Threat actor Banana Squad exploits GitHub repos in new campaign

Trends in open-source software supply chain attacks – ones that exploit the public platforms developers rely on for software development – have changed quite a bit in recent years. While the number of malicious packages uploaded to open-source repositories like npm and the Python Package Index (PyPI) has decreased, threat actors are becoming stealthier and more sophisticated, carrying out less obvious attacks on platforms like GitHub.

This trend can be seen in a new campaign discovered by the ReversingLabs threat research team, in which more than 60 GitHub repositories that at first glance appear to host hacking tools written in Python were actually trojanized look-alikes of other identically named repositories. The adversary behind this campaign, Banana Squad, was first spotted by researchers at Checkmarx in October 2023. The group is named after its earliest malicious domain: bananasquad[.]ru.

In Banana Squad’s original campaign, researchers found that, starting in April 2023, the threat actor was relentlessly deploying hundreds of malicious packages using various usernames. The Windows-based final payloads aimed to steal “extensive amounts of sensitive data,” which include the target’s system, applications, browsers and cryptocurrencies, researchers noted. The malicious packages accumulated close to 75,000 downloads before the campaign was identified and the packages removed.

More recently, a single repository from a Banana Squad campaign, dieserbenni[.]ru, was analyzed by researchers at SANS's Internet Storm Center in November 2024. The researchers discovered trojanized Python files that abuse a UI feature on GitHub in which long lines of code do not wrap to a new line. That allowed the attackers to insert a long run of spaces that pushes the malicious backdoor code off the screen to the right, out of the victim’s view, making it harder to detect visually.
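A defender-side check for the padding trick described above, as an added example that is not from ReversingLabs, SANS or the original post: it flags source lines where a long run of whitespace is followed by more text. The function name, the 100-character threshold and the sample input are assumptions made for this illustration.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based line number
    column: int    # 1-based column where the pushed-out text starts
    gap: int       # length of the whitespace run in front of it
    hidden: str    # the text that follows the run (truncated to 60 chars)


_WS_RUN = re.compile(r"[ \t]+")


def find_offscreen_code(source: str, min_gap: int = 100) -> List[Finding]:
    """Flag lines where a long whitespace run is followed by more text.

    min_gap is an assumed threshold, not a value from the article; ordinary
    indentation or alignment rarely comes close to 100 columns.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for run in _WS_RUN.finditer(line):
            gap = run.end() - run.start()
            # A run that reaches the end of the line is trailing whitespace
            # and hides nothing, so it is skipped.
            if gap >= min_gap and run.end() < len(line):
                findings.append(Finding(line_no, run.end() + 1, gap,
                                        line[run.end():run.end() + 60]))
                break  # one finding per line is enough for triage
    return findings


# Constructed sample: line 3 pads a harmless placeholder far to the right.
SAMPLE = (
    "import os\n"
    "def banner():\n"
    "    print('tool v1')" + " " * 300 + "; print('placeholder for hidden code')\n"
    "    return os.getcwd()\n"
    "x = 1" + " " * 200 + "\n"  # trailing whitespace only: not flagged
)

if __name__ == "__main__":
    for f in find_offscreen_code(SAMPLE):
        print(f"line {f.line_no}, col {f.column}: {f.gap} spaces before {f.hidden!r}")
```

Running it over a cloned repository before executing anything from it surfaces the lines that the web view cuts off; each hit still needs a manual read of the text after the gap.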

The post Threat actor Banana Squad exploits GitHub repos in new campaign appeared first on Security Boulevard.

18 June 2025

