A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.

The campaign drew traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.

The malware collects data from more than 19 web browsers, steals info from 32 cryptocurrency wallets, and exfiltrates sensitive details from messaging and social media apps.

Cybersecurity company ArcticWolf identified the activity after finding that one of its products was impersonated in the campaign starting June 26.

In total, the researchers uncovered 292 fake repositories, each including a README file with a download link directing visitors to a malicious download page.