GitHub Ghost Network: A Hidden Threat on Code Hosting Sites
A secret network of approximately 3,000 “ghost” accounts on GitHub has been quietly manipulating pages on code hosting sites to spread malware and phishing links, according to new research from Wired magazine.
The Rise of Stargazer Goblin
Researchers at cybersecurity firm Check Point have identified a cybercriminal known as “Stargazer Goblin” who has been hosting malicious code repositories on Microsoft-owned platforms since at least June last year. This individual has been using fake accounts to manipulate GitHub pages and make them appear legitimate by starring, forking, and watching them.
Malicious Repositories and Distribution as a Service
Stargazer Goblin’s network, named Stargazers Ghost Network by Check Point, has been spreading malicious GitHub repositories offering downloads of social media, gaming, and cryptocurrency tools. These repositories often target Windows users seeking free software online. The operators behind the network charge other hackers for the use of their services, engaging in what Check Point refers to as “distribution as a service.” Various types of ransomware and information-stealing malware, including Atlantida Stealer and Rhadamanthys, have been found to be shared within this network.
GitHub’s Response and Future Challenges
GitHub, with over 100 million users and 420 million repositories, faces ongoing challenges from cybercriminals seeking to abuse its platform. While the Stargazers Ghost Network has been taken down in accordance with GitHub’s policies, the discovery of this network sheds light on the evolving tactics used by malicious actors on code hosting sites. Researchers continue to uncover hidden threats and vulnerabilities in the open-source community, emphasizing the importance of vigilance and cybersecurity measures in the digital landscape.