Lumma Stealer malware linked as project fixes in GitHub comments


Cybercriminals have found yet another way to infect software developers with malware - through comments on GitHub projects.

Anyone with a GitHub account can comment on a project's issues, pull requests and commits. That is how the wider community points out bugs and vulnerabilities, proposes improvements, and discusses changes with the maintainers.

Someone has found a way to post such comments en masse, and is using the technique to try to trick developers into downloading the Lumma Stealer.

Deleting the comments

As observed by BleepingComputer, thousands of comments have appeared across the platform, all saying pretty much the same thing: “to fix your trouble check this fix, I see it in another issue,” followed by a mediafire.com or bit.ly link to a password-protected archive (the password keeps automated scanners from inspecting the contents). The archive contains Lumma Stealer, an infamous piece of malware that steals all sorts of sensitive information, from credentials, to cryptocurrency wallet data, to browser information.
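The comments described above share a recognisable shape: a fixed lure sentence, a link on one of two file-hosting or URL-shortening services, an archive, and a password. The following Python script is an added example, not code from GitHub, BleepingComputer or the article's author, showing how a maintainer might triage pulled issue comments for that shape. It assumes the comments have already been fetched (for instance from GitHub's REST API issue-comments endpoint) into dicts with id, user, repo and body fields; the host list and lure phrases are taken from the article, the sample comments are constructed, and the scoring weights and threshold are arbitrary choices of this example.

```python
"""Triage GitHub issue/PR comments for the Lumma lure pattern.

Added example; the sample comments below are constructed, and the host list and
phrases are a starting point taken from the reported campaign, not a complete
indicator set.
"""
import re
from urllib.parse import urlparse

# Link hosts the reported campaign used for the archive download.
SUSPICIOUS_HOSTS = {"mediafire.com", "bit.ly"}

# Fragments of the reported lure sentence, matched case-insensitively so
# small wording changes between copies still hit.
LURE_PATTERNS = [
    re.compile(r"fix your trouble", re.I),
    re.compile(r"check this fix", re.I),
    re.compile(r"see it in another issue", re.I),
]

URL_RE = re.compile(r"https?://\S+", re.I)
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)\b", re.I)
PASSWORD_RE = re.compile(r"\bpass(word)?\b", re.I)


def _host(url):
    """Hostname of a URL, lower-cased, without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _suspicious_host(host):
    return any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS)


def score_comment(body):
    """Score one comment body; returns (score, reasons).

    Weights are arbitrary: each lure fragment 1, suspicious link host 2,
    archive link 1, a supplied password 1.
    """
    score, reasons = 0, []
    for pat in LURE_PATTERNS:
        if pat.search(body):
            score += 1
            reasons.append("lure phrase: %s" % pat.pattern)
    for url in URL_RE.findall(body):
        host = _host(url)
        if _suspicious_host(host):
            score += 2
            reasons.append("link host: %s" % host)
        if ARCHIVE_RE.search(urlparse(url).path):
            score += 1
            reasons.append("archive link: %s" % url)
    if PASSWORD_RE.search(body):
        score += 1
        reasons.append("archive password supplied")
    return score, reasons


def normalise(body):
    """Drop links, case, punctuation and digits so copies of one lure collapse
    to the same key even when the link or password differs."""
    text = URL_RE.sub(" url ", body).lower()
    text = re.sub(r"[^a-z ]+", " ", text)
    return " ".join(text.split())


def triage(comments, threshold=3, min_copies=2):
    """comments: list of dicts with 'id', 'user', 'repo', 'body'.

    Returns (flagged, clusters): flagged lists the ids of comments scoring at
    least threshold; clusters maps a normalised body to the sorted repos it
    was posted in when the same text appears at least min_copies times, which
    is the campaign-level signal (one lure pasted across many repositories).
    """
    flagged, per_text = [], {}
    for c in comments:
        score, _ = score_comment(c["body"])
        if score >= threshold:
            flagged.append(c["id"])
        per_text.setdefault(normalise(c["body"]), []).append(c["repo"])
    clusters = {t: sorted(set(r)) for t, r in per_text.items() if len(r) >= min_copies}
    return flagged, clusters


# Constructed sample comments (not real data), in the shape of the GitHub
# issue-comments API's id/user/body fields plus the repository they sit in.
SAMPLE_COMMENTS = [
    {"id": 1, "user": "dev-a", "repo": "org/app",
     "body": "Reproduced on 3.2.1, stack trace attached."},
    {"id": 2, "user": "new-user-17", "repo": "org/app",
     "body": "to fix your trouble check this fix, I see it in another issue "
             "https://www.mediafire.com/file/abc/fix.zip password: 1234"},
    {"id": 3, "user": "new-user-42", "repo": "other/lib",
     "body": "To fix your trouble check this fix, I see it in another issue "
             "https://bit.ly/3xyz password 1234"},
    {"id": 4, "user": "dev-b", "repo": "org/app",
     "body": "Fixed in #88, see https://github.com/org/app/pull/88"},
]

if __name__ == "__main__":
    flagged, clusters = triage(SAMPLE_COMMENTS)
    print("flagged comment ids:", flagged)
    for text, repos in clusters.items():
        print("same lure posted in", repos, "->", text)
```

The per-comment score catches a single lure, while the cluster view is what distinguishes a campaign from one stray spam comment: the same normalised text turning up under new accounts across unrelated repositories. Either signal is a reason to hide the comment and report the account rather than follow the link.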

It is often distributed through phishing campaigns, malicious attachments, or infected software downloads. In fact, last week security researchers from Mandiant warned that Lumma was being distributed through fake pirated movies online.

Lumma is known for being stealthy: it collects and exfiltrates data without being spotted by antivirus or antimalware tools. It is sold as malware-as-a-service, for a subscription fee ranging from $250 to $1,000.

Apparently, the crooks left almost 30,000 comments across the platform, and while GitHub’s admins responded by deleting as many comments as possible, some people already fell for the trick.

GitHub is one of the world’s most popular platforms for software developers who build projects using Git. Last year, the platform reportedly had more than 100 million users, a figure which seems to be growing by the day. As such, GitHub is an extremely popular target for cybercriminals, who are always looking for new ways to sneak malware onto the platform.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.