GitHub Malware [Lumma Stealer] Attack

Malware Name: Lumma Stealer is being spread via fake “fixes” posted in comments on GitHub projects.

Method of Distribution: Cybercriminals are adding malicious comments in GitHub repositories, offering solutions that lead to downloading malware-packed files.

Initial Report: The campaign was first flagged by a contributor to the Teloxide Rust library, who encountered multiple fake comments.

Scale of the Attack: Over 29,000 malicious comments have been identified across various GitHub projects in just three days.

How the Malware Works: Users are tricked into downloading a password-protected archive, “fix.zip,” hosted on MediaFire or reached through Bit.ly links. The comment supplies the extraction password, “changeme” (the password protection keeps the payload from being scanned in transit). After extraction, a malicious executable installs the Lumma Stealer malware, which harvests saved passwords and other login credentials, session cookies, cryptocurrency wallet data, and browsing histories from popular browsers.
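Every indicator in the chain above (the archive name, the extraction password, the hosting and shortener domains, the "here is the fix" wording) is visible in the comment text itself, so a maintainer can triage issue comments before a user ever clicks. The following is an added example written for this page, not code from GitHub or from the researchers who reported the campaign. It scores comment bodies against those indicators; the weights, the threshold and the lure-wording pattern are illustrative heuristics, and the sample comments and URLs (with EXAMPLE placeholders) are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the campaign described above: the archive name, the
# extraction password and the hosting/shortener services. The weights and the
# lure-wording pattern are illustrative heuristics, not published IOCs.
SUSPICIOUS_HOSTS = ("mediafire.com", "bit.ly")
URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\bfix\.zip\b", re.IGNORECASE)
PASSWORD_RE = re.compile(
    r"\b(?:pass(?:word)?|pw)\b\W{0,3}(?:is\s+)?[\"'`]?changeme\b", re.IGNORECASE)
LURE_RE = re.compile(
    r"\b(?:fix|patch|solution)\b.*?\b(?:download|unzip|extract)\b",
    re.IGNORECASE | re.DOTALL)

WEIGHTS = {"link": 2, "archive": 2, "password": 3, "lure": 1}


@dataclass
class Finding:
    comment_id: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def _host(url: str) -> str:
    """Return the lower-cased host part of a URL ('' if it cannot be parsed)."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _is_suspicious_host(host: str) -> bool:
    # Match the domain itself and any subdomain (e.g. www.mediafire.com).
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_HOSTS)


def score_comment(comment_id: str, body: str) -> Finding:
    """Score one comment body; each matched indicator adds its weight and a reason."""
    f = Finding(comment_id)
    for host in sorted({_host(u) for u in URL_RE.findall(body)}):
        if _is_suspicious_host(host):
            f.score += WEIGHTS["link"]
            f.reasons.append(f"link to {host}")
    if ARCHIVE_RE.search(body):
        f.score += WEIGHTS["archive"]
        f.reasons.append("names fix.zip")
    if PASSWORD_RE.search(body):
        f.score += WEIGHTS["password"]
        f.reasons.append("gives archive password 'changeme'")
    if LURE_RE.search(body):
        f.score += WEIGHTS["lure"]
        f.reasons.append("'fix' wording followed by a download/extract instruction")
    return f


def triage(comments: dict[str, str], threshold: int = 3) -> list[Finding]:
    """Return comments at or above the threshold, highest score first."""
    findings = (score_comment(cid, body) for cid, body in comments.items())
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample comments (not real GitHub data); URLs use EXAMPLE placeholders.
SAMPLE_COMMENTS = {
    "c1": "Same error here. Found a fix: download fix.zip from "
          "https://www.mediafire.com/file/EXAMPLE/fix.zip and extract it, password is changeme",
    "c2": "Thanks, the fix in the latest release worked for me after a clean rebuild.",
    "c3": "Working solution here https://bit.ly/EXAMPLE - extract with pass: changeme",
    "c4": "Attaching my build log as logs.zip, the traceback is in there.",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_COMMENTS):
        print(f"{finding.comment_id}: score {finding.score}; " + "; ".join(finding.reasons))
```

A single shortened link scores below the threshold on purpose: shorteners are common in legitimate comments, and it is the combination of an off-GitHub download, an archive name and a shared password that marks the lure. Fed with real comment bodies (for instance from the GitHub issues API), the flagged set is what a maintainer should hide or report first.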

Targeted Data: Lumma Stealer focuses on extracting sensitive files like seed.txt, pass.txt, wallet.txt, and others related to cryptocurrency and personal information.

Risk to Users: Stolen data is packaged and sent to attackers, which can lead to further cyberattacks or sale on the dark web.

Advice for Affected Users: Change all passwords immediately (from a clean device), make each one unique, and revoke active sessions, since stolen cookies let an attacker log in without a password. Cryptocurrency should be moved to newly created wallets: once a seed phrase has been exfiltrated, the old wallet cannot be secured by changing any password.

GitHub Response: GitHub is actively removing malicious comments, but the scale of the attack suggests many users have already been affected.

Be vigilant when downloading files from GitHub, and always verify the authenticity of “fixes” or updates!
