222 GitHub Repos Deliver Windows Malware via Poisoned Go Modules in Industrial Campaign
Operation Muck and Load demonstrates industrial malware distribution through 222 GitHub repositories, using automated versioning and public dead drops for resilience. The campaign connects to earlier supply-chain patterns and reveals gaps in dependency trust mechanisms. Future activity will likely migrate to new language ecosystems after current infrastructure is disrupted.
The campaign, tracked by Socket as Operation Muck and Load, embeds a hidden PowerShell one-liner inside a fork of the dnsub project. The module fetches resolver scripts from Pastebin, YouTube, Telegram, and GitCode mirrors that decrypt and launch payloads including AsyncRAT, Vidar, Remcos variants, and XMRig. At least 14 confirmed malware samples were recovered from release assets and embedded source trees.
Evidence of industrialization includes 1,200 package versions published via automated GitHub Actions timestamp commits, creating pseudo-versions that surface malicious releases. Overlap with the ischhfd83 email and Muck-themed domains links the operation to prior supply-chain lures, showing reuse of infrastructure rather than one-off attacks. This pattern mirrors documented North Korean and other state-linked developer targeting but at higher volume and lower per-repo sophistication.
The scale exposes a systemic failure in GitHub's dependency graph and Go module proxy validation. Attackers now treat public repositories as resilient, low-cost distribution networks that survive takedowns through mirrored dead drops, bypassing both package signing and user review.
GitHub and Socket takedowns will likely trigger rapid re-hosting on alternate platforms within 30 days, with the next wave shifting to Rust or npm ecosystems to maintain volume.
GitHub Security: Takedowns of Muck-themed or similar lure repositories will exceed 400 within 90 days of initial Socket disclosure.
Sources (2)
- [1]Primary Source(https://www.securityweek.com/network-of-200-github-repositories-used-for-malware-infection/)
- [2]Supporting Source(https://socket.dev/blog/operation-muck-and-load)