Severity
High
Analysis Summary
A sophisticated software supply chain attack orchestrated by a threat actor known as Banana Squad has compromised over 60 GitHub repositories, targeting developers with trojanized Python files designed to steal sensitive data from Windows systems. This campaign marks a shift in attacker methodology, moving beyond the traditional seeding of malicious packages to the impersonation of legitimate repositories. The attackers created fake GitHub accounts hosting projects with names identical to trusted open-source tools, luring developers into unknowingly downloading malicious payloads.
Researchers identified 67 such repositories, which collectively contained hundreds of Python files masquerading as legitimate hacking utilities. These files were engineered to exfiltrate system information, browser credentials, application data, and cryptocurrency wallets to command-and-control (C2) domains such as dieserbenni[.]ru and the newly identified 1312services[.]ru. Many of these fake repositories managed to attract high download numbers before being discovered, indicating the campaign’s potentially widespread impact on the developer ecosystem.
Banana Squad employed obfuscation and deception techniques that exploit GitHub's code view: hundreds of spaces were inserted on a line so that the malicious code following them sits beyond the visible screen area. This made the payloads effectively invisible to the eye, even for vigilant developers inspecting the code. The trojanized scripts also wrapped their payloads in multiple encoding and encryption layers: Base64, hex encoding, and Fernet symmetric encryption from Python's cryptography library. These layers kept the malware stealthy and resistant to quick reverse-engineering.
The final payload URLs were cleverly crafted to include the repository name as a query parameter, helping attackers track infections per project. Security researchers have used tools like CyberChef to extract these URLs and understand the infrastructure behind the attack. This campaign represents a critical warning about the growing risk of open-source software manipulation, where even trusted platforms like GitHub can become vehicles for malware delivery. The findings call for stronger repository vetting, developer vigilance, and automated analysis tools to detect such hidden threats.
Impact
- Sensitive Information Theft
- Gain Access
- Crypto Theft
- Financial Loss
Indicators of Compromise
Domain Name
- dieserbenni.ru
- 1312services.ru
- bananasquad.ru
MD5
- fef77f414d49a08b6b1a7de10b14acab
- 94c7ff0056da8e0b7ed34b5f15e6a7ab
- a332ddcb9379b24d6d4fd390404dedb4
- 18ae20aaf2d3cd8bf85c6bc5816ab69a
- d225664286fff96b6f069e5e58ada57f
SHA-256
- eb6c431ecf7e04d8c166b93e0dae1426001def08859ab0cf544eba072ed8a579
- 0051e9ef07a06771cedc1599d0d1e6b904ea93984a9fd3ea9e8996abfe36e9cb
- 4175e56cb4a7e2c4da780cb85667f9444428f72bc4700e988486ab3c505c08a7
- 537893b214cb4b377cb0f8e936560baec6d96eaa2552b60bf6df9b4dd1cf6d45
- d45fbf98509c60b65d339796f9cb9bdcbb7858346bdd38b6313095b6bfe5a474
SHA-1
- c5fb156b9e2775a2f6d667e005f8e2a833a06b44
- 87ea7c28b754abc84a329f7c4bf805ea69a5f774
- f4ae89c5e4b5f99372b42c168cdeac233be2a423
- 450505aed4513bef3fda32c5ebd027a6b6c32e9c
- 338401af36a4683de351e0802c554160bf54e8df
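The indicators listed above, matched against a DNS query log and against file hashes, as an added example written for this page (it is not code from the advisory's authors). The domains and hashes are the ones in the list above; the DNS log format, client addresses, timestamps and sample file bytes are constructed for the example. Domains are matched including subdomains, and defanged `[.]` notation is normalised before comparison.

```python
"""Match the advisory's IoCs against a DNS log and file hashes (defender-side triage)."""
import hashlib
import re

# Indicators copied from the advisory's IoC section; stored defanged and normalised below.
IOC_DOMAINS_DEFANGED = ["dieserbenni[.]ru", "1312services[.]ru", "bananasquad[.]ru"]
IOC_HASHES = {
    "md5": {
        "fef77f414d49a08b6b1a7de10b14acab", "94c7ff0056da8e0b7ed34b5f15e6a7ab",
        "a332ddcb9379b24d6d4fd390404dedb4", "18ae20aaf2d3cd8bf85c6bc5816ab69a",
        "d225664286fff96b6f069e5e58ada57f",
    },
    "sha1": {
        "c5fb156b9e2775a2f6d667e005f8e2a833a06b44", "87ea7c28b754abc84a329f7c4bf805ea69a5f774",
        "f4ae89c5e4b5f99372b42c168cdeac233be2a423", "450505aed4513bef3fda32c5ebd027a6b6c32e9c",
        "338401af36a4683de351e0802c554160bf54e8df",
    },
    "sha256": {
        "eb6c431ecf7e04d8c166b93e0dae1426001def08859ab0cf544eba072ed8a579",
        "0051e9ef07a06771cedc1599d0d1e6b904ea93984a9fd3ea9e8996abfe36e9cb",
        "4175e56cb4a7e2c4da780cb85667f9444428f72bc4700e988486ab3c505c08a7",
        "537893b214cb4b377cb0f8e936560baec6d96eaa2552b60bf6df9b4dd1cf6d45",
        "d45fbf98509c60b65d339796f9cb9bdcbb7858346bdd38b6313095b6bfe5a474",
    },
}


def refang(domain: str) -> str:
    """Turn 'evil[.]example' into 'evil.example', lower-case it, drop a trailing dot."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def matching_ioc(qname: str, iocs=IOC_DOMAINS):
    """Return the indicator a query name matches (exact or as a subdomain), else None.
    The leading '.' in the suffix test stops 'notdieserbenni.ru' from matching."""
    q = refang(qname)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Constructed log format: timestamp followed by key=value pairs (assumption for the example).
DNS_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_dns_line(line: str) -> dict:
    m = DNS_LINE_RE.match(line.strip())
    if not m:
        return {}
    rec = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def match_dns_log(lines) -> list:
    """Return one hit dict per log line whose qname matches an IoC domain."""
    hits = []
    for line in lines:
        rec = parse_dns_line(line)
        ioc = matching_ioc(rec.get("qname", ""))
        if ioc:
            hits.append({"ts": rec["ts"], "client": rec.get("client"),
                         "qname": rec["qname"], "ioc": ioc})
    return hits


def check_hashes(data: bytes, iocs=IOC_HASHES) -> list:
    """Hash file bytes with every algorithm in the IoC list; return the algorithms that hit."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return sorted(algo for algo, value in digests.items() if value in iocs.get(algo, set()))


# Constructed sample log: two of the four queries touch listed domains.
SAMPLE_DNS_LOG = """\
2025-06-19T09:58:11Z client=10.0.4.17 qtype=A qname=pypi.org
2025-06-19T09:58:13Z client=10.0.4.17 qtype=A qname=api.dieserbenni.ru.
2025-06-19T09:59:02Z client=10.0.4.22 qtype=AAAA qname=notdieserbenni.ru
2025-06-19T10:01:45Z client=10.0.4.17 qtype=A qname=1312SERVICES.RU
"""

if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (matches {hit['ioc']})")
    print("hash hits for constructed bytes:", check_hashes(b"constructed sample bytes"))
```

The subdomain test matters because resolver logs rarely show the bare apex: a client that reached the listed C2 typically appears as a query for some host under it. Hash matching is exact, so it only catches the specific files in the list; the scanner for the obfuscation pattern itself is the complementary check.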
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Delete or quarantine any cloned or downloaded repositories from unverified or newly created GitHub accounts.
- Review all Python files for suspicious obfuscation tactics, especially long whitespace lines or encoded strings.
- Implement allowlisting for repositories and contributors within your development environment.
- Use automated code scanning tools to detect encrypted or obfuscated payloads in scripts.
- Monitor network activity for outbound connections to known C2 domains like dieserbenni[.]ru and 1312services[.]ru.
- Block the identified malicious domains at the firewall or DNS level.
- Regularly audit dependency and tool usage across projects to detect unauthorized changes.
- Educate developers to verify the authenticity of GitHub repositories before cloning or executing code.
- Integrate static and dynamic analysis tools into the CI/CD pipeline to flag suspicious behavior.
- Use tools like CyberChef to extract and inspect encoded payloads from suspicious files.
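A static triage script for the obfuscation pattern described in the Analysis Summary (code pushed off-screen behind hundreds of spaces, string literals wrapped in nested hex and Base64 layers, Fernet imports, and a payload URL carrying the repository name as a query parameter) and for the "review Python files for long whitespace lines or encoded strings" and "automated scanning" remediation items. This is an added example, not code from the advisory's authors or from the campaign; the thresholds, the finding categories, the placeholder domain and the sample file are constructed. It never executes the scanned file: blobs are only decoded, and a Fernet layer is flagged rather than opened because the key is not available to a static check.

```python
"""Static triage of a Python file for whitespace-hidden code and layered encoded blobs."""
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Heuristic thresholds; these are assumptions for the example, tune for your code base.
MIN_HIDDEN_GAP = 100   # a run of this many spaces pushes code off a normal screen
MIN_BLOB_LEN = 40      # shortest string literal worth trying to decode
MAX_LAYERS = 8         # cap on hex/base64 peeling so a pathological blob cannot loop

HIDDEN_CODE_RE = re.compile(r"\S[ \t]{%d,}\S" % MIN_HIDDEN_GAP)
STRING_LIT_RE = re.compile(r"""(['"])([A-Za-z0-9+/=]{%d,})\1""" % MIN_BLOB_LEN)
FERNET_RE = re.compile(r"\bcryptography\.fernet\b|\bFernet\s*\(")
URL_RE = re.compile(rb"https?://[^\s'\"<>]+")


@dataclass
class Finding:
    kind: str      # "hidden-code", "encoded-blob", "fernet" or "payload-url"
    line_no: int
    detail: str


def peel_layers(blob: str, max_layers: int = MAX_LAYERS) -> list:
    """Strip nested hex / Base64 layers and return every intermediate result.
    Hex is tried first because a hex string is also valid Base64 text."""
    layers = []
    current = blob.strip().encode()
    for _ in range(max_layers):
        if not current:
            break
        decoded = None
        if len(current) % 2 == 0 and re.fullmatch(rb"[0-9a-fA-F]+", current):
            try:
                decoded = binascii.unhexlify(current)
            except binascii.Error:
                decoded = None
        if decoded is None:
            try:
                decoded = base64.b64decode(current, validate=True)
            except (binascii.Error, ValueError):
                break  # not an encoding we recognise: innermost layer reached
        layers.append(decoded)
        current = decoded.strip()
    return layers


def extract_urls(data: bytes) -> list:
    """Pull URLs out of decoded bytes together with their query parameters, so the
    per-repository tag the campaign appended can be read without fetching anything."""
    out = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace")
        params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        out.append((url, params))
    return out


def scan_source(src: str) -> list:
    findings = []
    for n, line in enumerate(src.splitlines(), start=1):
        if HIDDEN_CODE_RE.search(line):
            tail = re.split(r"[ \t]{%d,}" % MIN_HIDDEN_GAP, line, maxsplit=1)[1]
            findings.append(Finding("hidden-code", n, tail[:60]))
        if FERNET_RE.search(line):
            findings.append(Finding("fernet", n, line.strip()[:60]))
        for m in STRING_LIT_RE.finditer(line):
            layers = peel_layers(m.group(2))
            if not layers:
                continue
            findings.append(Finding("encoded-blob", n, f"{len(layers)} layer(s) peeled"))
            for layer in layers:
                for url, params in extract_urls(layer):
                    findings.append(Finding("payload-url", n, f"{url} params={params}"))
    return findings


# Constructed sample mimicking the described layout: visible benign code, a long
# whitespace run, then a hex(base64(url)) blob hidden off-screen. The domain is a
# placeholder, not a real indicator; the "repo" parameter name is an assumption.
_INNER_URL = b"http://c2-placeholder.invalid/get?repo=fake-cracker-tool"
_BLOB = binascii.hexlify(base64.b64encode(_INNER_URL)).decode()
SAMPLE_SOURCE = (
    "import base64\n"
    "from cryptography.fernet import Fernet\n"
    'banner = "benign"' + " " * 300 + f'blob = "{_BLOB}"\n'
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no:>3} {f.kind:<13} {f.detail}")
```

Run it over a cloned repository with `scan_source(open(path).read())` per file; a hit on `hidden-code` alone is worth a manual look, and a `payload-url` whose query string carries the repository name is the strongest single signal, since that parameter is the campaign's own infection tag. CyberChef's "From Hex" and "From Base64" recipes reproduce what `peel_layers` does when you want to confirm a blob by hand.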