Hackers are spreading the Lumma Stealer malware via fake fixes posted in tens of thousands of GitHub comments. GitHub is removing the fake fixes, but in the meantime they are still claiming victims.
According to a Reddit post by a contributor to the teloxide Rust library, he received five different comments in the library's GitHub issues that turned out to be fake fixes. Worse, these so-called fixes pushed the Lumma Stealer malware.
Subsequent investigation by security researchers revealed that tens of thousands of comments on other GitHub projects were abused to push the same malware: as many as 29,000 fake comments were counted over three days.
Downloading .exe file
The fake comments were posted to a wide range of unrelated GitHub projects and all offered "fixes" for other people's problems.
More specifically, the comments tell the reader to download a password-protected archive from the file-hosting site mediafire.com, sometimes via a bit.ly short link, and to run the .exe file contained in it. The password given in the comments for the archive is 'changeme'.
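The lure described above has a recognisable shape: a link to a file host or URL shortener, an archive password quoted in the comment itself, and a mention of an archive or executable. The following is an added example, not code from the article or from GitHub, of a heuristic that a maintainer could run over issue comments pulled from the GitHub API to triage them before following any link. The sample comments are constructed for illustration, and the host list and scoring rule are assumptions chosen to match the campaign as the article describes it.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample comments (not real GitHub data): two that follow the lure
# pattern from the article and one benign reply for contrast.
SAMPLE_COMMENTS = [
    "I had the same issue. Fixed it with this: "
    "https://www.mediafire.com/file/abc123/fix.zip password: changeme",
    "Solution here https://bit.ly/3xyzabc (archive password changeme), just run the exe",
    "Thanks, upgrading to 0.12.2 resolved the panic for me.",
]

# Assumed list of hosts seen in the campaign; extend with other file hosts
# and shorteners as needed.
LURE_HOSTS = ("mediafire.com", "bit.ly", "bitly.com")
# Password the article reports for the archives; a match is a strong signal.
KNOWN_LURE_PASSWORD = "changeme"

URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\bpassword\b\s*[:=-]?\s*[`'\"]?(\w+)", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(?:zip|rar|7z|exe)\b|\barchive\b", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


def _is_lure_host(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in LURE_HOSTS)


def classify_comment(body: str) -> Verdict:
    """Score one comment body against the lure pattern and explain the result."""
    reasons = []
    link_hit = False
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if _is_lure_host(host):
            link_hit = True
            reasons.append(f"link to file host or shortener: {host}")
    m = PASSWORD_RE.search(body)
    if m:
        pw = m.group(1)
        tag = " (matches known lure password)" if pw.lower() == KNOWN_LURE_PASSWORD else ""
        reasons.append(f"archive password given in comment: {pw}{tag}")
    if ARCHIVE_RE.search(body):
        reasons.append("mentions an archive or executable")
    # A bare shortener link is weak on its own; require it together with at
    # least one of the other two signals before flagging.
    return Verdict(suspicious=link_hit and len(reasons) >= 2, reasons=reasons)


def flag_suspicious(comments: list[str]) -> list[int]:
    """Return the indices of comments that match the lure pattern."""
    return [i for i, c in enumerate(comments) if classify_comment(c).suspicious]


if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_COMMENTS):
        v = classify_comment(body)
        print(f"[{i}] suspicious={v.suspicious}")
        for r in v.reasons:
            print(f"      - {r}")
```

In practice the comment bodies would come from the repository's issue comments endpoint; the heuristic is deliberately conservative, so a comment that only contains a shortener link is reported with its reasons but not flagged, while a link plus an in-comment archive password is.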
Infostealer of sensitive data
The Lumma Stealer malware being distributed is an infostealer that mainly targets cookies, saved login credentials and credit card information, as well as browsing history, from Chrome, Edge, Firefox and other Chromium-based browsers.
It also goes after cryptocurrency wallets and private keys, and collects text files with names such as seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, plus any *.txt and *.pdf files. Such files often contain seed phrases, keys and passwords.
GitHub has since been busy removing the fake comments, but it is very likely that the malware has already claimed victims. Anyone who ran one of these "fixes" should change the passwords for all their accounts and, because stolen session cookies let an attacker in without a password, also sign out of active sessions. They should move any cryptocurrency they hold to a new wallet, since the wallet files and seed phrases must be assumed compromised.