Nearly 300 Fake GitHub Repositories Distributing BoryptGrab Malware

Nearly 300 Fake GitHub Repositories Distributing BoryptGrab Malware

First seen 16 Jul 2026, 09:23 UTC www.heise.dewww.clubic.com 71% similarity 67.5

Article Content

Browse articles
ThreatCluster

Since late June 2026, nearly 300 fake GitHub repositories have been created, impersonating well-known software brands to distribute malware. The malware, a variant of BoryptGrab, targets Windows systems and is designed to steal credentials from various applications, including web browsers and cryptocurrency wallets. The attack employs social engineering tactics, with victims misled into downloading a ZIP file containing the malware. Security researchers from Arctic Wolf discovered the campaign after identifying a fake repository posing as their own brand. Most of the malicious repositories have been removed by GitHub, but some may still be active, posing ongoing risks. The attack highlights the dangers of brandjacking and the effectiveness of social engineering in cybersecurity threats.

Key Points: • Nearly 300 fake GitHub repositories have been identified, spreading malware. • The malware, BoryptGrab, targets credentials from web browsers and crypto wallets. • Most malicious repositories have been removed, but some may still be operational.

ThreatCluster AI

Timeline

2026-06-30
Fake repository created impersonating Arctic Wolf
A repository named Arctic-Wolf-Security was created, leading to the discovery of the broader campaign.
Clubic
2026-07-16
Discovery of nearly 300 fake repositories
Arctic Wolf researchers identified 292 fake GitHub repositories distributing BoryptGrab malware.
Heise
Recent
Most fake repositories removed by GitHub
Following reports, GitHub has taken down the majority of the identified malicious repositories.
Heise

Community

Browse all →