The FakeGit Plague: How 600 Malicious GitHub Archives are Weaponizing Smart Contracts to Steal Your Data

For over a year, a campaign tracked as "FakeGit" has used GitHub as a distribution front for infected archives posing as cracked browser extensions, game cheats, developer utilities, and adult content. According to research published by an analyst writing under the handle "Kirk," the operators have uploaded at least 600 unique ZIP archives across more than 47 accounts since March 2025. As of early March, at least 25 of those accounts were still active.

The archives were dressed up as add-ons for widely used platforms such as Jira, Asana, Todoist, Trello, Notion, Figma, Slack, and Zoom, as well as fake utilities aimed at gaming communities around Roblox, Fortnite, Counter-Strike 2, and Valorant. Inside was a multi-stage infection chain built on LuaJIT. The repositories were filled with procedurally generated descriptions, and every link in the README pointed to the same malicious file. Victims were instructed to enable developer mode in Google Chrome and load the extracted directory as an unpacked extension.
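Because the lure depends on the victim side-loading an unpacked directory, a defender can audit Chrome profiles for exactly that install path. The following is an added example, not code from the original report or from the researcher: it reads the profile's extension settings (Chrome stores them under `extensions.settings.<id>` in `Preferences` or, on Windows, `Secure Preferences`) and flags entries whose `location` is Chrome's "unpacked" value; the sample profile data is constructed for illustration.

```python
import json
from pathlib import Path

# Chrome keeps per-extension state under extensions.settings.<id> in a profile's
# "Preferences"/"Secure Preferences" JSON. "location" is Chrome's ManifestLocation;
# 4 (kUnpacked) means loaded from a directory via developer mode, the FakeGit
# install path. Store extensions instead carry a relative "<id>\<version>" path.
UNPACKED = 4

def find_unpacked_extensions(prefs: dict) -> list[dict]:
    """Return every extension that was side-loaded from a local directory."""
    settings = prefs.get("extensions", {}).get("settings", {})
    hits = []
    for ext_id, entry in settings.items():
        if entry.get("location") != UNPACKED:
            continue
        manifest = entry.get("manifest", {})
        hits.append({
            "id": ext_id,
            "name": manifest.get("name", "<unnamed>"),
            "path": entry.get("path", ""),
            # cookies/tabs/webRequest plus broad host access is what a stealer needs
            "permissions": sorted(manifest.get("permissions", [])
                                  + manifest.get("host_permissions", [])),
        })
    return hits

def audit_profile(pref_path: Path) -> list[dict]:
    """Audit a real profile file, e.g. .../User Data/Default/Secure Preferences."""
    with open(pref_path, encoding="utf-8") as fh:
        return find_unpacked_extensions(json.load(fh))

# Constructed sample: one store-installed extension and one developer-mode
# extension loaded from a downloaded "Jira add-on" archive (hypothetical names).
SAMPLE_PREFS = {"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "location": 1, "path": "abcdefghijklmnopabcdefghijklmnop\\2.1.0",
        "manifest": {"name": "Legit Store Extension", "permissions": ["storage"]}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "location": UNPACKED, "path": "C:\\Users\\victim\\Downloads\\jira-pro-unlocked",
        "manifest": {"name": "Jira Pro Unlocked",
                     "permissions": ["cookies", "tabs", "webRequest"],
                     "host_permissions": ["<all_urls>"]}},
}}}

if __name__ == "__main__":
    for hit in find_unpacked_extensions(SAMPLE_PREFS):
        print(f"UNPACKED {hit['id']} {hit['name']!r} from {hit['path']}")
        print("  permissions:", ", ".join(hit["permissions"]))
```

Any hit outside a known developer workstation deserves a look at the directory it points to, since the FakeGit archives also dropped the LuaJIT loader there.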

The final payload was the StealC infostealer, which collects data from Chrome, Brave, Edge, and Firefox and also pulls credentials from Outlook, FoxMail, WinSCP, and Steam. It harvests logins, cookies, browsing history, and authentication tokens, can take screenshots, and can fetch additional modules via PowerShell and msiexec.

The operators designed the chain so that previously distributed archives never needed updating when command-and-control (C2) servers moved. The initial loader queried a smart contract on the Polygon network to obtain the current C2 address, then fetched encrypted blocks from specific GitHub repositories used as "dead drops." The infrastructure addresses were changed simply by sending transactions to the contract on the blockchain. By the researcher's count, the first version of this contract cycled through 50 different C2 addresses, and both versions of the contract are still operational.

The analysis also found clear signs that third-party GitHub accounts had been compromised. Among the profiles where malicious repositories appeared alongside legitimate projects are MaybeDesxie7, ShifaIshfaque, Mahmudul-Riad, sherinshamr, and SYS123232. Notably, the same executables and Lua modules turned up in archives using entirely different lures, a strong indicator that a single operator is behind the campaign.

By March of this year the operator had refined the obfuscation to the point that some of the newer Lua components were not detected by any engine on VirusTotal. Over the life of the campaign the researcher has catalogued sixteen distinct generations of obfuscation. BitDefender currently detects the archives as Gen:Heur.FakeGit.1, while ESET classifies the Lua components under the Lua/Agent family.
