Threat actor Banana Squad exploits GitHub repos in new campaign
Essential information
- Published: 20/06/2025 19:26
- Modified: 23/06/2025 23:46
- Tags: 2025-06-19, 2025-06-20, backdoor, code obfuscation, github, open-source, open-source security, python, software supply chain, stealth techniques, supply chain attack, trojanized repositories
- Related entities: 200 observables, 1 intrusion set (APT)
Description
ReversingLabs researchers have uncovered a new campaign by the threat actor Banana Squad involving over 60 GitHub repositories that contain hundreds of trojanized Python files. The attackers create fake user accounts to host malicious repositories that mimic legitimate ones, and hide the malicious code by padding source lines with long runs of spaces so that the payload sits far to the right, off-screen in a typical editor or code viewer. The campaign primarily uses the domain dieserbenni[.]ru; a new domain, 1312services[.]ru, was detected recently. The trojanized files employ various encoding and encryption methods to conceal their malicious payloads. The campaign illustrates the growing sophistication of open-source software supply chain attacks targeting platforms such as GitHub.
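The off-screen padding technique described above is easy to check for mechanically: a hand-written source line rarely contains a run of more than a hundred spaces with further code after it. The scanner below is an added example written for this page, not ReversingLabs' tooling or code from the campaign; the 120-space threshold and the sample source it runs on are assumptions constructed for illustration.

```python
import re
import sys
from typing import Dict, List

# Assumption: a run of at least this many consecutive spaces in the middle of a
# line (visible code before it, more non-space content after it) is treated as
# suspicious. 120 exceeds common editor widths; tune it for your code base.
MIN_GAP = 120

# Constructed sample (not from the campaign): the third line pads a harmless
# statement with 400 spaces so that the statement after it sits off-screen.
SAMPLE_SOURCE = (
    "import base64\n"
    "def main():\n"
    "    print('hello')" + " " * 400 + ";exec(base64.b64decode(PAYLOAD))\n"
    "    return 0\n"
)


def find_offscreen_code(source: str, min_gap: int = MIN_GAP) -> List[Dict]:
    """Return one finding per line that has non-space content, then a run of at
    least `min_gap` spaces, then more non-space content on the same line.

    Leading indentation is ignored because the lookbehind requires a non-space
    character before the run; lines that merely end in trailing spaces are
    ignored because the lookahead requires content after the run.
    """
    gap_re = re.compile(r"(?<=\S) {%d,}(?=\S)" % min_gap)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = gap_re.search(line)
        if match is None:
            continue
        findings.append({
            "line": lineno,
            "visible": line[:match.start()],   # what a reader sees on screen
            "gap": match.end() - match.start(),  # width of the padding run
            "hidden": line[match.end():],      # code pushed off-screen
        })
    return findings


def scan_path(path: str, min_gap: int = MIN_GAP) -> List[Dict]:
    """Scan one file on disk and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_offscreen_code(fh.read(), min_gap)


def report(name: str, findings: List[Dict]) -> None:
    for f in findings:
        print(f"{name}:{f['line']}: {f['gap']} spaces hide: {f['hidden'][:80]!r}")


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: demonstrate on the constructed sample.
        report("<sample>", find_offscreen_code(SAMPLE_SOURCE))
    for p in paths:
        report(p, scan_path(p))
```

Run it with one or more `.py` paths to scan cloned repositories before anything in them is executed; with no arguments it scans the constructed sample and reports line 3. The check is deliberately narrow (spaces only, single-line padding), so treat a hit as a prompt to inspect the file, and pair it with the usual review of decode/exec chains that the campaign's encoded payloads rely on.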