Network of 200 GitHub Repositories Used for Malware Infection
Threat actor "Operation Muck and Load" utilized over 200 GitHub repositories to distribute Windows malware via a deceptive Go module. The malicious module masquerades as a DNS scanning tool, using hidden PowerShell commands to fetch resolvers from public dead drops like Pastebin and YouTube. The attack chain results in the deployment of various threats, including RATs (AsyncRAT, Quasar), infostealers (Vidar), and cryptominers (XMRig). The actor employed automated GitHub Actions workflows to gene
Analysis
TL;DR
- Threat actor "Operation Muck and Load" utilized over 200 GitHub repositories to distribute Windows malware via a deceptive Go module.
- The malicious module masquerades as a DNS scanning tool, using hidden PowerShell commands to fetch resolvers from public dead drops like Pastebin and YouTube.
- The attack chain results in the deployment of various threats, including RATs (AsyncRAT, Quasar), infostealers (Vidar), and cryptominers (XMRig).
- The actor employed automated GitHub Actions workflows to generate hundreds of malicious package versions, evading detection through rapid iteration.
Why It Matters
This incident highlights the growing sophistication of supply chain attacks targeting open-source ecosystems, specifically leveraging the trust developers place in package managers like Go modules. It demonstrates how threat actors exploit public platforms not just for hosting, but as active components in their delivery infrastructure, bypassing traditional security controls by hiding malicious logic within legitimate-looking code structures.
Technical Details
- Deceptive Packaging: The core vector is a Go module disguised as
dnsub, a legitimate DNS/subdomain scanning tool, which serves as a lure to trick developers into importing malicious dependencies. - Obfuscation Techniques: Malicious PowerShell commands are embedded in the Go code using excessive horizontal whitespace to evade static analysis and visual inspection, running before any intended scanning logic.
- Resilient Delivery: The PowerShell script fetches encrypted payload metadata from diverse public dead drops (Pastebin, Rlim, Telegram, Google Docs), allowing the attacker to rotate or update payloads without changing the initial malware binary.
- Automated Distribution: Over 1,200 versions of the package were published since January 24, 2026, with 700 being malicious, generated via automated GitHub Actions workflows creating timestamp-based pseudo-versions to maintain persistence and evade takedowns.
- Final Payloads: The execution chain culminates in the deployment of AsyncRAT, Quasar RAT, Remcos-style RATs, Vidar infostealer, and Monero cryptominers.
Industry Insight
- Enhanced Dependency Auditing: Organizations must implement stricter dependency scanning tools that can detect obfuscated code patterns and unusual behavior in third-party libraries, rather than relying solely on reputation or signature-based checks.
- Supply Chain Vigilance: Developers should verify the integrity of all imported packages, especially those with high version turnover or suspicious commit histories, and avoid blindly trusting popular but potentially compromised repositories.
- Platform Security Collaboration: Cloud providers and code hosting platforms need to improve detection mechanisms for automated abuse workflows and dead-drop integration, as these tactics are becoming standard for resilient malware distribution.
Disclaimer: The above content is generated by AI and is for reference only.