Researchers Warn of Sophisticated Malware Hidden in Open-Source Projects
Cybersecurity experts have discovered a new threat group called Water Curse that uses fake GitHub repositories to spread multi-stage malicious software. Disguised as security or developer tools, the malware steals sensitive data such as passwords, browser data, and session tokens, and gives the attackers remote access to infected systems. It uses Visual Basic Script and PowerShell to run hidden scripts, install additional malicious components, and gather system data while evading detection and maintaining long-term persistence on the system.
At least 76 GitHub accounts are linked to the group, and the campaign may have started as early as March 2023. Water Curse targets developers and the software supply chain by abusing trusted platforms like GitHub. Its repositories are advertised as game cheats, crypto wallet tools, bots, and security or developer utilities, but contain malware and data stealers. The stolen information is exfiltrated through platforms like Telegram and file-sharing websites.
Other recent attacks use similar tricks, including phishing emails with fake invoices and OneDrive links that download Sorillus RAT, a remote access trojan that can steal data, track activity, and uninstall itself. These campaigns also use short-lived links created through services like Cloudflare to hide from security controls and blend in with normal, legitimate traffic.
To stay safe from threats like these:
- Download tools only from trusted, verified sources
- Avoid clicking on suspicious email links or attachments
- Use strong antivirus and anti-malware protection
- Keep software and systems updated
- Enable two-factor authentication (2FA)
- Avoid using cracked software or game cheats
- Review the code and dependencies of developer tools
Being cautious and informed is key to protecting your devices and data.
Source: https://thehackernews.com/2025/06/water-curse-hijacks-76-github-accounts.html