📣 Send us your press release
Site updates every 15 minutes
Technology

Lumma Infostealer Leverages GitHub for Large-Scale Data Exfiltration

CISA has issued a warning regarding Lumma Infostealer, a rapidly growing malware. Cybersecurity researchers have observed extensive campaigns where Lumma exploits social engineering tactics on GitHub to infiltrate systems and steal sensitive data.

13 July 2026
Lumma Infostealer Leverages GitHub for Large-Scale Data Exfiltration

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about Lumma Infostealer, marking a significant surge in activity since early 2025. The malware, believed to have been active throughout 2024 and into the current year, has been employed in large-scale data exfiltration campaigns. Its operators have been observed leveraging trusted platforms like GitHub to distribute malicious payloads, employing advanced techniques to evade detection.

Lumma Stealer operates as a Malware-as-a-Service (MaaS), making it accessible to a wide range of cybercriminals. First appearing on dark web forums in August 2022, its user base has expanded dramatically. The malware incorporates sophisticated features to evade analysis, including anti-virtual machine capabilities, payload encryption, and the abuse of legitimate system tools through "Living off the Land" techniques.

The primary motivation behind Lumma is financial gain. The malware is designed to harvest credentials, banking information, cryptocurrency wallets, and other personal data from victims. This stolen data can then be sold on underground markets or used for fraudulent activities. The actors behind Lumma appear to be financially driven cybercriminals rather than nation-state actors.

Attackers have systematically used GitHub for initial access. In one observed campaign, developers were tricked into downloading "fixes" for vulnerabilities, which were actually Lumma Stealer payloads. In separate incidents, thousands of fake comments were posted across GitHub projects, directing users to download malware disguised as solutions to reported issues.

Original source: picussecurity.com