A new malware campaign is using GitHub to quietly distribute an infostealer tool under the pretense of free utility software, raising renewed concerns over the security of open-code platforms. The malicious activity centers around a fake program titled “Free VPN for PC,” which, when executed, delivers the Lumma infostealer instead of providing any actual VPN functionality.
Researchers at cybersecurity firm Cyfirma, who tracked the campaign, noted that GitHub's open hosting environment, commonly used for legitimate code sharing, was abused to deliver the payload. The malware was embedded in repositories designed to appear trustworthy, exploiting the platform's reputation to gain user trust. A similar version was also uploaded under a different name referencing Minecraft content, pointing to an attempt to attract multiple user demographics.
The primary threat, Lumma, is a well-established infostealer active since 2022. It’s capable of extracting a wide range of data, including saved passwords, browser session information, cryptocurrency wallet keys, and system metadata. It is typically distributed as part of a malware-as-a-service (MaaS) model, allowing buyers to subscribe and use it for their own purposes, with pricing starting around $140 per month.
GitHub isn’t the only vector being exploited. Lumma has also been delivered through fake download sites, scripts hidden behind bogus CAPTCHA checks and more. These methods are all designed to lure users into running malware disguised as harmless software.
The malicious code is designed to operate discreetly once deployed. It has been linked to a network of command-and-control infrastructure, much of which was recently disrupted in a coordinated takedown led by the U.S. Department of Justice and Microsoft. However, active distribution continues across multiple platforms.
To protect against similar threats, users are urged to avoid downloading software from unverified sources, especially from GitHub pages with limited activity or unclear origin. Using up-to-date antivirus tools, enabling two-factor authentication, and never running unfamiliar commands in system consoles remain critical steps in mitigating exposure.
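The advice above to be wary of GitHub pages "with limited activity or unclear origin" can be turned into a simple, repeatable check. The script below is an added example, not code from the article, from Cyfirma, or from GitHub: it scores a repository's metadata for the trust signals a cautious user would look at before running a download. The field names follow the shape of the public GitHub REST API repository object, but the repository records, release asset names, point values and thresholds are all constructed here for illustration, so the script runs offline and should be read as a starting heuristic rather than a verdict on any real project.

```python
from datetime import datetime, timedelta, timezone

# Heuristic vetting of a GitHub repository before trusting a "free utility"
# download. Added example; not the article's, Cyfirma's or GitHub's code.
# Field names mirror the GitHub REST API repository object; the weights,
# thresholds, word lists and sample records below are assumptions.

BINARY_SUFFIXES = (".exe", ".msi", ".zip", ".rar", ".7z", ".bat", ".ps1")
# Marketing-style words common in lure repositories. Legitimate projects can
# use them too, so a hit is worth only one point on its own.
LURE_WORDS = ("free", "crack", "cheat", "hack", "vpn", "mod", "premium")


def _parse_ts(ts: str) -> datetime:
    # GitHub timestamps look like 2025-05-17T09:12:00Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def vet_repository(repo: dict, release_assets: list[str], now: datetime) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons) for one repository record."""
    score = 0
    reasons: list[str] = []

    created = _parse_ts(repo["created_at"])
    pushed = _parse_ts(repo["pushed_at"])

    age = now - created
    if age < timedelta(days=30):
        score += 3
        reasons.append(f"repository created {age.days} days ago")
    if pushed - created < timedelta(days=2):
        score += 2
        reasons.append("all activity within ~1 day of creation")
    if repo.get("stargazers_count", 0) < 5:
        score += 1
        reasons.append("fewer than 5 stars")
    if repo.get("forks_count", 0) == 0:
        score += 1
        reasons.append("no forks")
    if not (repo.get("description") or "").strip():
        score += 1
        reasons.append("no description")

    # Prebuilt binaries with no reviewable build are how the fake VPN shipped.
    binaries = [a for a in release_assets if a.lower().endswith(BINARY_SUFFIXES)]
    if binaries:
        score += 2
        reasons.append("release ships prebuilt binaries: " + ", ".join(binaries))

    name_words = repo["name"].lower().replace("-", " ").replace("_", " ").split()
    hits = [w for w in LURE_WORDS if w in name_words]
    if hits:
        score += 1
        reasons.append("lure-style name words: " + ", ".join(hits))

    return score, reasons


def verdict(score: int) -> str:
    """Map the additive score onto a three-level recommendation (thresholds assumed)."""
    if score >= 6:
        return "DO NOT RUN: treat as untrusted"
    if score >= 3:
        return "CAUTION: verify the publisher before running"
    return "LOW RISK: signals consistent with an established project"


# Constructed sample records (not real repositories).
NOW = datetime(2025, 5, 20, tzinfo=timezone.utc)

SUSPICIOUS_REPO = {
    "name": "Free-VPN-for-PC",
    "created_at": "2025-05-17T09:12:00Z",
    "pushed_at": "2025-05-17T11:40:00Z",
    "stargazers_count": 2,
    "forks_count": 0,
    "description": "",
}
SUSPICIOUS_ASSETS = ["Free-VPN-for-PC.zip"]

ESTABLISHED_REPO = {
    "name": "example-tunnel-client",
    "created_at": "2023-02-01T08:00:00Z",
    "pushed_at": "2025-05-18T16:30:00Z",
    "stargazers_count": 1500,
    "forks_count": 210,
    "description": "Open-source tunnel client with reproducible builds",
}
ESTABLISHED_ASSETS = ["SHA256SUMS"]


if __name__ == "__main__":
    for label, repo, assets in (
        ("suspicious", SUSPICIOUS_REPO, SUSPICIOUS_ASSETS),
        ("established", ESTABLISHED_REPO, ESTABLISHED_ASSETS),
    ):
        score, reasons = vet_repository(repo, assets, NOW)
        print(f"[{label}] {repo['name']}: score={score} -> {verdict(score)}")
        for r in reasons:
            print("   -", r)
```

The score is additive on purpose: a single signal such as a new repository or a release with binaries is common for honest projects, while the fake "Free VPN for PC" pattern (days-old repository, no forks, no description, all commits in one sitting, a single archive to download) trips several at once. Replacing the constructed records with the JSON returned by the GitHub API for a repository and its latest release is the only change needed to use it on live data.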
This campaign reflects a broader challenge: even trusted developer platforms can become conduits for malware when abused by threat actors.