Over 200 GitHub repos used to distribute Windows malware

Operation Muck and Load used 222 GitHub repositories and a malicious Go module that loads PowerShell to fetch payloads from public dead drops.
Supply chain protection firm Socket reported a network of 222 GitHub repositories across 190 accounts delivering Windows malware in a campaign it calls Operation Muck and Load. The repositories hosted a Go module presented as a DNS and subdomain scanning tool based on the legitimate dnsub project.
Socket found more than 1,200 published versions of the package since January 24, 2026; roughly 700 contained malicious code. The firm linked the high version count to an automated GitHub Actions workflow that repeatedly generated timestamp commits appearing as Go pseudo-versions.
Socket wrote: “The likely cause is not normal release engineering, but the threat actor’s own GitHub Actions workflow repeatedly generating timestamp commits that could be surfaced as Go pseudo-versions.”
The Go module hides a PowerShell command that runs before any scanning logic. The command is obscured with excessive horizontal whitespace and fetches a PowerShell script. That script retrieves a resolver from public dead drops; the resolver acts as a downloader, extractor and launcher.
The resolver locates encrypted payload metadata, decrypts a URL, downloads a password-protected archive, extracts its contents and executes them. The PowerShell is executed in a way intended to bypass Windows script-execution policy checks.
Rather than a single host, the actor mirrored encrypted resolver material across multiple public services to improve resilience. Socket identified Pastebin, Rlim, Muck-themed infrastructure, YouTube, Instagram, Telegram, Google Docs and GitCode as dead-drop locations embedded in the scripts.
Observed final-stage payloads include remote access trojans, infostealers and Monero miners. Socket confirmed at least 14 unique malware files, including trojan loaders and downloaders, the Vidar infostealer, dropper and spyware payloads, AsyncRAT and Quasar RAT families, Remcos-style RATs and Monero-mining binaries linked to XMRig and BitMiner campaigns.
Most repositories acted as lures that triggered the malicious chain when the Go module was used, but Socket also found repositories that embedded malware in source trees or included malicious binaries as GitHub release assets. The firm linked the campaign to activity associated with the email address ‘ischhfd83’ and to Muck-themed domains.
Socket discovered and documented the operation and provided a step-by-step analysis of the infection sequence, the mirrored dead-drop approach and the range of final-stage payloads.








