A threat group dubbed “Banana Squad,” active since April 2023, has trojanized more than 60 GitHub repositories in an ongoing campaign, offering Python-based hacking kits with malicious payloads.
Discovered by ReversingLabs, the malicious public repos each imitate a well-known hacking tool to look legitimate but inject hidden backdoor logic.
“At first glance (they) appear to be hacking tools written in Python (but) were actually trojanized look-alikes of other identically named repositories,” Principal Malware Researcher Robert Simmons said in a blog post. “The repositories were discovered by working backwards from the malicious URL indicators in ReversingLabs’ network threat intelligence dataset.”
Simmons noted that the campaign represents a shift from blatant npm/PyPI knock-offs to more subtle exploitation of platforms like GitHub.
Malware posing as hacking tools
Each of the 67 poisoned repositories found was impersonating a legitimate utility, such as a credential stealer, vulnerability scanner, or other infosec-themed tool. But these versions come with malicious code stealthily embedded in massive strings, whitespace gaps, or cryptic logic hidden far off-screen.
“There are many spaces on the trojanized line of code, making it so that even on a large monitor at 4K with a maximized window, the malicious code is not in view,” Simmons said of the Banana Squad technique. “However, viewing the file in Spectra Analyze’s Preview feature clearly shows what the content is.”
Attackers stuffed harmful Python into a single unreadably long line, hoping users would never scroll far enough to notice.
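The hiding technique described above (code pushed off-screen behind a long run of spaces, or buried in an oversized string constant) is mechanical enough to check for before a file is ever opened in an editor. The following scanner is an added example written for this article, not code from ReversingLabs or from any of the repositories discussed; the sample source, the thresholds and the placeholder `run_hidden_payload()` name are all constructed for illustration.

```python
import ast
import re
from dataclasses import dataclass

# Thresholds are assumptions chosen for illustration: no realistic editor
# viewport is 120 spaces wide, and legitimate Python rarely has 400-char lines
# or 2,000-char string literals outside of embedded data files.
WHITESPACE_GAP = 120
MAX_LINE_LEN = 400
MAX_STRING_LEN = 2000

# Constructed sample: a plausible-looking helper with a trojanized line appended
# far to the right of a benign assignment, plus an oversized string blob.
# run_hidden_payload() is a placeholder name; the scanner never executes anything.
SAMPLE_SOURCE = (
    "import os\n"
    "def scan(target):\n"
    "    print('scanning', target)\n"
    "    return True\n"
    "\n"
    "BANNER = 'tool v1.0'" + " " * 600 + "; run_hidden_payload()\n"
    "PAYLOAD = '" + "A" * 5000 + "'\n"
)


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


# Non-space, then a run of at least WHITESPACE_GAP spaces/tabs, then more non-space:
# i.e. visible code followed by an off-screen continuation on the same line.
GAP_RE = re.compile(r"\S[ \t]{%d,}\S" % WHITESPACE_GAP)


def scan_source(source: str) -> list[Finding]:
    """Flag lines that hide code off-screen and string literals large enough to
    carry an embedded payload. Returns a list of Finding records."""
    findings: list[Finding] = []

    # Pass 1: textual checks, line by line.
    for lineno, text in enumerate(source.splitlines(), start=1):
        if len(text) > MAX_LINE_LEN:
            findings.append(Finding(lineno, "long_line", f"{len(text)} chars"))
        gap = GAP_RE.search(text)
        if gap:
            hidden = text[gap.end() - 1:]  # everything after the whitespace gap
            findings.append(Finding(lineno, "offscreen_code", hidden[:60]))

    # Pass 2: syntactic check for massive string constants, using the AST so
    # that multi-line and concatenated literals are measured correctly.
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        findings.append(Finding(exc.lineno or 0, "unparseable", str(exc)))
        return findings
    for node in ast.walk(tree):
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and len(node.value) > MAX_STRING_LEN):
            findings.append(Finding(node.lineno, "massive_string",
                                    f"{len(node.value)} chars"))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} ({f.detail})")
```

Run it over every `.py` file in a freshly cloned repository before executing anything; a hit on `offscreen_code` is the exact pattern Simmons describes, and the `hidden` excerpt shows what the editor viewport would have cut off. The AST pass is separate from the line pass because a payload split across a parenthesised multi-line string would pass a per-line length check.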
Banana Squad previously pushed hundreds of Windows-based malware packages into the open-source ecosystem, across version control systems and the PyPI and npm package managers, under multiple aliases. These packages, spotted in April 2023, stole sensitive data, including system details and crypto wallets, and were downloaded nearly 75,000 times before takedown.
The campaign had a tell
ReversingLabs observed a few telling signs about the repositories that can help catch the infection at its source. “For the majority of the malicious repositories, the owner only has that (the malicious one) one repository listed under its GitHub account,” Simmons said. “This indicates that these kinds of user accounts are almost certainly fake and created for the express purpose of hosting a malicious repository.”
The repository names were found to be identical to one or more other non-trojanized repositories, indicating some form of typo-squatting at play. Additionally, the “About” section of these repositories was packed with search keywords related to the original repository’s theme and often included an emoji, usually a flame or a rocket ship, hinting at the use of AI.
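The three tells above (a single-repository owner, a name identical to an existing repository, and a keyword-stuffed About text with a flame or rocket emoji) can be turned into a simple triage score applied to repository metadata before anyone clones it. This is an added example for this article, not ReversingLabs' tooling; the metadata records, field names, keyword list and the set of "known" repository names are all constructed, and a real deployment would populate them from the GitHub API and from an allowlist of vetted repositories.

```python
import re

# Constructed allowlist of repository names a team already trusts. In practice
# this would come from an internal inventory or a known-good mirror.
KNOWN_GOOD_REPOS = {"awesome-scanner", "cred-dumper", "port-prober"}

# Constructed metadata records in a shape of our own choosing (not the GitHub
# API's field names). A real pipeline would map API responses into this form.
SUSPECT = {
    "name": "awesome-scanner",          # identical to a trusted repository
    "owner_public_repos": 1,            # the owner has nothing else
    "description": "🔥 hacking tool scanner exploit vulnerability osint "
                   "grabber password stealer 🚀",
}
BENIGN = {
    "name": "log-rotator",
    "owner_public_repos": 34,
    "description": "Rotates and compresses application logs on a schedule.",
}

# Theme words that an auto-generated About text tends to pile up; assumption.
THEME_KEYWORDS = {
    "hacking", "hack", "stealer", "scanner", "exploit", "osint", "grabber",
    "cracker", "bruteforce", "tool", "password", "credential", "vulnerability",
}
# U+1F525 is the flame emoji, U+1F680 the rocket; the two the article mentions.
EMOJI_RE = re.compile("[\U0001F525\U0001F680]")

# Assumed thresholds: four or more theme words making up over half the text.
MIN_KEYWORD_HITS = 4
MIN_KEYWORD_RATIO = 0.5


def assess_repo(meta: dict, known_names: set = KNOWN_GOOD_REPOS) -> tuple[int, list[str]]:
    """Return (score, reasons) where score is the number of tells present.
    Each reason corresponds to one of the campaign characteristics."""
    reasons = []

    if meta.get("owner_public_repos", 0) <= 1:
        reasons.append("owner has only this one public repository")

    if meta["name"] in known_names:
        reasons.append(f"name is identical to trusted repository {meta['name']!r}")

    desc = meta.get("description") or ""
    words = re.findall(r"[a-z]+", desc.lower())
    hits = [w for w in words if w in THEME_KEYWORDS]
    if len(hits) >= MIN_KEYWORD_HITS and len(hits) / max(len(words), 1) > MIN_KEYWORD_RATIO:
        reasons.append(f"About text is keyword-stuffed ({len(hits)}/{len(words)} theme words)")

    if EMOJI_RE.search(desc):
        reasons.append("About text contains a flame or rocket emoji")

    return len(reasons), reasons


def is_suspicious(meta: dict, threshold: int = 2) -> bool:
    """A single tell is weak evidence; two or more together match the campaign's profile."""
    return assess_repo(meta)[0] >= threshold


if __name__ == "__main__":
    for record in (SUSPECT, BENIGN):
        score, reasons = assess_repo(record)
        print(f"{record['name']}: score={score} suspicious={is_suspicious(record)}")
        for r in reasons:
            print("  -", r)
```

The name-collision check is the strongest signal here: a repository whose name exactly matches one you already trust, but whose owner is not the maintainer you expect, is precisely the look-alike Simmons describes. The keyword and emoji checks are weak on their own (plenty of legitimate projects use a rocket emoji), which is why the score only flags a repository when several tells coincide.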
ReversingLabs shared a list of campaign indicators, including domains, URLs, and filenames, along with all 67 flagged repositories for developers to watch out for.
“For developers relying on these open-source platforms (GitHub), it’s essential to always double-check that the repository you’re using actually contains what you expect,” Simmons cautioned. “However, the best way to avoid running into this threat is to compare the desired repository to a previous, known good version of the software or source code.”