```html ``` Arctic Wolf Named 292 Fake GitHub Repos Yesterday. We Built the Hunter Overnight and It Flagged Nine More on the First Run. Here's the Method — Steal It.
top of page

Arctic Wolf Named 292 Fake GitHub Repos Yesterday. We Built the Hunter Overnight and It Flagged Nine More on the First Run. Here's the Method — Steal It.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 20 hours ago
  • 4 min read

Yesterday Arctic Wolf published a campaign: 292 fake GitHub repositories impersonating trusted software, delivering an infostealer. Good research, and we credited it. But there are two ways to consume a report like that. You can read it, nod, and file it — which means the next 292 repos catch you exactly the same way. Or you can ask the more useful question: if a vendor found this class by hunting for it, why am I not hunting for it too? We asked that last night, built the hunter this morning, and on its first real run it flagged nine live fakes the report never mentioned. This post is the method, and the method is yours to take.



Why You Cannot Hunt This by Name


The obvious approach is to search GitHub for "ledger installer" or "proton vpn download" and block whatever comes back. Do that and you will drown. Legitimate helper scripts, community mirrors, and real tooling use those exact words. The name of a repo is a candidate generator, not a verdict. If you flag on the string, you cry wolf, your team stops listening, and the one real fake hides in the noise you created. We learned this the hard way on the package side months ago: a name carries almost no signal on its own. The signal is in the behavior.


So the hunter uses the brand name only to gather candidates, and then it scores each candidate on what it actually does. Here are the tells that matter.



The Behavioral Tells


The strongest single tell is what we call the org-stage pattern. A brand-new GitHub organization whose only content is a special repository named .github, which GitHub renders as a slick landing page with a download button. Real vendors do not stage their installer in a stranger's freshly-created org profile. Arctic Wolf's campaign used exactly this — a fake "Arctic-Wolf-Security" org — and when we pointed our hunter at crypto and VPN brands it lit up on the same shape: a Ledger org, a Trezor org, a Proton VPN org, each one days old, each one a .github landing page, none of them the real company.


The other tells stack on top of that. Freshness — a repo created in the last few weeks, because these operations burn and rebuild constantly. The throwaway shape — zero stars, zero forks, no genuine history, because nobody uses them for anything but the lure. The README that routes you off GitHub — a download link pointing at a domain that is not github.com, which is the moment the victim leaves the trusted platform and walks into the payload. Sketchy file hosts and archive passwords in the README, the tells of malware that does not want to be scanned. And brand mismatch — a repo named for Trezor whose text talks about Ledger, the fingerprint of a single kit cloned across a dozen brands. No single tell convicts. Three or four of them stacked is a fake, and the machine can weigh that in the time it takes to read a search result.


That weighing is the whole game. If AI is the room full of monkeys typing, the behavioral score is the jolt that only fires on signal — you do not wait for the monkey to type Hamlet, you shock it the instant the tell appears. Candidates are cheap. The verdict is the craft.



What It Caught


On its first run against six brands, the hunter returned nine repositories it scored as blocks, every one of them fresh and every one of them wearing the org-stage pattern: fake Ledger, Trezor, MetaMask-adjacent, Proton VPN, and Exodus wallet orgs, the oldest of them under two months old, most under three weeks. These are not in Arctic Wolf's 292. They are the next batch, live right now, and we have written every one of them into our own indicator feed so that anyone pulling it inherits the catch. That is the point of persisting novel data instead of just printing it: a finding that lives only in a console is a finding that helped nobody.


We are being honest about the confidence, as always. The hunter flags candidates with a defensible behavioral score; a human should confirm before filing an abuse report, and we cap our certainty at the honest ninety-five percent because the last five percent is where the odd legitimate mirror lives. But a scored, prioritized queue of nine likely-fakes that a person can verify in a minute each is a categorically different thing from a vendor report you read after the damage is done.



Hunt the Brands That Matter — Then Give It Away


A hunter is only as useful as the brands you point it at. We are pointing ours at the roster we already audit for AI perception — the leaderboard on our AIPM product — and widening it to the Fortune 500 plus the software brands that actually get impersonated for installer malware: the wallets, the VPNs, the security tools, the developer tools. That combination is deliberate. It means a defender at a large enterprise, a security vendor, or a wallet maker can look up their own name and find that we are already watching for the fakes that wear it. The broader that coverage, the more useful the feed, and the more useful the feed, the more reason to use it instead of finding out from an incident.


And the method itself is not proprietary. Gather candidates by brand. Score them on the org-stage pattern, freshness, the throwaway shape, the off-GitHub download link, and the brand mismatch. Verify the top of the queue by hand. Report the confirmed fakes to GitHub and write them into whatever blocklist your infrastructure reads. You can build that in an afternoon, because we did, and if you would rather not, our feed already carries the ones we have found. Take the method or take the feed. Either way, stop reading about the fakes after they have worked, and start finding them while they are still empty.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page