200+ GitHub Repos Caught Spreading Windows Malware in Coordinated Attack
Discover "Operation Muck and Load": a malware campaign using GitHub repositories to spread Windows threats via hidden payloads.
By
Content Team
ON THIS PAGE
Want more insights like this?
Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.
By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.
Security firm Socket has uncovered "Operation Muck and Load" — a campaign using 222 GitHub repositories across 190 accounts to distribute Windows malware. Active since January 24, 2026, the threat actor published over 1,200 package versions, 700 of which are malicious.
The attack disguises a Go module as a legitimate DNS scanning tool. Hidden PowerShell code then pulls encrypted payloads from dead-drop platforms including Pastebin, YouTube, Instagram, Telegram, and Google Docs — making it harder to shut down.
Final payloads include AsyncRAT, Quasar RAT, Vidar infostealer, and XMRig cryptominers. GitHub users pulling Go dependencies are directly at risk.
Source: SecurityWeek
Have questions about protecting your software?
Our escrow experts are standing by to help.
Book a free demo