed out John Bambenek, president of Bambenek Consulting.
"Separating out the chain of attack among multiple accounts [on GitHub] is a great way the attackers have found to maintain the cadence of their attacks," said Bambenek. "Unfortunately, this really is only a problem that GitHub can solve."