Retro gaming fans are the new target for fake GitHub malware

Retro gaming fans should be careful with GitHub projects that claim to be tools or plugins for their consoles. Attackers can disguise ordinary computer malware as homebrew software, and the technique works against any retro platform with an active modding scene, not just one console.

We recently looked at one example aimed at PlayStation Vita owners: a fake project that pretends to be a free audio tool but actually runs Windows malware on your computer.

The project, called EQVita, looks like a normal homebrew plugin. It has a polished README, a download button, screenshots, and a tidy layout. But the file you download doesn’t contain anything for a Vita at all. It contains three Windows files, and the harmless-looking text file among them is actually a hidden script that quietly connects to the attacker’s server once you run it.

This isn’t a one-off. Other researchers have observed attackers using fake GitHub repositories—dressed up with AI-generated descriptions—to spread a type of malware called SmartLoader, which then pulls in password and wallet-stealing malware such as Lumma Stealer. The EQVita download uses the same method, repackaged to appeal to retro gaming fans.

Take a look at the comparison below. On the left we have a fake GitHub repository, on the right a real one.