Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories

ReversingLabs researchers recently uncovered a new and worrying attack method led by a group called Banana Squad. This group, first identified by Checkmarx researchers in October 2023, is known for their sneaky methods, with their name coming from an early harmful internet address, bananasquadru.

The ReversingLabs team, including Principal Malware Researcher Robert Simmons, found over 60 fake project folders, called repositories, on GitHub. These repositories looked like real hacking tools written in Python, but they were actually trojanized, meaning they contained hidden malicious code.

Malicious code was placed in the top section of the repository, while the lower part appeared harmless (Image via ReversingLabs)

In their earlier attacks, starting in April 2023, Banana Squad put out hundreds of bad software packages under various usernames, researchers noted in their blog post shared with Hackread.com. These programs were designed for Windows computers and aimed to “steal extensive amounts of sensitive data,” including information from computers, apps, web browsers, and even cryptocurrency wallets by redirecting money.

These bad packages were downloaded nearly 75,000 times before they were found and removed. More recently, in November 2024, a harmful project from Banana Squad, found at dieserbenniru, showed a new trick. They used a GitHub feature where long lines of code don’t wrap.

Additionally, attackers added many spaces to push their malicious code off the screen, making it invisible to someone just looking at the code. This makes it much harder to spot the hidden danger. Fake user accounts, often with only one project listed, are commonly used by Banana Squad to host these harmful repositories.
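A defender can check a cloned repository for this padding trick before running anything from it. The scanner below is an added example, not code from ReversingLabs or from this article; the thresholds `MIN_PAD` and `MAX_VISIBLE`, the function names, and the embedded sample are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Assumed thresholds (not from the article); tune for your own code base.
MIN_PAD = 80       # whitespace run long enough to push code out of view
MAX_VISIBLE = 200  # columns a reviewer realistically sees without scrolling

# A long run of spaces/tabs followed by more content on the same line.
PADDED = re.compile(r"(?<![ \t])[ \t]{%d,}(\S.*)$" % MIN_PAD)

# Constructed sample: a harmless statement hidden 300 columns to the right.
SAMPLE = (
    "import os\n"
    "def banner():\n"
    "    print('tool v1')" + " " * 300 + "; print('constructed hidden statement')\n"
    "banner()\n"
)

def scan_text(text, name="<memory>"):
    """Return one finding per line whose content extends out of normal view."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PADDED.search(line)
        if match:  # content placed after deliberate-looking padding
            reason, col = "padded", match.start(1)
        elif len(line.rstrip()) > MAX_VISIBLE:  # very long line, no padding
            reason, col = "long-line", MAX_VISIBLE
        else:
            continue
        findings.append({"file": name, "line": lineno, "column": col + 1,
                         "reason": reason, "hidden": line[col:col + 60]})
    return findings

def scan_tree(root):
    """Scan every .py file under root (a cloned repository, for example)."""
    findings = []
    for path in Path(root).rglob("*.py"):
        findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings

if __name__ == "__main__":
    roots = sys.argv[1:]
    results = ([f for r in roots for f in scan_tree(r)] if roots
               else scan_text(SAMPLE, "constructed-sample.py"))
    for f in results:
        print("{file}:{line}:{column} [{reason}] {hidden!r}".format(**f))
    sys.exit(1 if results else 0)
```

Run with one or more repository paths as arguments; the non-zero exit status on any finding lets it gate a review step. A "long-line" hit is only a prompt to scroll right and read, since minified or generated files trigger it too.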

Beyond Banana Squad’s specific activities, the overall increase in OSS risk points to ongoing problems. A new report for 2025 from ReversingLabs shows a changing picture in the safety of open-source software (OSS).

While overall malware found in OSS repositories significantly dropped in 2024 – a 70% decrease across platforms like npm, PyPI, and RubyGems compared to 2023 – the risk to software development from OSS is actually growing.

These threat actors are getting smarter. Instead of just uploading simple malware, they are using more hidden and complex ways to attack, especially on platforms like GitHub. The positive trend in malware reduction, meanwhile, is partly thanks to better security measures, including mandatory two-factor authentication (2FA) and the OpenSSF’s Malicious Packages Repository, launched in 2023.

Other reports indicate issues like a rise in secret leaks in 2024, where sensitive login details are exposed. Also, a look at top OSS packages revealed many security holes and code rot – a reliance on old, unmaintained code. This means popularity does not equate to security. The evolving threat means everyone using open-source software needs to be more watchful and use better tools to stay safe from groups like Banana Squad and other emerging threats.

HackRead
