from Hacker News

Github scam investigation: Thousands of “mods” and “cracks” stealing data

by timsh on 2/28/25, 8:27 AM with 160 comments

  • by klaas- on 2/28/25, 10:46 AM

    I think Microsoft has a general problem with getting rid of unwanted things within their eco-system. I keep complaining that their feedback.azure.com portal is filled with spam/malware comments and links, but even internally their teams can't reach anyone to get it fixed. Example https://feedback.azure.com/d365community/idea/9d0b22d8-c025-...

  • by Aurornis on 2/28/25, 1:57 PM

    These repos post to Discord webhooks to notify of newly compromised systems.

    I’ve found Discord to be responsive to abuse complaints in the past. If someone wrote a simple script to download these repos and extract the Discord webhook links I bet you could get Discord to shut down their accounts.

    In my past experience Discord was aggressive about this, going so far as to ban the accounts of people who had participated on those servers with clearly illegal purposes. They’ll come back and make new accounts again, of course, but having them lose all of their connected servers, history, and requiring them to update every single one of their malware drops should slow them down considerably.

  • by vegadw on 2/28/25, 2:27 PM

    I think to an extent Microsoft is the guilty party here. For may cracks Windows Defender will trip saying "Win32/Keygen" even if there's no actual malware https://www.microsoft.com/en-us/wdsi/threats/malware-encyclo...

    This trains people that do a lot of piracy to be used to turning off their antivirus to let something through, which is fine until it's not. It's like drugs, if we know a subset of the population will do them no matter what, we should make it safe for them to the extent we can. False positives, causing people to ignore actual positives, creates a market for these things.

  • by dcow on 2/28/25, 9:29 AM

    Why should malware repos be deleted?

    Serious question. The repos aren't themselves doing harm, are valuable for research, and would be distributed some other way if GH removed them. Maybe a banner “be careful! others have reported that this repo may not do what it claims. proceed with caution” would be a more appropriate response?

  • by KomoD on 2/28/25, 11:26 AM

    Fun fact: if you come across one of these discord webhooks you can delete them.

    Just curl -X DELETE https://discord.com/api/webhooks/[...]

  • by aerzen on 2/28/25, 12:00 PM

    I think the core of problem here is that applications are not isolated on the OS level.

    If I download and install a mod for minecraft, it should never have access to anything on my computer, except for the minecraft game files itself. If I open a spreadsheet in Excel, the excel process should have access only to that file and it's own config files.

    Something similar to how android works, were the app has to explicitly ask the user to access their files.

  • by MaxGripe on 2/28/25, 11:38 AM

    In my opinion, Microsoft’s entire support is at a tragically poor and hopeless level. GitHub is flooded with open issues that remain open for years without any response from Microsoft. The same applies to Azure. The technical support there is also truly terrible, and it’s easy to find horror stories online about people losing access to their accounts and being unable to restore them.

  • by avodonosov on 2/28/25, 1:47 PM

    Some time ago i was asked to help installing a mode for Plants vs. Zombies - a PVZ Fusion mode.

    When searching for it I found multiple, some had download from github repos. None was looking trustworthy enough, so I didnt download any. But I hesitated a little.

    From how they looked, I think now that was the kind of malware the author describes.

  • by t_believ-er873 on 2/28/25, 12:04 PM

    If you've identified GitHub repositories hosting malware, you can report them directly to GitHub via their Abuse Report page, providing links and any relevant details. GitHub typically removes repositories that violate their Acceptable Use Policy, but response times may vary. If the malware is actively being used for harm, you may also consider reporting it to security organizations or CERT teams.

  • by Fokamul on 2/28/25, 9:30 AM

    Ooh, these types of malwares are very old.

    Most fun you can have is to generate real-like looking data (there are tools for that) and mass send them to these discord webhooks.

    ;-)

  • by Jimmc414 on 2/28/25, 2:54 PM

    What's concerning is that this repository appears to be the template that much of this malware was built from: https://github.com/Jalynn0922/steal-cook. This repo mentioned in the article has existed on GitHub for 3 years without being taken down.

    Also, I am seeing firsthand that AI is not good at detecting this stuff. Claude's main problem in a code review of one of its descendants was the unethical use of an aim-bot.

    edit: to clarify, my concern is about how this can exist on Github for 3 years. Thank you for compiling this and sharing your review. Great work.

  • by nottorp on 2/28/25, 11:12 AM

    "Or why you should never download game mods"...

    Like everything else, you shouldn't blindly search on github - or any other download site.

    Only download from links referred from the official site if there's any, or the game's forum, or any other trustable and human reviewed source.

  • by extraduder_ire on 2/28/25, 2:42 PM

    > Less then 10% of them have open issues with complaints - others look just fine.

    I don't know why anyone running one of these schemes to distribute malware would even enable the issues tab on github, let alone not delete every issue posted containing keywords like malware, trojan, virus, etc. with a script.

    Are hidden until approved issues not supported on github? Is this caused by some limitation of creating these repos programmatically?

  • by Thorrez on 2/28/25, 2:16 PM

    >Yes, Redox creates and starts sqlite to gather all the data in a good-looking way.

    Is that saying it creates a sqlite database? I kind of doubt it. I think more likely is it uses sqlite to read from existing sqlite databases that exist on disk, to steal data from them.

  • by tomaytotomato on 2/28/25, 1:34 PM

    I must admit, sometimes reading gists and other repos on fixing hardware issues I think, "am I downloading malware?".

    Better to have an attitude that Github is malware and a healthy skepticism of any repo?

  • by avodonosov on 2/28/25, 1:33 PM

    Just deleting them is not so useful. It would be better to uncover the people behind them and who use the collected data.

    Some honeypot scheme or social engeneering against them.

    Ideas?

  • by neutralx on 2/28/25, 12:05 PM

    First image in the article reminds me of draw.io diagrams. Is this a drawio theme/library or some other tool was used to create it?

  • by numba888 on 3/1/25, 6:52 AM

    The problem is this can be anything, not just mods and cracks. That's why I keep separate laptop for banking. This may not help if hackers take over the router. But still better than nothing.

  • by andypiper on 2/28/25, 2:42 PM

    I've been reporting these repos forever, they just keep on coming.

  • by miunau on 2/28/25, 2:43 PM

    npm is full of this shit too, eg. https://www.npmjs.com/package/openssl-node which I reported weeks ago but is still sitting there.

  • by Yeul on 2/28/25, 5:12 PM

    I always thought it was amusing that if you ask about pirating Windows or Office you get a link to GitHub.

    Microsoft is alright in my book. Let GitHub be free.

  • by nisten on 2/28/25, 2:07 PM

    No?

    Maybe could stop people from being able to git pull them without a confirmation, but deleting does not make sense

  • by jbverschoor on 2/28/25, 1:20 PM

    Just don't allow direct downloads or clones. It will solve a lot, although not many.

  • by nomilk on 2/28/25, 12:41 PM

    We could make an open source database. Then very simple browser extension to place a very prominent warning on any GitHub repo page that happens to be suspected malware.

    I guess the problem is that only helps those who already know they need to watch out for this sort of thing, not the users most likely to be pwned.

  • by nisten on 2/28/25, 2:06 PM

    No

  • by teddyh on 2/28/25, 12:17 PM

    If there is no malware allowed on GitHub, I guess malware researchers have to use somewhere else to host their code. Which would be a preferable outcome, honestly.

  • by linwangg on 2/28/25, 1:40 PM

    This raises a big question: How effective is GitHub’s abuse reporting system against large-scale malware campaigns? If 1,000+ malicious repos can persist for months, does this mean GitHub lacks automated scanning or relies too much on user reports?

  • by neuroelectron on 2/28/25, 11:51 AM

    Is it really a problem to host malware on github?