GitHub Comments Used to Spread Lumma Stealer Malware

In a recent campaign, GitHub comments are being used to distribute Lumma Stealer, a password-stealing malware. The campaign was first reported by a contributor to the teloxide Rust library, who shared on Reddit that multiple GitHub comments, disguised as fixes, were actually pushing malware. BleepingComputer’s research revealed that thousands of similar comments were appearing across various projects.

The comments direct users to download password-protected archives containing malware-laden executables. These archives, often downloaded from MediaFire or bit.ly links, use the password "changeme" for extraction. Upon running the included file, identified as 'x86_64-w64-ranlib.exe', the Lumma Stealer malware is executed.

Lumma Stealer is designed to extract sensitive information such as cookies, credentials, credit card details, and browsing history from major web browsers like Chrome and Edge. The malware also targets cryptocurrency wallets and files containing private keys, passwords, and other valuable data.

Nicholas Sherlock, a reverse engineer, stated that over 29,000 malicious comments had been posted over three days. While GitHub staff is actively removing these comments, several users have already reported falling victim to the attack.

Those who have unknowingly executed the malware are advised to change passwords on all accounts. When establishing new passwords, users are encouraged to abide by the golden rules to ensure password strength. Furthermore, it is crucial to move cryptocurrency to new wallets immediately. Some of the safest and most widely used cryptocurrency wallets can be found in this article.

A similar campaign by the Stargazer Goblin threat actors, disclosed by Check Point Research last month, used fake GitHub accounts to create a malware Distribution-as-a-Service (DaaS). It remains unclear whether these two campaigns are linked or if they involve different threat actors.