Hackers Are Impersonating Security Tools to Hack Security Professionals
New supply chain attack uses dormant GitHub accounts to distribute PyStoreRAT malware disguised as OSINT tools.
Attackers are reactivating GitHub accounts that have been dormant for years, giving them instant credibility. They populate these accounts with AI-generated “security tools”—cryptocurrency bots, GPT wrappers, OSINT utilities—that look polished and legitimate.
These repositories climb GitHub’s trending lists, putting them right in front of IT admins and security researchers. Once they gain traction and stars, attackers push a “maintenance update” that contains PyStoreRAT—a JavaScript/HTA backdoor designed for long-term persistence.
The malware profiles your system, deploys the Rhadamanthys stealer to exfiltrate credentials, and spreads via USB drives. It actively detects security tools like CrowdStrike Falcon and changes its execution technique to avoid detection.
The C2 infrastructure uses rotating nodes, making takedowns difficult. The codebase contains Russian-language strings, which points to either the operators' origin or the audience being targeted.
Security professionals getting hacked by fake security tools is like a locksmith getting robbed by someone selling fake locks.
If you download tools from GitHub:
Verify repository ownership and commit history
Check when the account was created vs when the repo appeared
Look for sudden activity spikes after long dormancy
Run tools in sandboxed environments first
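The checklist above is easy to turn into a script. What follows is an added example written for this post, not code from the original article or from any of the projects it mentions. It scores a repository against the three signals the checklist names (old account versus brand-new repo, content that appeared all at once, and a later "maintenance" commit that introduces JavaScript/HTA files the repo never had), plus a star-velocity check. Input is constructed sample data shaped loosely like the GitHub REST API responses for a user, a repo and its commit list (the "added" file list is a simplification; the real API only returns file lists per commit). The extension list, the keyword list and every threshold are assumptions to tune for your own environment; nothing is fetched over the network.

```python
"""Triage a GitHub repo for the dormant-account / maintenance-update pattern.

Added example for this post. Data shapes are a simplified, constructed stand-in
for the GitHub REST API; thresholds and word/extension lists are assumptions.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Script types a late "maintenance update" should never silently add to a Python
# OSINT tool. .js/.hta come from the post; the rest are assumed dropper types.
PAYLOAD_EXTENSIONS = (".js", ".hta", ".vbs", ".ps1", ".bat", ".cmd")
MAINTENANCE_WORDS = ("maintenance", "update", "fix", "bump")   # assumption


def _ts(s: str) -> datetime:
    """Parse GitHub-style ISO-8601 timestamps such as '2019-03-01T12:00:00Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _suffix(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def triage_repo(user: dict, repo: dict, commits: list[dict], as_of: str | None = None,
                old_account_years: float = 2.0, burst_window_hours: float = 48.0,
                burst_min_commits: int = 5, star_velocity_per_day: float = 50.0) -> dict:
    """Return {"findings": {name: bool}, "score": int}; higher score = more suspicious.

    user    = {"login": str, "created_at": iso}
    repo    = {"created_at": iso, "stargazers_count": int}
    commits = [{"date": iso, "message": str, "added": [paths]}, ...] (any order)
    """
    commits = sorted(commits, key=lambda c: _ts(c["date"]))
    now = _ts(as_of) if as_of else datetime.now(timezone.utc)
    account_created, repo_created = _ts(user["created_at"]), _ts(repo["created_at"])
    findings: dict[str, bool] = {}

    # 1. Account is years old but the repo is new: credibility borrowed from account age.
    age_at_repo = (repo_created - account_created).days / 365.25
    findings["old_account_new_repo"] = age_at_repo >= old_account_years

    # 2. The whole codebase landed within hours of the first commit (pre-built, not grown).
    first = _ts(commits[0]["date"]) if commits else repo_created
    window = timedelta(hours=burst_window_hours)
    burst = [c for c in commits if _ts(c["date"]) - first <= window]   # a prefix, since sorted
    findings["initial_burst"] = len(burst) >= burst_min_commits

    # 3. After the initial burst, a "maintenance"-style commit adds script/HTA files of a
    #    type the repo did not contain before: the delivery step described in the post.
    early_suffixes = {_suffix(p) for c in burst for p in c.get("added", [])}
    late_payload = False
    for c in commits[len(burst):]:
        msg = c.get("message", "").lower()
        new_payload = [p for p in c.get("added", [])
                       if _suffix(p) in PAYLOAD_EXTENSIONS and _suffix(p) not in early_suffixes]
        if new_payload and any(w in msg for w in MAINTENANCE_WORDS):
            late_payload = True
            break
    findings["late_payload_commit"] = late_payload

    # 4. Stars accumulating far faster than the repo's age would suggest (trending overnight).
    age_days = max((now - repo_created).days, 1)
    findings["star_velocity"] = repo["stargazers_count"] / age_days >= star_velocity_per_day

    return {"findings": findings, "score": sum(findings.values())}


# Constructed sample data (not a real account or repository).
SAMPLE_USER = {"login": "example-maintainer", "created_at": "2016-05-10T09:00:00Z"}
SAMPLE_REPO = {"created_at": "2025-01-03T10:00:00Z", "stargazers_count": 1400}
SAMPLE_COMMITS = [
    {"date": "2025-01-03T10:05:00Z", "message": "Initial commit", "added": ["README.md"]},
    {"date": "2025-01-03T10:20:00Z", "message": "Add OSINT scanner", "added": ["osint/scan.py"]},
    {"date": "2025-01-03T11:00:00Z", "message": "Docs", "added": ["docs/usage.md"]},
    {"date": "2025-01-03T12:30:00Z", "message": "CLI", "added": ["cli.py"]},
    {"date": "2025-01-04T08:00:00Z", "message": "Tests", "added": ["tests/test_scan.py"]},
    {"date": "2025-01-20T17:45:00Z", "message": "Maintenance update",
     "added": ["utils/loader.js", "utils/run.hta"]},
]
SAMPLE_AS_OF = "2025-01-24T00:00:00Z"

if __name__ == "__main__":
    result = triage_repo(SAMPLE_USER, SAMPLE_REPO, SAMPLE_COMMITS, as_of=SAMPLE_AS_OF)
    for name, hit in result["findings"].items():
        print(f"{'!' if hit else ' '} {name}")
    print("score:", result["score"])
```

Any single finding can be innocent (a two-year-old account starting a new project is normal), which is why the function reports all of them and a score rather than a verdict; the sample data trips all four. Feed it real API output by mapping each commit's files endpoint into the "added" list, and treat a hit on late_payload_commit as a reason to diff that commit before pulling it.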
Everyone else:
Enable behavior-based detection (not just signature-based AV)
Monitor for unusual USB drive activity
Review what GitHub repos your team is cloning
Implement application allowlisting (whitelisting) on critical systems so unapproved scripts and HTA files cannot run
If a “security tool” appears on trending overnight with AI-generated docs, it’s probably not a security tool.
Attackers know security professionals trust GitHub and download tools constantly.
They’re weaponizing that trust by creating convincing fakes that pass the eye test—until you run them.
The irony? The people building security defenses are being targeted with supply chain attacks disguised as security tools.
— Alex