
New Malvertising Campaign Exploits GitHub Repositories to Distribute Malware


By Mayura Kathir

A sophisticated malvertising campaign has been uncovered that targets unsuspecting users through “dangling commits” in a legitimate GitHub repository: commits that belong to no branch or tag of the project yet remain viewable at the repository's own commit URL, so whatever they contain appears under a trusted project's name.

Attackers use these dangling commits to plant promotional content for a counterfeit GitHub Desktop installer inside popular development and open-source projects.

When users download what appears to be the genuine client, the installer quietly delivers malicious payloads in the background, compromising systems without raising immediate suspicion.

Security researchers first observed the campaign when monitoring web traffic for unusual advertising redirects.

Victims clicking on malvertising banners were redirected to compromised pages offering an updated GitHub Desktop client build.

Instead of fetching the official installer, these pages served a dropper masquerading as “GitHubDesktopSetup-x64.exe.” Execution of the dropper triggers a multi-stage process: it launches a Windows Script Host (wscript.exe) script, which in turn executes PowerShell commands to load and run a malicious DLL payload via svchost.exe.
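The execution chain just described is exactly what endpoint telemetry records as a sequence of parent/child process creations. As an added example (not code from the gbhackers article or from the researchers it cites), the following Python walks constructed Sysmon Event ID 1-style process-creation records and flags that chain with three heuristics: svchost.exe not spawned by services.exe, PowerShell spawned by a Windows Script Host interpreter, and a full dropper-to-svchost ancestry rooted in an executable under a user-writable directory. The PIDs, file names and command lines in the sample are placeholders, not indicators from the campaign.

```python
"""Flag the dropper -> wscript -> PowerShell -> svchost chain in process telemetry.

Added example, not part of the gbhackers article. All events below are
constructed Sysmon Event ID 1-style records; PIDs, paths and command lines
are placeholders, not indicators from the real campaign.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# Constructed sample telemetry: a benign service host, a user opening
# PowerShell from Explorer, and one chain matching the article's description.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(900, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(1200, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    # Placeholder dropper name modelled on the article's "GitHubDesktopSetup-x64.exe".
    ProcEvent(3001, 1200, r"C:\Users\alice\Downloads\GitHubDesktopSetup-x64.exe",
              "GitHubDesktopSetup-x64.exe"),
    ProcEvent(3002, 3001, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\alice\AppData\Local\Temp\placeholder.vbs"),
    ProcEvent(3003, 3002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc PLACEHOLDER"),
    ProcEvent(3004, 3003, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")


def basename(image: str) -> str:
    """Lower-cased file name of an image path, e.g. 'svchost.exe'."""
    return ntpath.basename(image).lower()


def in_user_writable_dir(image: str) -> bool:
    """True if the image lives somewhere an unprivileged user can write."""
    low = image.lower()
    return any(marker in low for marker in USER_WRITABLE)


def ancestry(by_pid: dict, pid: int, max_depth: int = 16) -> list:
    """Events from the process at `pid` up to the root, nearest first.

    Stops at unknown parents, on a PID cycle, or after max_depth hops
    (PID reuse can otherwise produce bogus loops in real telemetry).
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_suspicious(events) -> list:
    """Return (pid, rule) pairs for events matching the article's chain.

    Rules are heuristics; each has known benign exceptions to tune per fleet:
      svchost_bad_parent   - svchost.exe not spawned by services.exe
      script_to_powershell - powershell.exe spawned by wscript.exe/cscript.exe
      dropper_chain        - svchost.exe <- powershell.exe <- wscript/cscript
                             <- an .exe sitting in a user-writable directory
    """
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        pname = basename(parent.image) if parent else ""
        if name == "svchost.exe" and pname != "services.exe":
            findings.append((ev.pid, "svchost_bad_parent"))
        if name == "powershell.exe" and pname in SCRIPT_HOSTS:
            findings.append((ev.pid, "script_to_powershell"))
        if name == "svchost.exe":
            chain = ancestry(by_pid, ev.pid)
            names = [basename(e.image) for e in chain]
            if (len(chain) >= 4 and names[1] == "powershell.exe"
                    and names[2] in SCRIPT_HOSTS
                    and names[3].endswith(".exe")
                    and in_user_writable_dir(chain[3].image)):
                findings.append((ev.pid, "dropper_chain"))
    return findings


if __name__ == "__main__":
    for pid, rule in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign svchost.exe (parent services.exe) and the PowerShell launched from Explorer produce no findings; only the chain rooted in the Downloads-folder executable fires, with the full-ancestry rule giving the highest-confidence hit. In a real deployment the svchost parent rule needs an allow-list for legitimate exceptions, and the user-writable markers should be widened to the paths your fleet actually uses.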

The payload establishes persistent communication with a ...


Copyright of this story belongs to gbhackers.