A massive network of fake GitHub accounts, dubbed the “Stargazers Ghost Network,” has been uncovered by cybersecurity researchers at Check Point. The network, which comprises around 3,000 “ghost” accounts, has been secretly manipulating pages on the code-hosting website to promote malware and phishing links.
According to the researchers, the network has been active since at least June last year, and is believed to be the work of a single cybercriminal, known as “Stargazer Goblin.” This individual has been using the network to host malicious code repositories on GitHub, which is the world’s largest open-source code website.
The network’s modus operandi involves using fake accounts to “star,” “fork,” and “watch” the malicious pages, making them appear popular and genuine. This tactic, which is similar to liking, sharing, and subscribing, helps to boost the pages’ visibility and credibility. The more stars a page has, the more realistic it looks, making it easier to deceive unsuspecting users.
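A defender-side illustration of why inflated stars are detectable, added here and not part of the Check Point research or the article: the script scores a repository's stargazers on two signals the tactic above produces, stars arriving in a tight burst and stars coming from empty accounts. The record fields and the sample stargazers are constructed for the example.

```python
"""Heuristic scoring of a repository's stargazers for star-inflation campaigns.

Constructed example: the Stargazer fields are assumed to be what a maintainer
could collect for each starring account; the sample accounts are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Stargazer:
    login: str
    created_at: datetime   # when the starring account was created
    starred_at: datetime   # when it starred the repository
    public_repos: int      # repositories the account owns
    followers: int         # accounts following it


def low_activity(s: Stargazer) -> bool:
    """A ghost account usually owns (almost) nothing and has no followers."""
    return s.public_repos <= 1 and s.followers == 0


def star_burst_ratio(stars: List[Stargazer], window: timedelta) -> float:
    """Fraction of all stars that fall inside the single densest time window."""
    if not stars:
        return 0.0
    times = sorted(s.starred_at for s in stars)
    best, j = 0, 0
    for i, t in enumerate(times):          # sliding window ending at times[i]
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best / len(times)


def suspicion_score(stars: List[Stargazer]) -> float:
    """Average of the ghost-account share and the one-hour burst share (0..1)."""
    if not stars:
        return 0.0
    ghosts = sum(1 for s in stars if low_activity(s)) / len(stars)
    burst = star_burst_ratio(stars, timedelta(hours=1))
    return round((ghosts + burst) / 2, 3)


# Constructed sample: eight empty accounts star within minutes, two organic users later.
BASE = datetime(2024, 6, 1, 12, 0)
GHOSTS = [Stargazer(f"ghost{i}", BASE - timedelta(days=2), BASE + timedelta(minutes=i), 0, 0)
          for i in range(8)]
ORGANIC = [Stargazer("longtime_dev", BASE - timedelta(days=900), BASE + timedelta(days=3), 25, 40),
           Stargazer("researcher", BASE - timedelta(days=1500), BASE + timedelta(days=9), 60, 300)]
SAMPLE = GHOSTS + ORGANIC

if __name__ == "__main__":
    print(f"suspicion score: {suspicion_score(SAMPLE)}")   # 0.8 for the sample above
```

A score near 1 means most stars came from empty accounts within one hour; a score like the organic-only case (0.25) reflects sparse stars from established users.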
The researchers, led by Antonis Terefos, a malware reverse engineer at Check Point, discovered the network while investigating instances of the Atlantida Stealer malware. They found that the network was spreading malicious GitHub repositories that offered downloads of social media, gaming, and cryptocurrency tools, mostly targeting Windows users.
While cybercriminals have been abusing GitHub for years, uploading malicious code and adapting legitimate repositories, Terefos says he has not previously seen a network of fake accounts operating in this way on the platform.
The operator behind the network is believed to be charging other hackers to use their services, which Check Point calls “distribution as a service.” The network has been spotted sharing various types of ransomware and info-stealer malware, including the Atlantida Stealer, Rhadamanthys, and the Lumma Stealer.
GitHub has taken steps to address the issue, disabling user accounts that violate its Acceptable Use Policies. The company’s vice president of security operations, Alexis Wales, stated that GitHub has teams dedicated to detecting, analyzing, and removing content and accounts that violate these policies.
The discovery of the Stargazers Ghost Network highlights the ongoing challenge of securing open-source software platforms like GitHub, which have become a popular target for cybercriminals and hackers. With over 100 million users and 420 million repositories, the platform’s sheer size and complexity make detecting and removing malicious content difficult.
In recent years, researchers have been mapping instances of fake stars, spotting dangerous code hidden in projects, facing growing supply-chain attacks against open source software, and seeing comments being used to spread malware.