A sophisticated supply chain attack campaign has emerged targeting software developers through the exploitation of over 60 GitHub repositories containing trojanized Python files designed to steal sensitive Windows-based data.
The threat actor, known as Banana Squad, has demonstrated remarkable stealth and sophistication in deploying hundreds of malicious files disguised as legitimate hacking tools and utilities.
The campaign represents a significant evolution in open-source software supply chain attacks, moving beyond traditional malicious package uploads to more subtle repository impersonation tactics.
Banana Squad created fake GitHub accounts hosting repositories with identical names to legitimate projects, effectively masquerading malicious tools as benign alternatives.
These trojanized repositories accumulated substantial download counts before detection, indicating the campaign’s potential widespread impact on the developer community.
ReversingLabs researchers identified the extensive network of malicious repositories by working backwards from network threat intelligence indicators, ultimately discovering 67 compromised repositories containing hundreds of trojanized Python files.
The threat actor’s Windows-based final payloads were specifically designed to extract extensive amounts of sensitive data, including system information, application data, browser credentials, and cryptocurrency wallets.
The campaign utilized multiple command and control domains, primarily dieserbenni[.]ru, with a newer domain 1312services[.]ru detected on June 6, 2025.
The attack demonstrates concerning trends in supply chain security, where threat actors are increasingly leveraging trusted platforms like GitHub to distribute malware while evading traditional detection mechanisms.
Each malicious repository was typically the sole project under fake user accounts, with carefully crafted descriptions containing relevant search terms and emojis to enhance discoverability.
Advanced Code Obfuscation and Visual Deception Techniques
The most innovative aspect of this campaign lies in Banana Squad’s sophisticated code hiding methodology that exploits GitHub’s user interface limitations.
The threat actors embedded malicious code within Python files using an extensive padding technique involving hundreds of spaces, effectively pushing the malicious content beyond the visible screen width on standard displays.
This visual deception ensures that even security-conscious developers reviewing the code would not immediately detect the malicious payload.
The trojanized files employ multiple layers of encryption and encoding, combining Base64, hexadecimal text, and Fernet encryption from Python’s cryptography package.
A typical malicious line appears as legitimate code followed by extensive whitespace, concluding with encrypted payload code that remains hidden from casual inspection.
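As an added example (not ReversingLabs' tooling and not code from the campaign), the following Python scanner flags source lines in which a long run of spaces separates visible code from a trailing segment, which is the padding pattern described above. The padding threshold, the marker list and the sample file are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

MIN_PAD = 100  # assumption: the article says "hundreds of spaces"; tune per repo
# Decode/exec primitives that a hidden tail typically chains together.
MARKERS = re.compile(r"exec\(|eval\(|b64decode|fromhex|Fernet\(|__import__\(")


@dataclass
class Finding:
    lineno: int
    pad_len: int
    visible: str   # what a reviewer sees at normal viewport width
    hidden: str    # code pushed past the right edge by the padding
    markers: list  # suspicious primitives found in the hidden part


def scan_source(src: str, min_pad: int = MIN_PAD) -> list:
    """Return a Finding for each line whose tail sits behind >= min_pad spaces."""
    findings = []
    for lineno, raw in enumerate(src.splitlines(), 1):
        body = raw.strip()  # indentation and trailing blanks are not padding
        runs = list(re.finditer(r" {2,}", body))
        if not runs:
            continue
        longest = max(runs, key=lambda m: m.end() - m.start())
        pad_len = longest.end() - longest.start()
        if pad_len < min_pad:
            continue
        hidden = body[longest.end():]
        findings.append(Finding(lineno, pad_len, body[:longest.start()],
                                hidden, MARKERS.findall(hidden)))
    return findings


# Constructed sample, not taken from the campaign: the third line carries a
# 300-space gap before an exec/decode chain (the base64 is a harmless print()).
# It is only ever scanned as text here, never executed.
SAMPLE = (
    "import os\n"
    "def banner():\n"
    "    print('tool ready')" + " " * 300
    + ";exec(__import__('base64').b64decode('cHJpbnQoJ3gnKQ=='))\n"
    "banner()\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.lineno}: {f.pad_len} spaces hide {f.hidden!r}")
        print(f"  markers: {f.markers}")
```

Run it over a checkout with `scan_source(open(path).read())` per file; a hit with a non-empty marker list is worth a manual look even when the visible prefix is ordinary code.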
The payload URLs follow a consistent structure, hxxps[://]dieserbenni[.]ru/paste?repo=[repository_name], where the repository name appears as a query parameter, allowing the attackers to track which specific repositories are generating infections.
ReversingLabs has provided a comprehensive CyberChef recipe for security researchers to extract and analyze these next-stage payload URLs, enabling better understanding of the campaign’s infrastructure and helping organizations implement appropriate defensive measures.