AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
A sophisticated campaign used AI-generated content to create convincing fake GitHub repositories that distributed SmartLoader, which in turn delivered Lumma Stealer and other malicious payloads. The repositories featured AI-written README files, realistic code structures, and fabricated star counts to appear legitimate. This research documents how threat actors leverage generative AI to scale social engineering attacks on developer communities and traces the full infection chain from repository discovery to credential theft.
Related Research
Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads
Investigated a supply chain attack in which an attacker hijacked the lead Axios npm maintainer's account and published two malicious versions containing a phantom dependency that deployed a cross-platform RAT on macOS, Windows, and Linux while erasing forensic evidence by replacing itself with clean decoy files.
PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
Uncovered PureRAT targeting job seekers using renamed Foxit PDF Reader for DLL side-loading and Python-based shellcode loaders.
Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
Analyzed a rotating AI-themed lure campaign, active since February 2026, that pivoted within 24 hours of Anthropic's Claude Code npm packaging error to distribute Vidar stealer and GhostSocks proxy malware through fake "leaked Claude Code" GitHub repositories, impersonating more than 25 software brands via a single Rust-compiled dropper.
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
Identified an active campaign spreading self-propagating malware via WhatsApp ZIP attachments, targeting Brazilian users with persistence and account hijacking.