📣 Send us your press release
Site updates every 15 minutes
Technology

Over 200 GitHub Repositories Found Hosting Malware, Including Remote Access Trojans

Security firm Socket has revealed a large-scale malware campaign dubbed 'Muck and Load,' utilizing over 200 GitHub repositories to distribute various malicious software, including RATs and cryptominers.

11 July 2026
Over 200 GitHub Repositories Found Hosting Malware, Including Remote Access Trojans
Image is an AI-generated illustration

Security researchers have uncovered a significant malware campaign, codenamed 'Muck and Load,' that has been actively distributing malicious software through over 200 code repositories on GitHub. The campaign, which began in early 2026, uses a Go module disguised as a DNS and subdomain scanning tool to deploy a variety of Windows malware, including Remote Access Trojans (RATs), info-stealers, and cryptocurrency miners.

One implicated malicious Go module, initially presented as a legitimate open-source project named 'dnsub-scanning-tool,' exhibited an unusually rapid versioning history. The module published over 1,200 versions in just a few months, with over 700 identified as malicious. Attackers reportedly manipulated GitHub Actions workflows to artificially inflate the version count, creating a false impression of legitimate development.

The malware employs a sophisticated distribution method. After execution, it downloads an encoded file and uses Windows' built-in certutil tool to decode it into a PowerShell script. This script then uses a 'Dead Drop Resolver' technique to retrieve the actual payload location from various public platforms such as Pastebin, Lum, Telegram, and Google Docs. This approach allows attackers to quickly change payload URLs without altering the initial infection vector.

Socket's investigation linked this campaign to a previously disclosed GitHub backdoor operation by Sophos in June 2025, which shared similar indicators, including a specific email address and domain names. While GitHub and the Go security team have not issued official statements, the malicious modules have been blocked from the Go module proxy. Developers are advised to exercise caution with suspicious packages, especially those claiming to offer cryptocurrency tools or game cheats.

Original source: ithome.com