
A newly uncovered software supply chain campaign by the threat group Banana Squad has compromised more than 60 GitHub repositories, each housing hundreds of malicious Python files posing as legitimate hacking tools. This operation marks a disturbing evolution in how attackers exploit public developer ecosystems like GitHub to distribute malware at scale.
“While the number of malicious packages uploaded to open-source repositories like npm and PyPI has decreased, the stealth and sophistication of threat actors… on platforms like GitHub is increasing,” writes Robert Simmons, Principal Malware Researcher at ReversingLabs.
Originally exposed by Checkmarx in 2023, Banana Squad is a persistent threat actor known for mass-publishing malicious open-source packages. Their latest campaign uses trojanized GitHub repositories disguised as commonly searched Python hacking tools. The malware ultimately aims to steal extensive system, browser, and cryptocurrency data from infected Windows hosts.

One standout domain from the latest campaign is dieserbenni[.]ru, linked to several malicious repositories. ReversingLabs analysts discovered:
- 67 fake GitHub repositories
- Dynamically generated backdoor payloads
- Obfuscated Python scripts with Base64, Hex, and Fernet encryption
- Malicious infrastructure shared with older Banana Squad operations
“The repository name is identical to one or more other repositories that are not trojanized,” the report explains, detailing how lookalike repositories are used to deceive developers.
One clever technique used in this campaign is hiding the malicious payload off-screen using GitHub’s UI quirk: code that doesn’t wrap.
“Trojanized Python files abuse a UI feature on GitHub in which long lines of code do not wrap… pushing the malicious code content off the screen to the right side,” explains ReversingLabs.
Even with a 4K monitor, the hidden backdoor remains invisible unless developers switch to Hex view or use forensic tools like Spectra Analyze.
One example: the file file-extension-spoofer.py in the degenerationred repository appears benign until it is inspected in depth with RL tools, which reveal an embedded payload.
To uncover the campaign, ReversingLabs worked backward from malicious URLs found in threat intelligence logs. These URLs included the repository names as query strings, making it easier to identify trojanized content.
ReversingLabs used Spectra Assure to compare clean and infected versions of the same repository. Key indicators included:
- Single-repo GitHub accounts with names like degenerationred
- Flame and rocket emojis in repository descriptions
- Dynamically generated strings embedded in README files and code
“Detected presence of software components that have code outside of the common screen width,” reads a Spectra Assure report, highlighting the core technique of visual subterfuge.
Trojanized Python files used various obfuscation layers:
- Base64-encoded strings
- Hexadecimal encoding
- Fernet encryption using the Python cryptography library
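The two indicator classes the article describes, code pushed beyond the visible screen width and layered Base64, hex and Fernet obfuscation, can be checked with a small static triage pass before any file from a downloaded repository is opened or run. The scanner below is an added example written for this article, not code from ReversingLabs or from Spectra Assure; the screen-width and blob-length thresholds, the regular expressions and the sample files are all constructed assumptions, since the article does not state the values or rules the commercial tool uses.

```python
"""Static triage heuristics for Python sources (added example, not RL code).

Indicators checked:
  1. code-beyond-screen-width: non-whitespace content past the column a code
     viewer shows without scrolling, typically after a wide run of spaces;
  2. base64-blob / hex-blob: long encoded string literals;
  3. fernet-usage: use of Fernet from the `cryptography` package;
  4. decode-then-exec: a decode call and exec/eval on the same line.
"""
import base64
import re

# Assumed thresholds; the article does not give Spectra Assure's values.
SCREEN_WIDTH = 200   # columns visible without horizontal scrolling
MIN_BLOB_LEN = 64    # shortest string literal treated as an encoded blob

BLOB_RE = re.compile(r"""['"]([A-Za-z0-9+/]{%d,}={0,2})['"]""" % MIN_BLOB_LEN)
FERNET_RE = re.compile(r"\bcryptography\.fernet\b|\bFernet\s*\(")
DYNEXEC_RE = re.compile(r"\b(?:exec|eval)\s*\(")
DECODE_RE = re.compile(r"\b(?:b64decode|fromhex|decrypt)\s*\(")
HEX_CHARS = set("0123456789abcdefABCDEF")


def classify_blob(blob):
    """Label a long literal as 'hex', 'base64' or None (neither)."""
    if set(blob) <= HEX_CHARS and len(blob) % 2 == 0:
        return "hex"
    try:
        base64.b64decode(blob, validate=True)   # binascii.Error is a ValueError
        return "base64"
    except ValueError:
        return None


def scan_source(text):
    """Return a list of (line_number, indicator, detail) for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tail = line[SCREEN_WIDTH:]
        if tail.strip():
            # Width of the whitespace run that precedes the hidden content.
            first = SCREEN_WIDTH + (len(tail) - len(tail.lstrip()))
            gap = first - len(line[:first].rstrip())
            findings.append((lineno, "code-beyond-screen-width",
                             "gap=%d tail=%r" % (gap, tail.strip()[:40])))
        for m in BLOB_RE.finditer(line):
            kind = classify_blob(m.group(1))
            if kind:
                findings.append((lineno, kind + "-blob", "len=%d" % len(m.group(1))))
        if FERNET_RE.search(line):
            findings.append((lineno, "fernet-usage", line.strip()[:60]))
        if DYNEXEC_RE.search(line) and DECODE_RE.search(line):
            findings.append((lineno, "decode-then-exec", line.strip()[:60]))
    return findings


def triage(files):
    """Scan a {path: source} mapping; return {path: findings} for files with hits."""
    return {path: hits for path, text in files.items() if (hits := scan_source(text))}


def indicators(findings):
    """Set of indicator names present in a findings list."""
    return {name for _, name, _ in findings}


# Constructed sample inputs (not real repository content). The hidden
# second-stage stand-in is a harmless print statement.
_STANDIN = base64.b64encode(b'print("stand-in for a second-stage loader; harmless")').decode()
SAMPLE_FILES = {
    "tools/clean.py": (
        "import sys\n"
        "def spoof_extension(name, ext='.txt'):\n"
        "    return name + ext\n"
    ),
    "tools/trojanized.py": (
        "import base64\n"
        "def spoof_extension(name, ext='.txt'):\n"
        "    return name + ext\n"
        # benign-looking prefix, a 300-space gap, then code the viewer never shows
        "print('done')" + " " * 300 + ";exec(base64.b64decode('" + _STANDIN + "'))\n"
    ),
    "tools/fernet_loader.py": (
        "from cryptography.fernet import Fernet\n"
        "KEY = b'" + "A" * 44 + "'\n"
        "BLOB = '" + "ab" * 40 + "'\n"
        "data = Fernet(KEY).decrypt(bytes.fromhex(BLOB))\n"
    ),
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_FILES).items():
        for lineno, name, detail in hits:
            print("%s:%d %s %s" % (path, lineno, name, detail))
```

The width check flags any line with content past the visible column regardless of how it got there, so legitimately long lines (minified data, generated code) will also appear; the reported gap width separates the whitespace-padding pattern described in the article from an ordinary long line, and a hit should be confirmed in a hex or raw view, as the article recommends, rather than in the repository web UI.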
These files ultimately contacted domains like dieserbenni[.]ru and 1312services[.]ru to retrieve final-stage payloads, which could include system reconnaissance tools, data stealers, and keyloggers.
“The Windows-based final payloads aimed to steal extensive amounts of sensitive data,” the report warns.
All 67 trojanized repositories have since been reported and taken down by GitHub. However, the true number of cloned or forked copies is unknown, suggesting many developers may have unknowingly pulled infected code into their projects.
“It is likely that there are several victims of this latest campaign,” notes ReversingLabs.
The Banana Squad campaign is yet another reminder that open-source trust can be weaponized. As the developer community continues to rely on platforms like GitHub for fast, accessible code, adversaries are evolving to blend in and exploit these dependencies.
“Backdoors and trojanized code in publicly available source code repositories like GitHub are becoming more prevalent and represent a growing software supply chain attack vector,” ReversingLabs concludes.