
200-plus impressively convincing GitHub repos are serving up malware

Plus: DOGE staff quit; LastPass PC, Mac gasp; and CISA warns Oracle and Adobe flaws under attack


Infosec bytes Kaspersky says it has found more than 200 GitHub repos hosting fairly convincing-looking fake projects laced with malicious software.

The Russian infosec house reckons the rotten repositories are evidence of a campaign that has run for two years and attempts to fool developers and other netizens with projects that look authentic: they list "tens of thousands" of commits and ship multi-language README files. Neither a large commit count nor a polished README is hard to fabricate, so neither is a trust signal on its own.

The repositories purport to offer code for Instagram aggregators, game cheats, and Telegram bots. When run, however, the projects also deploy information- and password-stealing malware, trojans, and code designed to hijack cryptocurrency wallets.

Kaspersky believes the crew behind the campaign, which it has named GitVenom, has already stolen nearly $500,000 from victims. It appears to us that at least some of the malicious repos have now been taken down. File hashes and other indicators to check for before running one of these projects are listed in Kaspersky's write-up.
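As an added example, not code from Kaspersky's report or from any of the repositories it describes, here is a small Python triage script to run over a cloned repository before trusting it. It hashes every file and compares the digests against an IoC set (the hash it uses is a constructed placeholder; substitute the ones from the vendor write-up), and it applies a heuristic of my own, not a claim the article makes, for padded commit histories: a log where almost every commit comes from one author, touches one path, and lands at a near-constant interval looks like a timer, not a project. Both the checkout and the commit histories it runs on are constructed inside the script.

```python
"""Triage a cloned repo: IoC hash match plus a commit-padding heuristic.
Added example, not Kaspersky's tooling. Assumptions: IoC hashes are SHA-256
hex digests taken from the vendor write-up (the one below is a constructed
placeholder); the commit-padding rule is this author's heuristic, not
something the article states."""
import hashlib
import os
import random
import tempfile
from collections import Counter
from statistics import median


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_repo(root, ioc_hashes):
    """Walk a checkout (skipping .git) and return [(relpath, sha256)] for
    every file whose digest is in ioc_hashes."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = sha256_of(full)
            if digest in ioc_hashes:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, digest))
    return sorted(hits)


def commit_history_looks_padded(commits, author_share=0.95, file_share=0.8,
                                regular_share=0.9):
    """commits: iterable of (author, unix_time, [paths touched]), e.g. parsed
    from `git log --format='%an%x00%at' --name-only`.
    Heuristic (mine): a history is 'padded' when one author made at least
    author_share of the commits, one path appears in at least file_share of
    them, and at least regular_share of the gaps between consecutive commits
    sit within 10% of the median gap, i.e. something on a timer."""
    commits = sorted(commits, key=lambda c: c[1])
    n = len(commits)
    if n < 50:
        return False, "too few commits to judge"
    top_author, n_author = Counter(a for a, _, _ in commits).most_common(1)[0]
    top_path, n_path = Counter(p for _, _, ps in commits for p in ps).most_common(1)[0]
    gaps = [later[1] - earlier[1] for earlier, later in zip(commits, commits[1:])]
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= 0.1 * med) / len(gaps)
    padded = (n_author / n >= author_share and n_path / n >= file_share
              and regular >= regular_share)
    reason = (f"{n_author}/{n} by {top_author}; {n_path}/{n} touch {top_path}; "
              f"{regular:.0%} of gaps within 10% of median {med:.0f}s")
    return padded, reason


def demo_histories():
    """Constructed data: a timer-driven padded history next to a plausible
    human one. Returns (padded_flag, human_flag)."""
    padded = [("bot", 1_700_000_000 + i * 300, ["last_updated.txt"])
              for i in range(500)]
    rng = random.Random(7)
    human, t = [], 1_700_000_000
    for _ in range(500):
        t += rng.randint(600, 3 * 86400)
        human.append((rng.choice(["ana", "ben", "cy"]), t,
                      rng.sample(["a.py", "b.py", "c.py", "README.md"],
                                 rng.randint(1, 3))))
    return (commit_history_looks_padded(padded)[0],
            commit_history_looks_padded(human)[0])


def demo_scan():
    """Constructed checkout with one file whose hash is on the 'IoC' list."""
    payload = b"# constructed stand-in for a malicious loader\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "loader.py"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "README.md"), "wb") as f:
            f.write(b"# Telegram bot\n")
        ioc = {hashlib.sha256(payload).hexdigest()}  # placeholder IoC
        return scan_repo(root, ioc)


if __name__ == "__main__":
    print("padded, human ->", demo_histories())
    print("IoC hits ->", demo_scan())
```

The hash check is the easy half; the commit-padding rule is the one to tune, since a legitimate bot-maintained repo (a dependency updater, a data snapshot) will also trip it. Treat a hit as a reason to read the code before running it, not as proof of malice.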

DOGE workers quit over security fears

More than 20 staff at the US Digital Service – the government body renamed to form Elon Musk's cost-slashing Department of Government Efficiency, aka DOGE – have quit, citing concerns that the work they have been asked to undertake imperils security and is pointlessly destructive.

The staffers reportedly sent a joint resignation letter that states: “DOGE’s actions — firing technical experts, mishandling sensitive data, and breaking critical systems — contradict their stated mission of ‘modernizing Federal technology and software to maximize governmental efficiency and productivity’."

“We will not use our skills as technologists to compromise core government systems, jeopardize Americans’ sensitive data, or dismantle critical public services,” the missive adds.

The workers feel the work they’ve been asked to do since the USDS became DOGE is incompatible with the agency’s mission, and their obligations to offer bi-partisan service.

The letter also reportedly details how Musk's operatives took over the USDS.

"Several of these interviewers refused to identify themselves, asked questions about political loyalty, attempted to pit colleagues against each other, and demonstrated limited technical ability," the staffers wrote. "This process created significant security risks."

Many of the staffers had left top jobs in the tech industry to join the service and smooth the course of government IT roll-outs. But they collectively said they could not stay and still "uphold our oath to the Constitution."

Also, it appears House Democrats have discovered internet-scanning service Shodan.io, judging by a letter [PDF] they've sent to President Trump demanding "a briefing from the leadership of DOGE" to explain how the unit is keeping federal systems it is involved with secure. The Dems have identified a bunch of public-facing web servers that they have concerns about, among other issues, such as who exactly has been given sudo-equivalent access to machines within Uncle Sam's sprawling IT jungle.

LastPass tells you to turn it off and on again

Password manager provider LastPass has advised users to delete its current software and reinstall the latest version after its application appeared to be overstressing CPUs.

After several complaints from frustrated users who reported PC slowdowns, the software biz advised folks to upgrade to LastPass version 4.139.3. The issue has reportedly hit Windows 10 and 11 systems, as well as Macs.

At least one user complained this had been a problem for weeks. If you have hit this too, let us know in the forums.

CISA adds two flaws to the actively exploited list

CISA has added security vulnerabilities in Adobe and Oracle software to its must-patch list after learning of active exploitation attempts.

One of the bugs is CVE-2017-3066, a 2017-vintage Java deserialization hole in the Apache BlazeDS library used in older versions of ColdFusion.

The Oracle flaw under attack is CVE-2024-20953, a blunder in Oracle Agile PLM version 9.3.6.

Inclusion in CISA's Known Exploited Vulnerabilities Catalog means US federal civilian agencies must remediate the flaws by a set deadline under Binding Operational Directive 22-01. Everyone else can treat the catalog, which CISA publishes as JSON and CSV, as a free, curated patch-priority list. ®
