Over 100 GitHub Repositories Distributing BoryptGrab Stealer

SecurityWeek, Mar 7, 2026

Why It Matters

The abuse of trusted development platforms amplifies the reach of credential‑stealing malware, raising the risk profile for both developers and end‑users. Organizations must reassess supply‑chain security to prevent similar infiltration.

Key Takeaways

  • Over 100 GitHub repos host BoryttGrab stealer.
  • Malware steals browser, crypto wallet, Telegram, and Discord data.
  • Uses DLL sideloading, VBS launchers, .NET binaries, and a Golang downloader.
  • Deploys TunnesshClient backdoor with SSH tunnel.
  • Trend Micro notes increased engineering sophistication.

Pulse Analysis

The BoryttGrab campaign highlights a growing trend where threat actors exploit open‑source ecosystems to distribute malicious payloads. By masquerading as legitimate free‑software tools, the attackers leveraged GitHub’s reputation to bypass casual scrutiny, delivering ZIP archives that contain varied executables. This approach not only widens the infection surface but also complicates detection, as each repository may host a slightly different variant, evading signature‑based defenses. Security researchers emphasize that the sheer number of compromised repositories signals a coordinated supply‑chain operation, demanding heightened vigilance from platform operators.

Technically, BoryttGrab is a C/C++ stealer equipped with anti‑analysis checks, VM detection, and privilege‑escalation attempts. It extracts credentials from nearly a dozen browsers, employs Chrome App Bound Encryption, and even pulls a Chromium helper to deepen browser data collection. The malware’s modular design allows it to target desktop cryptocurrency wallets, Telegram files, and newer Discord tokens, while also capturing screenshots and files with specific extensions. Execution pathways are diverse—DLL sideloading, VBS‑driven launchers, .NET binaries, and a Golang downloader named HeaconLoad—making mitigation across endpoints more complex.

The inclusion of the TunnesshClient backdoor adds a persistent command‑and‑control layer via reverse SSH tunnels, enabling attackers to run arbitrary commands, establish SOCKS5 proxies, and transfer files. For enterprises, this underscores the necessity of robust software bill of materials (SBOM) practices, continuous monitoring of public code repositories, and strict validation of third‑party binaries. Deploying behavior‑based endpoint detection, network traffic analysis for anomalous SSH tunnels, and educating developers about supply‑chain hygiene are critical steps to curb the impact of such sophisticated campaigns. As attackers refine their tactics, proactive defense and rapid response become essential to protect organizational assets.