Banana Squad is a cybercriminal group known for distributing malware by disguising malicious code within fake GitHub repositories that appear to be legitimate hacking tools, primarily written in Python. The group was first identified by Checkmarx researchers in October 2023 and has been active since at least April 2023.
Their attack method involves creating numerous fake GitHub repositories, often each under a unique username, whose sole purpose is to distribute malware. These repositories mimic real hacking tools but are “trojanized”: alongside the advertised functionality they contain hidden malicious code that steals sensitive data from the victim's machine, installed applications, web browsers and cryptocurrency wallets, and that can redirect cryptocurrency funds.
Banana Squad’s campaigns have resulted in the distribution of hundreds of malicious software packages, which were downloaded nearly 75,000 times before being discovered and removed. The group uses various tactics to evade detection; one is exploiting the fact that GitHub's web code viewer does not wrap long lines, so malicious code placed far to the right on an otherwise ordinary line sits off-screen and is easy to miss during a quick review.
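A defender's check for the non-wrapping-line trick described above, written here as an added example (it is not code from Checkmarx, from the page, or from any Banana Squad repository). It scans Python source for lines that would extend past the visible width of a web code viewer and for code that appears only after a long run of blank columns or beyond that width. The column threshold (200), the padding-run length (40), the list of suspicious calls and the sample file are all assumptions constructed for this example; the embedded base64 string decodes to a harmless `print("hi")` and is never executed.

```python
import re
from typing import Dict, List

# Assumed width beyond which a web code viewer needs horizontal scrolling.
MAX_VISIBLE_COLS = 200
# Assumed length of a whitespace run that suggests content was pushed off-screen.
PAD_RUN = 40
# Calls commonly used to decode and run a hidden payload (assumed list).
SUSPICIOUS = re.compile(
    r"\b(?:exec|eval|compile|__import__)\s*\(|b64decode|urlopen|requests\.get"
)
# Non-blank, then a long run of spaces/tabs, then non-blank: code hidden mid-line.
PADDING = re.compile(r"\S([ \t]{%d,})\S" % PAD_RUN)


def scan_source(src: str) -> List[Dict[str, object]]:
    """Return one finding per line that looks like it hides code past the visible width."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        reasons: List[str] = []
        if len(line) > MAX_VISIBLE_COLS:
            reasons.append(f"{len(line)} columns wide (viewer does not wrap)")
        pad = PADDING.search(line)
        if pad:
            reasons.append(f"{len(pad.group(1))} blank columns in the middle of the line")
        hit = SUSPICIOUS.search(line)
        # A decode/exec call is only reported when it is hidden: off-screen or after padding.
        if hit and (hit.start() >= MAX_VISIBLE_COLS or pad):
            reasons.append(f"{hit.group(0)!r} at column {hit.start() + 1}")
        if reasons:
            findings.append(
                {"line": lineno, "reasons": reasons, "preview": line[:60].rstrip() + " ..."}
            )
    return findings


# Constructed sample: a plausible-looking tool whose third line carries a payload
# 300 columns to the right of the visible code. The base64 decodes to print("hi").
SAMPLE = (
    "import sys\n"
    "def banner():\n"
    '    print("demo tool v1.0")'
    + " " * 300
    + ';exec(__import__("base64").b64decode("cHJpbnQoImhpIik="))\n'
    "banner()\n"
)


def scan_sample() -> List[Dict[str, object]]:
    """Run the scanner over the constructed sample file."""
    return scan_source(SAMPLE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f['line']}: {f['preview']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run the scanner over every `.py` file of a repository before executing anything from it; a single finding with all three reasons (over-wide line, blank-column run, decode or exec call past the visible width) is the pattern to treat as hostile. An `eval(` or `exec(` at the start of a line is deliberately not reported on its own, so the check stays quiet on ordinary code and flags only what is hidden from the viewer.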
Their primary targets include developers, red teams, and novice cybercriminals—groups likely to seek out open-source hacking tools. The group’s activity reflects a broader trend of supply chain compromise, where attackers exploit trusted platforms and tools to distribute malware.
Banana Squad’s name is derived from an early malicious internet address, bananasquadru. Their campaigns are notable for their stealth and scale, with over 60 fake repositories identified in recent investigations.
