
Fake GitHub Repo, Real Infostealer — The Breach Started with a Search Result

Researchers at Huntress recently uncovered a campaign where attackers created fake GitHub repositories impersonating a legitimate open-source AI tool. The fake repos pushed Vidar and AMOS infostealers along with proxy malware. Microsoft Bing’s AI search was surfacing these fraudulent repos as top results for users searching for the software by name.

The attack worked because GitHub carries inherent trust. A repo looks legitimate. The name looks right. The install instructions look normal. Almost nobody checks who owns the repo, when it was created, or what the installer actually fetches before running it.

This is the supply chain problem in its most basic form: the attacker did not need to breach anything. They just needed to look convincing long enough for someone to run an installer.

Two things are worth noting. First, the initial download from a fake repo, and the installed binary's first call home, are exactly the kind of outbound connections that contextual traffic monitoring catches: a process the host has never seen talk outbound, a destination outside that process's baseline, geo attribution that makes no sense for the software in question, a freshly installed tool reaching infrastructure it has no business reaching. Second, the proxy malware installed alongside the infostealer turns the victim host into a relay for attacker traffic. Because that traffic leaves the network from a trusted internal host, a perimeter firewall passes it like any other outbound session; inline network monitoring, by contrast, sees the same host suddenly fanning out to many destinations it never touched before.
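The two checks above, as an added example that is not code from the page, Huntress, or BleepingComputer: a per-process destination baseline that flags new processes, new countries and new IPs, plus a per-host fan-out check for a machine that has started relaying traffic. The record layout, hostnames, process names, RFC 5737 documentation addresses, country labels and thresholds are all assumptions made for the example.

```python
"""
Added example, not code from the page, Huntress, or BleepingComputer: two
baseline-versus-observed checks over constructed outbound connection records,
illustrating the contextual traffic monitoring the text describes. The record
layout, hostnames, process names, RFC 5737 documentation addresses, country
labels and thresholds are all assumptions.
"""
from collections import defaultdict

# Record layout (assumed): (host, process, dest_ip, dest_country, bytes_out)
# Constructed "normal week" traffic used to build the per-process baseline.
BASELINE = [
    ("dev-laptop-07", "code.exe", "192.0.2.10", "US", 4_000),
    ("dev-laptop-07", "code.exe", "192.0.2.11", "US", 2_500),
    ("dev-laptop-07", "chrome.exe", "192.0.2.20", "US", 120_000),
    ("dev-laptop-07", "chrome.exe", "192.0.2.21", "DE", 30_000),
    ("dev-laptop-07", "git.exe", "192.0.2.30", "US", 9_000),
    ("dev-laptop-08", "chrome.exe", "192.0.2.20", "US", 90_000),
    ("dev-laptop-08", "outlook.exe", "192.0.2.40", "US", 15_000),
]

# Constructed traffic after a user on dev-laptop-07 ran an installer from a
# look-alike repo: the installer calls home, and a dropped helper binary
# starts relaying traffic to many unrelated destinations. dev-laptop-08 is
# a control host that behaves as before.
RELAY = [
    ("dev-laptop-07", "nethelper.exe", f"203.0.113.{i}", country, 50_000)
    for i, country in enumerate(["BR", "IN", "NL", "US", "US", "FR", "JP", "CA"], start=1)
]
OBSERVED = [
    ("dev-laptop-07", "chrome.exe", "192.0.2.20", "US", 80_000),
    ("dev-laptop-07", "chrome.exe", "192.0.2.22", "NL", 5_000),
    ("dev-laptop-07", "git.exe", "192.0.2.30", "US", 3_000),
    ("dev-laptop-07", "git.exe", "192.0.2.31", "US", 1_000),
    ("dev-laptop-07", "installer.exe", "198.51.100.5", "RU", 250_000),
    ("dev-laptop-08", "chrome.exe", "192.0.2.20", "US", 70_000),
    ("dev-laptop-08", "outlook.exe", "192.0.2.40", "US", 12_000),
] + RELAY


def build_profile(records):
    """Per (host, process): the destination IPs and countries seen in the baseline."""
    profile = defaultdict(lambda: {"ips": set(), "countries": set()})
    for host, proc, ip, country, _ in records:
        profile[(host, proc)]["ips"].add(ip)
        profile[(host, proc)]["countries"].add(country)
    return dict(profile)


def new_destination_alerts(profile, records):
    """Flag a process the host has never seen talk outbound, a destination
    country outside that process's baseline, or an unseen destination IP.
    Returns (host, process, dest_ip, reason) tuples in record order."""
    alerts = []
    for host, proc, ip, country, _ in records:
        seen = profile.get((host, proc))
        if seen is None:
            alerts.append((host, proc, ip, "new process with outbound traffic"))
        elif country not in seen["countries"]:
            alerts.append((host, proc, ip, f"new destination country {country}"))
        elif ip not in seen["ips"]:
            alerts.append((host, proc, ip, "new destination ip"))
    return alerts


def relay_candidates(baseline, observed, fanout_factor=2):
    """Hosts whose count of distinct outbound destinations grew by at least
    fanout_factor over their baseline: the footprint of a machine that has
    started relaying someone else's traffic."""
    def fanout(records):
        per_host = defaultdict(set)
        for host, _, ip, _, _ in records:
            per_host[host].add(ip)
        return per_host

    before, after = fanout(baseline), fanout(observed)
    return sorted(
        host for host, ips in after.items()
        if len(ips) >= fanout_factor * max(1, len(before.get(host, ())))
    )


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for alert in new_destination_alerts(profile, OBSERVED):
        print("ALERT", *alert)
    print("relay candidates:", relay_candidates(BASELINE, OBSERVED))
```

Two design points worth keeping in a real deployment: the baseline is keyed per process rather than per host, because a browser legitimately talks to new countries every day while a freshly dropped binary should not, and the fan-out check compares against each host's own history rather than a global threshold, so a developer workstation and a kiosk are each judged against what is normal for them.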

The breach did not start with a firewall failure. It started with a search result.

Source: BleepingComputer — Fake OpenClaw GitHub Repos Pushing Info-Stealing Malware, March 2026
