{
	"id": "7ad63bca-b563-47f2-ad32-e0165684208f",
	"created_at": "2026-04-06T00:08:42.271973Z",
	"updated_at": "2026-04-10T13:12:53.43901Z",
	"deleted_at": null,
	"sha1_hash": "fb60165a1aa6dc057042aac558523745cac87329",
	"title": "New Technique Detected in an Open-Source Supply Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1810284,
	"plain_text": "New Technique Detected in an Open-Source Supply Chain Attack\r\nArchived: 2026-04-05 22:38:19 UTC\r\nIn a recent attack campaign, cybercriminals were discovered cleverly manipulating GitHub’s search functionality,\r\nand using meticulously crafted repositories to distribute malware.\r\nKey Points\r\nGitHub search manipulation: Attackers create malicious repositories with popular names and topics, using\r\ntechniques like automated updates and fake stars to boost search rankings and deceive users.\r\nMalicious code is often hidden within Visual Studio project files (.csproj or .vcxproj) to evade detection,\r\nautomatically executing when the project is built.\r\nThe attacker had set up the stage to modify the payload based on the victim’s origin, checking specifically if\r\nthe victim is based in Russia. At this point, we don’t see this ability activated.\r\nThe recent malware campaign involves a large, padded executable file that shares similarities with the\r\n“Keyzetsu clipper” malware, targeting cryptocurrency wallets.\r\nThe malware establishes persistence on infected Windows machines by creating a scheduled task that runs the\r\nmalicious executable daily at 4AM without user confirmation.\r\nDevelopers should be cautious when using code from public repositories and watch for suspicious repository\r\nproperties, such as high commit frequencies and stargazers with recently created accounts.\r\nExploiting GitHub’s Search Functionality\r\nOur recent findings reveal a threat actor creating GitHub repositories with names and topics that are likely to be\r\nsearched by unsuspecting users. 
These repositories are cleverly disguised as legitimate projects, often related to\r\npopular games, cheats, or tools, making it difficult for users to distinguish them from benign code.\r\nTo ensure maximum visibility, the attackers employ a couple of clever techniques that consistently place their\r\nmalicious repositories at the top of GitHub search results.\r\nhttps://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/\r\nPage 1 of 8\n\nAutomatic Updates\r\nBy leveraging GitHub Actions, the attackers automatically update the repositories at a very high frequency by\r\nmodifying a file, usually called “log”, with the current date and time or just some random small change. This\r\ncontinuous activity artificially boosts the repositories’ visibility, especially for instances where users filter their\r\nresults by “most recently updated,” increasing the likelihood of unsuspecting users finding and accessing them.\r\nFaking Popularity\r\nWhile automatic updates help, the attackers combine them with another technique to push their repositories\r\nto the top of the search results.\r\nThe attackers employed multiple fake accounts to add bogus stars, creating an illusion of popularity and\r\ntrustworthiness. This artificially boosts the repositories’ visibility further, especially for instances where users filter\r\ntheir results by “most stars.”\r\nIn contrast to past incidents where attackers were found to add hundreds or thousands of stars to their repos, it\r\nappears that in these cases, the attackers opted for a more modest number of stars, probably to avoid raising suspicion\r\nwith an exaggerated number.\r\nMany of the stargazers were created on the same date, a red flag for fake accounts.\r\nThis social engineering technique is designed to manipulate users into believing that the repository is widely used\r\nand reliable, preying on the inherent trust users place in highly-starred repositories.\r\nUnsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are\r\nmore likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden\r\ndangers lurking within.\r\nFor a deeper dive into the tactic of fake stars, check out our recent blog that explores this manipulation technique in\r\ngreater detail.\r\nHidden Malware in Project Files\r\nThe attackers conceal their malware primarily as obfuscated code deep within the .csproj or .vcxproj files of the\r\nrepository (files commonly used in Visual Studio projects) to decrease the chances of the average user detecting it\r\nunless they proactively search for suspicious elements.\r\nHowever, it’s worth noting that there have been a small number of other detected repos that contained different\r\nmalware within other files.\r\nTechnical Analysis of the Common Malicious Payload\r\nThe malicious script is embedded within a pre-build event of a Visual Studio project file (.vcxproj) and is designed to\r\nbe executed automatically during the build process. The script consists of two main parts:\r\n1. A batch script that sets up the environment and executes a VBScript file.\r\n2. A base64-encoded PowerShell script that is decoded and executed by the VBScript file.\r\nThe batch script creates a temporary directory, generates a VBScript file, and decodes the base64-encoded\r\nPowerShell script. 
It then executes the decoded PowerShell script and cleans up the temporary files.\r\nThe decoded PowerShell script performs the following malicious actions:\r\n1. Retrieves the country code of the machine’s IP address, determining whether the machine is based in Russia.\r\n2. Downloads content from specific URLs based on the country code (content is continuously updated by the\r\nattacker).\r\n3. Downloads encrypted files from each URL, extracts them with a predefined password, and executes the\r\nextracted files.\r\nThe script also employs error handling to silently catch exceptions and continue execution.\r\nActive Campaign\r\nOn April 3rd, the attacker updated the malicious code within one of their repositories, pointing to a new URL that\r\ndownloads a different encrypted .7z file containing an executable named feedbackAPI.exe.\r\nThe attacker had padded the executable with many zeros, a technique used to artificially boost the file size. Due to\r\nthis padding, the file size exceeded the threshold of many security solutions, VirusTotal being a notable one,\r\npreventing it from being scanned. According to VirusTotal’s documentation,\r\n“If the file to be uploaded is bigger than 32MB, please use the /private/files/upload_url endpoint instead which\r\nadmits files up to 650MB.”\r\nThe padded feedbackAPI.exe file was 750MB in size, exceeding even the increased limit for the alternative endpoint.\r\nThe results of our analysis of this malware suggest that the malware contains similarities to the “Keyzetsu clipper”\r\nmalware, a relatively new addition to the growing list of crypto wallet clippers commonly distributed through pirated\r\nsoftware.\r\nThis executable file also attempts to create persistence on Windows machines. 
It achieves this by creating a shortcut\r\nto the exe file and then establishing a daily scheduled task named “Feedback_API_VS_Services_Client” that\r\nexecutes the shortcut at 4AM. Notably, this task is created without any confirmation prompts, making it stealthier\r\nand more likely to go unnoticed by unsuspecting users.\r\nIndicators of Successful Exploitation\r\nEvidence indicates that the attackers’ campaign has successfully deceived unsuspecting users. Numerous malicious\r\nrepositories have received complaints through Issues and pull requests from users who experienced problems after\r\ndownloading and using the code.\r\nConclusion\r\nThe use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to\r\nthe open-source ecosystem. By exploiting GitHub’s search functionality and manipulating repository properties,\r\nattackers can lure unsuspecting users into downloading and executing malicious code.\r\nTo prevent falling victim to similar attacks, it is recommended to keep an eye on the following suspicious properties\r\nof a repo:\r\n1. Commit frequency: Does the repo have an extraordinary number of commits relative to its age? Are these\r\ncommits changing the same file with very minor changes?\r\n2. Stargazers: Who is starring this repo? Do most of the stargazers appear to have had accounts created around\r\nthe same time?\r\nBy being aware of these red flags, users can better protect themselves from inadvertently downloading and executing\r\nmalware.\r\nIn the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely\r\nsolely on reputation as a metric when using open-source code. A developer who blindly takes code also blindly takes\r\nresponsibility for that code. 
These incidents highlight the necessity for manual code reviews or the use of specialized\r\ntools that perform thorough code inspections for malware. Merely checking for known vulnerabilities is insufficient.\r\nAs part of Checkmarx’s commitment to supply chain security, our research team continuously monitors and detects\r\nsuspicious activities in the open-source software ecosystem. We track and flag potential indicators of malicious\r\nbehavior and promptly alert our customers and the community to help protect them from these evolving threats.\r\nWorking together to keep the open-source ecosystem safe.\r\nIOC\r\nhxxps[:]//cdn.discordapp[.]com/attachments/1192526919577649306/1211404800575537304/VisualStudioEN.7z?\r\nex=6612fda3\u0026is=660088a3\u0026hm=5ae3b1b5d2c7dc91a9c07a65dbf8c61d3822b1f16a2d7c70eb37a039979e8290\u0026\r\nhxxps[:]//cdn.discordapp[.]com/attachments/1192526919577649306/1211403074799804476/VisualStudioRU.7z?\r\nex=6612fc07\u0026is=66008707\u0026hm=0a7fc9432f5ef58960b1f9a215c3feceb4e7704afd7179753faa93438d7e8f54\u0026\r\n08b799d56265e93f6aae4f089808d1cb\r\ncc9d54b78688ef6f41e4f4d0c8bced3e04bfcedc\r\nooocyber[.]keenetic[.]pro\r\n188[.]113[.]132[.]109\r\nhttps://rentry.co/MuckCompanyMMC/raw\r\nhxxps[:]//rentry[.]co/hwqfx/raw\r\nhxxps[:]//rentry[.]co/q3i7zp/raw\r\nhxxps[:]//rentry[.]co/tvfwh/raw\r\nhxxps[:]//cdn[.]discordapp.com/attachments/1193658583947149322/1218876343232630844/main.exe?\r\nex=6609420d\u0026is=65f6cd0d\u0026hm=f5a0af7499e892637935c3e4071f2dc59d48214f56a1c1d7aedc3392f58176db\u0026\r\nhxxps[:]//paste[.]fo/raw/dd6cd76eb5a0\r\nhxxps[:]//paste[.]fo/raw/efda79f59c55\r\nhxxps[:]//rentry[.]co/4543t/raw\r\nhxxps[:]//rentry[.]co/a2edp\r\nhxxps[:]//textbin[.]net/raw/gr2vzmwcvt\r\nTags:\r\nBreaking News\r\nCheckmarx Security Research Team\r\nEnglish\r\nLeadership\r\nOpen-Source Security\r\nsupply chain attack\r\nSupply Chain Security\r\nSource: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/"
	],
	"report_names": [
		"new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb60165a1aa6dc057042aac558523745cac87329.pdf",
		"text": "https://archive.orkl.eu/fb60165a1aa6dc057042aac558523745cac87329.txt",
		"img": "https://archive.orkl.eu/fb60165a1aa6dc057042aac558523745cac87329.jpg"
	}
}