Weaponized GitHub Repositories: How Banana Squad and Water Curse Are Hitting Devs
Episode 135

Daily Security Review

June 20, 2025 (45m 59s)

Show Notes

Cybercriminals are increasingly turning GitHub into a malware distribution network. In this episode, we unpack two of the most alarming recent campaigns: Water Curse and Banana Squad — both targeting developers, red teams, and security professionals through poisoned open-source projects.

Water Curse, a financially motivated group, used at least 76 GitHub accounts to deliver multistage malware hidden inside the project configuration files of tools such as Sakura-RAT, so that the payload executes when a victim builds the project. The payloads drop obfuscated VBS and PowerShell scripts, perform system reconnaissance, and delete Volume Shadow Copies to hinder recovery. The malware, tracked as Backdoor.JS.DULLRAT.EF25, gives the attackers long-term remote access and exfiltrates data through services such as Telegram.
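As an added illustration (not code from the episode or from the researchers who tracked Water Curse), the Python scanner below assumes that the "project configuration files" are MSBuild .csproj/.vcxproj files and that the payload is staged through PreBuildEvent/PostBuildEvent text or an Exec task, which is where a Visual Studio build runs arbitrary commands. The two project files it checks are constructed samples; the base64 blob in the malicious one is just "IEX" encoded, not a real payload.

```python
"""Flag MSBuild/Visual Studio build steps that launch a script interpreter.

Added example, not code from the episode or from any vendor report.
Assumptions: the malicious project file is MSBuild XML and the staged
command lives in PreBuildEvent/PostBuildEvent/Command text or an
<Exec Command="..."/> task. Sample projects below are constructed."""
import re
import xml.etree.ElementTree as ET

# Elements whose text content msbuild/devenv executes during a build.
EXEC_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Command"}

# Interpreters, downloaders and encodings a build step rarely needs legitimately.
SUSPICIOUS = re.compile(
    r"\b(?:powershell|pwsh|wscript|cscript|mshta|certutil|bitsadmin|curl|wget|"
    r"Invoke-WebRequest|iwr|Invoke-Expression|iex|FromBase64String)\b"
    r"|\bcmd(?:\.exe)?\s+/c\b"
    r"|(?<!\w)-enc(?:odedcommand)?\b",
    re.IGNORECASE,
)


def _local(tag: str) -> str:
    """Strip the XML namespace so classic and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml: str):
    """Return (element_name, command) for every executable build step, in document order."""
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name in EXEC_TAGS and el.text and el.text.strip():
            found.append((name, el.text.strip()))
        elif name == "Exec" and el.get("Command"):
            found.append(("Exec", el.get("Command").strip()))
    return found


def flag_suspicious(project_xml: str):
    """Return only the build steps whose command matches SUSPICIOUS."""
    return [(n, c) for n, c in find_build_commands(project_xml) if SUSPICIOUS.search(c)]


# Constructed sample: a normal project that copies its output after building.
BENIGN_PROJECT = r"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)bin\"</PostBuildEvent>
  </PropertyGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>echo Building $(ProjectName)</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

# Constructed sample: an encoded PowerShell command in the pre-build event and a
# VBS helper launched from an Exec task. "SQBFAFgA" is "IEX" in UTF-16LE base64.
MALICIOUS_PROJECT = r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <PreBuildEvent>powershell -w hidden -enc SQBFAFgA</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Stage" BeforeTargets="Build">
    <Exec Command="cmd /c wscript //B build\helper.vbs" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for label, proj in (("benign", BENIGN_PROJECT), ("malicious", MALICIOUS_PROJECT)):
        for element, cmd in flag_suspicious(proj):
            print(f"[{label}] {element}: {cmd}")
```

Run it over a checkout before opening the solution in Visual Studio. It deliberately errs toward flagging any interpreter invocation in a build step, because a legitimate build of a small tool almost never needs PowerShell, a VBS helper or an encoded command.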

Banana Squad, meanwhile, deployed more than 60 fake repositories containing trojanized Python scripts posing as ethical hacking tools. Their visual obfuscation trick was to pad lines with whitespace so that the malicious statements sat hundreds of columns to the right, outside the visible width of GitHub's file view; the tactic worked until automated tooling caught the behavior.
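The padding trick can be caught mechanically. The scanner below is an added example, not code from the episode or from the Banana Squad repositories; the padding and line-length thresholds are assumptions, and the trojanized and clean scripts it checks are constructed samples whose hidden payload only prints a string.

```python
"""Flag Python source lines whose executable tail is pushed off-screen by
whitespace padding, plus the decode-and-exec calls such tails usually carry.

Added example, not code from the episode or from any malicious repository.
Assumptions: PAD_RUN and MAX_LINE thresholds; sample scripts are constructed."""
import re

PAD_RUN = 40     # a run of spaces/tabs this long inside a line is not natural code
MAX_LINE = 300   # anything longer needs horizontal scrolling to review in full

# Non-blank text, then >= PAD_RUN spaces/tabs, then more non-blank text to end of line.
HIDDEN_TAIL = re.compile(r"\S([ \t]{%d,})(\S.*)$" % PAD_RUN)

# Builtins and decoders typically used to unpack a staged payload on one line.
DANGEROUS = re.compile(
    r"\b(?:exec|eval|__import__)\s*\(|\bb64decode\b|\bzlib\.decompress\b|\bmarshal\.loads\b"
)


def scan_source(src: str):
    """Return one finding per suspicious line: {'line', 'reasons', 'visible', 'hidden'}.

    'visible' is what a reader sees at the left edge of the GitHub file view;
    'hidden' is the text that sits beyond the padding."""
    findings = []
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = raw.rstrip()            # trailing whitespace alone hides nothing
        reasons, visible, hidden = [], line, ""
        m = HIDDEN_TAIL.search(line)
        if m:
            reasons.append("code_after_padding")
            visible, hidden = line[:m.start(1)], m.group(2)
        elif len(line) > MAX_LINE:
            reasons.append("overlong_line")
        if DANGEROUS.search(line):
            reasons.append("dangerous_call")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons,
                             "visible": visible, "hidden": hidden})
    return findings


# Constructed sample: line 3 looks like a harmless print() in the web UI, but
# 200 spaces later it imports base64 and exec()s a blob (here just "print('hi')").
TROJANIZED = (
    "import os, sys\n"
    + "def banner():\n"
    + "    print('Fast port scanner')" + " " * 200
    + ";import base64;exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n"
    + "DATA = '" + "A" * 320 + "'\n"
    + "\n"
    + "if __name__ == '__main__':\n"
    + "    banner()\n"
)

# Constructed sample with nothing to flag.
CLEAN = "import sys\nprint('hello', sys.argv)\n"

if __name__ == "__main__":
    for f in scan_source(TROJANIZED):
        print(f"line {f['line']}: {', '.join(f['reasons'])}")
        if f["hidden"]:
            print(f"  visible: {f['visible']!r}")
            print(f"  hidden:  {f['hidden']!r}")
```

A long string literal with internal runs of spaces will also trip the padding check, so treat findings as review prompts rather than verdicts; the point is that the "hidden" field surfaces exactly the text a reader of the GitHub page never scrolled far enough to see.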

Both groups reflect a broader trend: cybercriminals use Malware-as-a-Service (MaaS) platforms to outsource infrastructure, scale their operations, and target critical parts of the software supply chain. Developers, security teams, and even gamers are now at risk, not through phishing emails but by trusting what they download from legitimate platforms.

We also explore how MaaS lowers the technical barrier for attackers and discuss the critical need for secure software development, SBOM transparency, and validating code before it is built or run.

This isn’t a theoretical threat. It’s a shift in the way malware is built, delivered, and scaled — and it’s already compromising environments in plain sight.

#GitHubMalware #WaterCurse #BananaSquad #SoftwareSupplyChain #MaaS #OpenSourceSecurity #PythonMalware #BackdoorJS #Cybersecurity #DeveloperSecurity #Infosec #VisualStudioMalware #TrojanizedCode #GitHubSecurity #CodeTrustCrisis

Topics

GitHub malware, Water Curse campaign, Banana Squad, malware-as-a-service, MaaS, software supply chain attack, open-source malware, trojanized Python scripts, developer cybersecurity, Backdoor.JS.DULLRAT, GitHub repository attack, poisoned repos, cyber threat to developers, VBS malware, PowerShell payload, Visual Studio malware, GitHub attack 2025, code obfuscation, Telegram exfiltration, Sakura-RAT, infosec podcast, developer threat intel, supply chain compromise, fake ethical hacking tools, multistage malware, GitHub cyber attack