Researchers uncovered a ring of 89 GitHub accounts promoting 73 repositories that together contained more than 300 backdoored apps (via DFIR.it).
The backdoored apps included code to persist on infected machines across reboots, plus a downloader for fetching further malicious code. The accounts promoted apps and software libraries for Windows, macOS, and Linux.
In one sample, one of the apps downloaded a Java-based "sneaker bot" named Supreme NYC Blaze Bot (supremebot.exe). A sneaker bot is automation software for buying limited-edition sneakers the moment they go on sale; it is a commercial tool that resellers seek out, not itself a botnet or a form of malware, which is why a trojanized copy is a plausible thing for a victim to run.
The ring has since been taken down. Its accounts had been used to watch the repositories, inflating their apparent popularity and pushing them higher in GitHub's search results.
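Popularity inflated by a ring of throwaway accounts leaves a fingerprint: the stargazers or watchers are mostly empty profiles created in a burst. The following is an added example, not code from the original report or from DFIR.it, showing one heuristic for scoring a repository's stargazer list. The account records are constructed inline so the script runs offline; in practice the same fields (created_at, public_repos, followers) come from GitHub's /repos/{owner}/{repo}/stargazers and /users/{login} endpoints, and the thresholds in `looks_inflated` are assumptions to tune per repository size.

```python
"""Heuristic detector for star/watch inflation by sock-puppet accounts.

Added example (assumed thresholds, constructed sample data); not part of
the original report or of DFIR.it's analysis.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Account:
    login: str
    created: date      # GitHub "created_at" of the user record
    public_repos: int  # GitHub "public_repos"
    followers: int     # GitHub "followers"


def is_empty_account(acct: Account) -> bool:
    """An empty profile: no repositories and no followers.

    One such account is unremarkable; a cluster of them created together
    and all watching the same repository is the sock-puppet signature.
    """
    return acct.public_repos == 0 and acct.followers == 0


def stargazer_report(stargazers: Iterable[Account]) -> Tuple[float, int]:
    """Return (fraction of empty accounts, largest same-day creation burst).

    The burst is the number of empty accounts created on the single busiest
    day; organic stargazers accumulate over years, rings are registered in
    batches.
    """
    accounts: List[Account] = list(stargazers)
    if not accounts:
        return 0.0, 0
    empties = [a for a in accounts if is_empty_account(a)]
    by_creation_day = Counter(a.created for a in empties)
    largest_burst = max(by_creation_day.values(), default=0)
    return len(empties) / len(accounts), largest_burst


def looks_inflated(stargazers: Iterable[Account],
                   min_empty_fraction: float = 0.5,
                   min_burst: int = 5) -> bool:
    """Flag a repository when most stargazers are empty profiles AND a
    batch of them share a creation day. Thresholds are assumed defaults."""
    fraction, burst = stargazer_report(list(stargazers))
    return fraction >= min_empty_fraction and burst >= min_burst


# Constructed sample: nine empty accounts registered over two days plus
# three established users, the shape a boosted repository tends to show.
SAMPLE_STARGAZERS: List[Account] = [
    *[Account(f"user{i:02d}", date(2020, 1, 14), 0, 0) for i in range(6)],
    *[Account(f"user{i:02d}", date(2020, 1, 15), 0, 0) for i in range(6, 9)],
    Account("alice", date(2013, 5, 2), 27, 140),
    Account("bob", date(2016, 11, 9), 8, 12),
    Account("carol", date(2018, 3, 30), 41, 300),
]

# Constructed control: only established accounts.
ORGANIC_STARGAZERS: List[Account] = SAMPLE_STARGAZERS[-3:]


if __name__ == "__main__":
    for name, gazers in (("sample", SAMPLE_STARGAZERS),
                         ("organic", ORGANIC_STARGAZERS)):
        fraction, burst = stargazer_report(gazers)
        verdict = "inflated" if looks_inflated(gazers) else "looks organic"
        print(f"{name}: empty fraction={fraction:.2f} "
              f"largest same-day burst={burst} -> {verdict}")
```

The two signals are deliberately combined: a young project can legitimately have many low-activity stargazers, and a popular one can attract a burst of new users after a launch post, but a majority of empty profiles that were also registered in the same few days is hard to explain organically. Watchers and forks can be scored with the same function.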