We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

GitHub Comments Used to Spread Lumma Stealer Malware

GitHub Comments Used to Spread Lumma Stealer Malware
Anka Markovic Borak Published on 7th September 2024 Writer and Quality Assessor

In a recent campaign, GitHub comments are being used to distribute Lumma Stealer, a password-stealing malware. The campaign was first reported by a contributor to the teloxide Rust library, who shared on Reddit that multiple GitHub comments, disguised as fixes, were actually pushing malware. BleepingComputer’s research revealed that thousands of similar comments were appearing across various projects.

The comments direct users to download password-protected archives containing malware-laden executables. These archives, often downloaded from MediaFire or bit.ly links, use the password "changeme" for extraction. Upon running the included file, identified as 'x86_64-w64-ranlib.exe', the Lumma Stealer malware is executed.

Lumma Stealer is designed to extract sensitive information such as cookies, credentials, credit card details, and browsing history from major web browsers like Chrome and Edge. The malware also targets cryptocurrency wallets and files containing private keys, passwords, and other valuable data.

Nicholas Sherlock, a reverse engineer, stated that over 29,000 malicious comments had been posted over three days. While GitHub staff is actively removing these comments, several users have already reported falling victim to the attack.

Those who have unknowingly executed the malware are advised to change passwords on all accounts. When establishing new passwords, users are encouraged to abide by the golden rules to ensure password strength. Furthermore, it is crucial to move cryptocurrency to new wallets immediately. Some of the safest and most widely used cryptocurrency wallets can be found in this article.

A similar campaign by the Stargazer Goblin threat actors, disclosed by Check Point Research last month, used fake GitHub accounts to create a malware Distribution-as-a-Service (DaaS). It remains unclear whether these two campaigns are linked or if they involve different threat actors.

About the Author

Anka Markovic-Borak is a writer and quality assessor at vpnMentor, who leverages her expertise to write insightful articles on cybersecurity, driven by her passion for protecting online privacy. She also ensures articles written by others are reaching vpnMentor's high standards.

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address