Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Over 200 GitHub Repositories Exploit Malware Threat

Over 200 GitHub Repositories Exploit Malware Threat

Posted on July 10, 2026 By CWS

A large-scale cyber threat has emerged involving over 200 GitHub repositories designed to distribute Windows malware, according to insights from supply chain security firm, Socket. This operation, known as ‘Operation Muck and Load’, comprises 222 deceptive repositories managed by 190 separate accounts. These repositories feature a Go module that initiates the malware infection process.

Details of the Malware Distribution

The Go module, Socket reveals, deploys PowerShell scripts to retrieve a resolver from public dead drops, which then executes various types of Windows malware. These include spyware, trojan downloaders, infostealers, and cryptominers. The module masquerades as a DNS/subdomain scanning tool, leveraging the legitimate dnsub open-source project to deceive users.

Since January 24, 2026, the threat actor has published over 1,200 versions of this package, with 700 identified as malicious. This proliferation isn’t due to standard release practices, but rather the threat actor’s use of GitHub Actions workflows that generate timestamp commits, allowing these malicious versions to appear as Go pseudo-versions.

Mechanics of the Attack

The module executes a PowerShell command concealed by excessive whitespace before executing any scanning logic. This script circumvents script-execution policies by fetching and running a payload from public dead-drop locations. The payload acts as a resolver, downloader, extractor, and launcher, decrypting metadata, retrieving a password-protected archive, and executing its contents.

To enhance operational resilience, the threat actor avoids a single hardcoded URL, opting instead for multiple public platforms to host mirrored encrypted resolver content. These platforms include Pastebin, Rlim, Muck-themed infrastructure, and fallback sites like YouTube, Instagram, Telegram, Google Docs, and GitCode.

Payloads and Associated Risks

The final execution chain payloads encompass various remote access trojans (RATs) such as AsyncRAT, Quasar RAT, and a Remcos-style RAT, along with infostealers and spyware. Although most repositories serve as lures, some directly embed malware into source trees or through GitHub release assets.

Socket has identified at least 14 unique malware files within the threat actor’s workflow, featuring trojan loaders, Vidar infostealer, and XMRig/BitMiner-related Monero cryptominers. This operation shares characteristics with previous activities linked to the ‘ischhfd83’ email address, which included Muck-themed domains.

In conclusion, Operation Muck and Load represents a significant threat to cybersecurity, highlighting the growing sophistication of supply chain attacks. As these threats evolve, vigilance and robust cybersecurity measures remain critical in safeguarding digital infrastructure.

Security Week News Tags:Cryptominers, Cybersecurity, GitHub, Infostealers, Malware, PowerShell, Spyware, supply chain attack, Trojan, Windows

Post navigation

Previous Post: Ransomware Negotiator Sentenced for BlackCat Involvement
Next Post: Odyssey Stealer Targets macOS: Global Crypto Threat

Related Posts

Tiffany Data Breach Impacts Thousands of Customers Tiffany Data Breach Impacts Thousands of Customers Security Week News
Global Crackdown on Aisuru and Kimwolf Botnets Global Crackdown on Aisuru and Kimwolf Botnets Security Week News
FortiClient EMS Flaw Exploited to Spread Malware FortiClient EMS Flaw Exploited to Spread Malware Security Week News
Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks Security Week News
US Links Handala Hackers to Iranian Government US Links Handala Hackers to Iranian Government Security Week News
Passkey Login Bypassed via WebAuthn Process Manipulation Passkey Login Bypassed via WebAuthn Process Manipulation Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical Linux FUSE Flaw Allows Root Access
  • Laser Pulse Vulnerability in Tangem Wallets Exposes Security Risks
  • Critical GNU Guix Vulnerabilities Permit Remote Attacks
  • DHS Database Breach and Adobe’s Security Enhancements
  • WhatsApp-to-Host Attack via OpenClaw Flaws Detailed

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical Linux FUSE Flaw Allows Root Access
  • Laser Pulse Vulnerability in Tangem Wallets Exposes Security Risks
  • Critical GNU Guix Vulnerabilities Permit Remote Attacks
  • DHS Database Breach and Adobe’s Security Enhancements
  • WhatsApp-to-Host Attack via OpenClaw Flaws Detailed

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark