What's Happening?
A threat actor has established a network of over 200 GitHub repositories to distribute Windows malware, as reported by supply chain protection provider Socket. This operation, named 'Operation Muck and Load,' involves 222 lure repositories across 190
accounts, utilizing a Go module to initiate the malware infection chain. The module masquerades as a DNS/subdomain scanning tool based on the legitimate dnsub open source project. Since January 2026, the threat actor has released over 1,200 versions of the package, with 700 identified as malicious. The module executes PowerShell code to fetch a resolver from public dead drops, leading to the deployment of various malware types, including spyware, trojan downloaders, infostealers, and cryptominers. The operation uses multiple public platforms to host encrypted resolver material, ensuring operational resilience.
Why It's Important?
This development highlights significant vulnerabilities in open-source platforms like GitHub, which can be exploited for large-scale malware distribution. The operation's ability to use public platforms for hosting malicious payloads underscores the challenges in securing software supply chains. This poses a threat to developers and organizations relying on open-source tools, potentially leading to data breaches and financial losses. The incident emphasizes the need for enhanced security measures and vigilance in the software development community to prevent similar attacks.
What's Next?
The cybersecurity community is likely to increase efforts to detect and mitigate such threats. GitHub and other platforms may implement stricter monitoring and verification processes to prevent the misuse of their services. Developers and organizations are expected to adopt more robust security practices, including regular audits and the use of advanced threat detection tools, to safeguard against supply chain attacks.













