Hackers Turn GitHub into a Free Malware Hotel
Researchers have spotted cyber-crooks abusing public GitHub repositories as free, trustworthy-looking hosting for malware. The campaign, dubbed "GrokRAT" by Trend Micro, uses innocent-looking projects that actually hide an encrypted remote-access trojan. Victims receive a phishing email with a link to the repo's raw file; a PowerShell one-liner pulls the script straight from GitHub, and because the download comes from an allow-listed domain over ordinary HTTPS it sails past most web filters. Once installed, the RAT phones home, also via GitHub, using Issues and Pull Requests as covert command-and-control channels. The tactic costs the attackers nothing in infrastructure and buries their traffic in normal developer noise. GitHub has removed the offending repos, but the researchers warn the idea will spread.
GitHub: the place for open‑source heroes, bad code rants… and now discount RAT accommodation.
What’s happened?
Trend Micro's boffins have uncovered a campaign dubbed "GrokRAT" in which crooks stash nasty scripts in public GitHub repositories. Because GitHub is about as trustworthy as tea at 4 pm, and sits on nearly every corporate allow-list, firewalls and proxies wave the traffic straight through.
How the con works
1. Phishing email – “Oi, view this invoice” (classic).
2. PowerShell one-liner – grabs a raw file from GitHub (raw.githubusercontent.com, a domain almost every proxy already allows).
3. Hidden payload – the encrypted RAT is decrypted and run in memory, where it steals logins and snaps screenshots.
4. C2 by Issues and Pull Requests – the malware polls the repo's Issues (and Pull Requests) for commands, so the beaconing looks like normal dev chatter.
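The two GitHub-facing stages above (the raw-file fetch and the Issues polling) are the bits a defender can actually see in proxy logs. The following is an added example, not code from the article or from Trend Micro's research: a small Python detector that runs over constructed proxy log lines, flags a PowerShell user agent fetching from raw.githubusercontent.com, and flags a host hitting the same GitHub Issues or Pull Requests URL at a steady, timer-like cadence. The log format, host names, repository names and the "developer hosts" group are assumptions made up for the example; the user-agent substring is the one Windows PowerShell and pwsh send by default (and which a RAT can of course spoof).

```python
"""Added detection example (not from the article or Trend Micro): flag the two
GitHub-facing stages of the chain in proxy logs.  All hosts, repos and log
lines below are constructed for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlparse

# Constructed proxy log; format assumed as: timestamp|src_host|user_agent|url
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:01|ACCT-PC07|Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1|https://raw.githubusercontent.com/someorg/invoice-tools/main/run.ps1
2024-05-01T09:00:05|ACCT-PC07|Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1|https://api.github.com/repos/someorg/invoice-tools/issues
2024-05-01T09:01:05|ACCT-PC07|Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1|https://api.github.com/repos/someorg/invoice-tools/issues
2024-05-01T09:02:05|ACCT-PC07|Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1|https://api.github.com/repos/someorg/invoice-tools/issues
2024-05-01T09:03:04|ACCT-PC07|Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1|https://api.github.com/repos/someorg/invoice-tools/issues
2024-05-01T09:00:30|DEV-LT12|git/2.44.0|https://github.com/someorg/internal-app.git/info/refs
2024-05-01T09:10:00|DEV-LT12|Mozilla/5.0 (Windows NT 10.0) Chrome/124.0|https://github.com/someorg/internal-app/issues/42
2024-05-01T11:00:00|DEV-LT12|Mozilla/5.0 (Windows NT 10.0) Chrome/124.0|https://github.com/someorg/internal-app/issues/43
2024-05-01T09:05:00|DEV-LT12|Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1|https://raw.githubusercontent.com/someorg/internal-app/main/build.ps1
"""

# Hosts that legitimately talk to GitHub all day (assumed inventory group).
DEV_HOSTS = {"DEV-LT12"}


def parse_proxy_log(text):
    """Turn the pipe-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ua, url = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "ua": ua, "url": url})
    return events


def is_powershell_ua(ua):
    """Default user agents: Windows PowerShell sends 'WindowsPowerShell/5.x',
    pwsh 7 sends 'PowerShell/7.x'.  Spoofable, so a signal rather than proof."""
    return "PowerShell/" in ua


def detect_raw_fetch(events, dev_hosts):
    """Stage 2: a script interpreter pulling a raw file off GitHub.  Developers
    do this too, so the host's role drives severity rather than the rule."""
    findings = []
    for e in events:
        if (urlparse(e["url"]).netloc == "raw.githubusercontent.com"
                and is_powershell_ua(e["ua"])):
            findings.append({
                "rule": "powershell_raw_github_fetch",
                "host": e["host"],
                "url": e["url"],
                "severity": "low" if e["host"] in dev_hosts else "high",
            })
    return findings


def detect_issues_beacon(events, dev_hosts, min_hits=3, max_jitter=0.25):
    """Stage 4: one host hitting the same Issues/Pull Requests URL repeatedly at
    a steady cadence.  Humans open different issues at irregular times; a
    polling loop hits one list endpoint on a timer."""
    groups = defaultdict(list)
    for e in events:
        u = urlparse(e["url"])
        if u.netloc in ("api.github.com", "github.com") and (
                "/issues" in u.path or "/pulls" in u.path):
            groups[(e["host"], e["url"])].append(e["ts"])
    findings = []
    for (host, url), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0 or pstdev(gaps) / mean > max_jitter:
            continue  # irregular spacing: looks like a person, not a timer
        findings.append({
            "rule": "github_issues_beacon",
            "host": host,
            "url": url,
            "hits": len(times),
            "interval_s": round(mean),
            "severity": "medium" if host in dev_hosts else "high",
        })
    return findings


def find_github_rat_activity(log_text, dev_hosts=DEV_HOSTS):
    """Run both rules over a log; raw-fetch findings first, then beacons."""
    events = parse_proxy_log(log_text)
    return detect_raw_fetch(events, dev_hosts) + detect_issues_beacon(events, dev_hosts)


if __name__ == "__main__":
    for f in find_github_rat_activity(SAMPLE_PROXY_LOG):
        print(f["severity"].upper(), f["rule"], f["host"], f["url"])
```

On the constructed log this raises a high-severity finding for the accounting box on both rules and only a low one for the developer laptop's PowerShell build script; the developer browsing two different issues an hour apart never groups into a beacon because the rule keys on the exact URL and requires a regular interval. Tune `min_hits` and `max_jitter` to your environment, and remember that a RAT with randomised sleep will need a longer window or a different cadence test.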
Why it’s sneaky
No shady domain names, no dodgy VPS bills. Everything rides on Microsoft-owned GitHub infrastructure over TLS on port 443, blending into the same traffic as any other Git pull, so domain reputation and IP blocklists have nothing to bite on.
What you should do
• Block or at least alert on outbound network connections from PowerShell where possible, and log what it runs so a one-liner fetching from GitHub leaves a trace.
• Don't lean on domain reputation alone; GitHub will always pass. Filter at the URL level (raw.githubusercontent.com fetches and Issues/Pull Request polling from hosts that have no business there) or use TLS inspection so the proxy can see the path, not just the domain.
• Treat any unsolicited repo link like week-old sushi.
If the only “developer” in Accounting suddenly loves GitHub, ask questions.