The repository names were found to be identical to those of one or more other, non-trojanized repositories, indicating that some form of typo-squatting was at play. Additionally, the “About” section of these repositories was packed with search keywords related to the original repository’s theme and often included an emoji, usually a flame or a rocket ship, hinting at the use of AI.
ReversingLabs shared a list of campaign indicators, including domains, URLs, and filenames, along with all 67 flagged repositories for developers to watch out for.
“For developers relying on these open-source platforms (GitHub), it’s essential to always double-check that the repository you’re using actually contains what you expect,” Simmons cautioned. “However, the best way to avoid running into this threat is to compare the desired repository to a previous, known good version of the software or source code.”
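One way to run the known-good comparison described above, as an added example that is not code from ReversingLabs or this article: it hashes every file in a trusted checkout and in the candidate checkout, then lists what the candidate adds, drops or alters. The function names, directory layout and sample file contents are constructed for illustration, and it assumes both trees are already on local disk.

```python
import hashlib
import os
import tempfile
SKIP_DIRS = {".git"}  # clone metadata always differs; compare working-tree content only

def tree_manifest(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):
                data = b"symlink:" + os.readlink(path).encode()  # never follow links
            else:
                with open(path, "rb") as fh:
                    data = fh.read()
            manifest[rel] = hashlib.sha256(data).hexdigest()
    return manifest

def compare_trees(known_good, candidate):
    """Files the candidate adds, drops or alters relative to the known-good tree."""
    good, cand = tree_manifest(known_good), tree_manifest(candidate)
    return {
        "added": sorted(cand.keys() - good.keys()),
        "removed": sorted(good.keys() - cand.keys()),
        "changed": sorted(p for p in good.keys() & cand.keys() if good[p] != cand[p]),
    }

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():  # constructed sample trees: the candidate alters one file and adds another
    with tempfile.TemporaryDirectory() as tmp:
        good, cand = os.path.join(tmp, "good"), os.path.join(tmp, "cand")
        for root in (good, cand):
            _write(root, "README.md", "sample project\n")
            _write(root, "src/main.py", "print('hello')\n")
        _write(cand, "src/main.py", "print('hello')\nimport helper\n")
        _write(cand, "helper/__init__.py", "# unexpected extra module\n")
        return compare_trees(good, cand)

if __name__ == "__main__":
    print(demo())
```

Any entry under "added" or "changed" is a file to read before building or running the candidate; an empty result only shows the two trees match, not that the known-good copy itself is trustworthy.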