GitHub Hunt: A Fake Cisco Exploit, Three Stealers, and a C2 Named PolyAgent
- Patrick Duggan
- Mar 17
- 3 min read
Updated: Apr 25
The Monday Hunt
We sweep GitHub for malware the way other people check email. Today's hunt found a fake exploit targeting security researchers, three infostealers published in the last 48 hours, and a C2 framework hiding behind 31 junk repos.
All reported to GitHub. All indexed in our STIX feed. Here's what's out there.
The Fake Cisco POC (Pattern 38)
Account: p3Nt3st3r-sTAr
Created: March 2, 2026 — 15 days ago
Repos: 5, all exploit proof-of-concepts
This account exists to backdoor security researchers. It publishes "proof of concept" code for critical CVEs — including CVE-2026-20131, the CVSS 10.0 Cisco FMC unauthenticated Java deserialization RCE that Cisco disclosed on March 4.
The pattern: researcher sees critical CVE. Researcher searches GitHub for POC. Researcher finds p3Nt3st3r-sTAr's repo. Researcher runs the code. Researcher is now compromised.
This is Pattern 38 — supply chain attacks through code repositories. We've been tracking this since December 2025. The target isn't random developers. The target is the people who respond to the vulnerability. The incident responders. The red teamers. The people with access to production systems.
The account also hosts "PoC-in-GitHub" — an auto-collector that aggregates exploit code from across the platform. That's the reconnaissance tool. Find the exploits, fork them, trojanize them, redistribute them.
We reported all 5 repos to GitHub.
Three Stealers in 48 Hours
BearHook — Published Today
Account: barobaro13 (0 followers, 2 repos)
What: Memory-resident infostealer that exfiltrates via Discord webhooks
The description is honest: "creates a invisible door from the memory and steals the gainable simple information from the victim and sends it to the author with a discord webhook."
Memory-resident means it doesn't write to disk. Discord webhook means the stolen data goes to a chat channel the attacker controls. Standard kit for credential harvesting at scale.
CsStealer — Account 2 Days Old, Already Gaining Stars
Account: fulluhq (created March 15, 2026 — two days ago, 0 followers)
What: Discord grabber/stealer with 2 stars already
Brand new account. No history. No followers. Two stars on a stealer in 48 hours. The stars aren't organic — they're either self-inflated or from a distribution network. When a zero-day-old account has stars on malware, someone is pushing it.
Stealer Mule — Created Yesterday
Account: yusifhaq755-dotcom (created March 16, 2026 — yesterday)
What: 4 repos including multiple stealers
Created yesterday. Four repos. Multiple stealers. This is a mule account — create, upload, distribute, burn. Tomorrow there will be a new one.
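The three account-level signals above (a weeks-old account whose only output is CVE proof-of-concepts, stars appearing on a days-old account with no followers, and several repos dropped on the day an account is created) are simple enough to score automatically. The triage below is an added example written for this write-up, not DugganUSA's tooling. Every record in sample_accounts() is constructed; the logins, star counts and CVE ids in it are placeholders loosely modelled on the cases described, and the thresholds (30 days, 2 days, 4 repos) are this example's choices.

```python
"""Triage heuristics for GitHub accounts that publish exploit PoCs.

Added example, not DugganUSA's tooling: it encodes the signals the write-up
calls Pattern 38 (young account, nothing but CVE PoCs), star inflation on a
days-old account, and the mule profile (many repos on day one). Every record
in sample_accounts() is constructed; logins and CVE ids are placeholders.
"""
from dataclasses import dataclass
from datetime import date
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


@dataclass
class Repo:
    name: str
    stars: int = 0
    description: str = ""


@dataclass
class Account:
    login: str
    created: date
    followers: int
    repos: list


def triage(acct: Account, as_of: date) -> list:
    """Return the findings for one account; an empty list means nothing notable."""
    age = (as_of - acct.created).days
    findings = []
    poc = [r for r in acct.repos
           if CVE_RE.search(r.name) or CVE_RE.search(r.description)]

    # Pattern 38 signal: account under a month old whose entire output is CVE PoCs.
    if age <= 30 and poc and len(poc) == len(acct.repos):
        findings.append(f"{age}d-old account publishing only CVE PoCs ({len(poc)} repos)")

    # Stars within two days of creation, on an account nobody follows, are not organic.
    stars = sum(r.stars for r in acct.repos)
    if age <= 2 and stars > 0 and acct.followers == 0:
        findings.append(f"{stars} star(s) within {age}d of creation, 0 followers")

    # Mule profile: several repos dropped within a day of account creation.
    if age <= 1 and len(acct.repos) >= 4:
        findings.append(f"{len(acct.repos)} repos within {age}d of creation (mule profile)")

    return findings


def sample_accounts() -> list:
    """Constructed records loosely modelled on the cases in the write-up (placeholders)."""
    return [
        Account("poc-only-example", date(2026, 3, 2), 0,
                [Repo(f"CVE-0000-000{i}-poc") for i in range(1, 6)]),
        Account("grabber-example", date(2026, 3, 15), 0,
                [Repo("grabber-example", stars=2, description="discord grabber")]),
        Account("mule-example", date(2026, 3, 16), 0,
                [Repo(f"stealer-{i}") for i in range(4)]),
        Account("established-example", date(2024, 11, 1), 2,
                [Repo("kkkkkk"), Repo("pppppp"), Repo("c2-framework-example")]),
    ]


def run_triage(as_of: date = date(2026, 3, 17)) -> dict:
    """Map login -> findings for the sample set, as of the hunt date."""
    return {a.login: triage(a, as_of) for a in sample_accounts()}


if __name__ == "__main__":
    for login, findings in run_triage().items():
        print(login, "->", findings or "no findings")
```

The established account with junk repo names scores nothing here on purpose: repo count and age alone do not separate a noisy hobbyist from a C2 developer, which is why the PolyAgent case below still takes a human look at repo contents.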
PolyAgent — C2 in a Junk Drawer
Account: frosty-coder (created November 2024, 31 repos, 2 followers)
What: "Cross-platform modular C2 framework for security research and Red Team operations"
The account has 31 repos. Most are junk — single-letter names, "kkkkkk", "pppppp", "mandem." Then it drops a cross-platform C2 framework. Also hosts GHOST-CLIENTS, dorknet, red-society, and vortex — an offensive tooling cluster hiding behind noise.
The bio says "tool, web and c2 developer." At least they're honest.
The Real Cisco Exploits
Separate from the fake POCs, legitimate exploit code exists for the Cisco FMC CVSS 10.0 vulnerabilities:
Sushilsin/CVE-2026-20131 — Python RCE exploit for Java deserialization
Sushilsin/CVE-2026-20079 — Python auth bypass exploit
sak110/CVE-2026-20131 — Fork/clone
These appear to be genuine security research, not trojanized. But the existence of public RCE exploit code for a CVSS 10.0 vulnerability means the window between "advisory published" and "mass exploitation" just closed. If you haven't patched your Cisco FMC, the exploit is a GitHub search away.
What We Did
Reported all 4 malicious accounts to GitHub abuse
Indexed all 6 indicators in our STIX feed
Published this writeup
The IOCs are in the feed. If your SIEM pulls our STIX data, these GitHub URLs are now flagged. Your developers searching GitHub for exploit code will trigger a correlation if they hit a trojanized repo.
Block the Supply Chain
Your developers use GitHub. Your security team uses GitHub. Your CI/CD pipeline pulls from GitHub. The supply chain attack surface is the development environment itself.
Our STIX feed includes GitHub malware indicators — trojanized repos, malware distribution accounts, fake POCs. Pipe it into your SIEM, correlate against your proxy logs, and you'll know when someone on your network downloads from a flagged repository.
Five minutes to configure. Autonomous after that.
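What "correlate against your proxy logs" looks like in practice, as an added example that is not the DugganUSA feed or a client for it: a STIX 2.1 bundle carrying URL indicators is parsed, each url:value is normalized so the browse URL, the clone URL and a raw-file fetch of the same repo all match, and the result is run over proxy log lines. The bundle and the log are constructed, every URL and id in them is a placeholder, and the assumption that flagged repos arrive as url:value patterns is this example's. The second rule, an outbound POST to a Discord webhook, is a heuristic for the exfiltration channel BearHook's description names above; it is not a feed indicator.

```python
"""Correlate STIX 2.1 URL indicators with web-proxy logs.

Added example, not the DugganUSA feed or a client for it. The bundle and the
proxy log are constructed, every URL and id in them is a placeholder, and the
assumption that flagged repos arrive as `url:value` patterns is ours. The
Discord-webhook rule is a separate heuristic, not a feed indicator.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed STIX 2.1 bundle with two URL indicators (placeholder URLs and ids).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2026-03-17T00:00:00.000Z",
            "modified": "2026-03-17T00:00:00.000Z",
            "name": "Trojanized PoC repo (placeholder)",
            "pattern_type": "stix",
            "pattern": "[url:value = 'https://github.com/example-acct/CVE-0000-0001-poc']",
            "valid_from": "2026-03-17T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2026-03-17T00:00:00.000Z",
            "modified": "2026-03-17T00:00:00.000Z",
            "name": "Malware distribution account (placeholder)",
            "pattern_type": "stix",
            "pattern": "[url:value = 'https://github.com/example-acct/PoC-collector']",
            "valid_from": "2026-03-17T00:00:00Z",
        },
    ],
})

# Constructed proxy log: timestamp client method url status.
PROXY_LOG = """\
2026-03-17T09:01:12Z 10.0.4.21 GET https://github.com/example-acct/CVE-0000-0001-poc/ 200
2026-03-17T09:01:40Z 10.0.4.21 GET https://github.com/example-acct/CVE-0000-0001-poc.git/info/refs 200
2026-03-17T09:05:03Z 10.0.7.8 GET https://github.com/some-vendor/docs 200
2026-03-17T09:09:55Z 10.0.4.21 POST https://discord.com/api/webhooks/000000000000000000/placeholder-token 204
"""

URL_PATTERN_RE = re.compile(r"url:value\s*=\s*'([^']+)'")
DISCORD_WEBHOOK_RE = re.compile(r"^discord(app)?\.com/api/webhooks/", re.IGNORECASE)


def normalize(url: str) -> str:
    """host/path with the scheme, any '.git' suffix and a trailing slash removed,
    so browse URL, clone URL and raw-file fetch of one repo share a prefix."""
    parts = urlsplit(url)
    path = re.sub(r"\.git(?=/|$)", "", parts.path).rstrip("/")
    return parts.netloc.lower() + path


def load_url_indicators(bundle_json: str) -> dict:
    """Map normalized URL -> indicator name for every url:value comparison in the bundle."""
    indicators = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for url in URL_PATTERN_RE.findall(obj["pattern"]):
            indicators[normalize(url)] = obj.get("name", obj["id"])
    return indicators


def correlate(log_text: str, indicators: dict) -> list:
    """Return (timestamp, client, rule, detail) for each log line that matches."""
    hits = []
    for line in log_text.splitlines():
        ts, client, method, url, _status = line.split()
        key = normalize(url)
        # A repo indicator should also fire on sub-paths (git refs, raw files, archives).
        for ioc, name in indicators.items():
            if key == ioc or key.startswith(ioc + "/"):
                hits.append((ts, client, "stix", name))
        # Heuristic, not a feed indicator: outbound POST to a Discord webhook.
        if method == "POST" and DISCORD_WEBHOOK_RE.match(key):
            hits.append((ts, client, "heuristic", "POST to Discord webhook"))
    return hits


def run() -> list:
    return correlate(PROXY_LOG, load_url_indicators(STIX_BUNDLE))


if __name__ == "__main__":
    for hit in run():
        print(*hit)
```

On the constructed log, the same client fetches the flagged repo twice (once by browse URL, once through a git clone) and then posts to a Discord webhook; the two rules together turn a repository download into a sequence worth a ticket, whereas either line alone is easy to dismiss.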
analytics.dugganusa.com/stix/pricing