Malicious GitHub Fork of 'Triton' macOS App Used to Distribute Windows Malware

Malicious GitHub Fork of 'Triton' App Discovered Delivering Windows Malware in Supply Chain Attack

Severity: MEDIUM
February 18, 2026
4m read
Supply Chain Attack, Malware, Threat Actor

Related Entities

Threat Actors: JaoAureliano
Products & Tech: Triton


Executive Summary

On February 17, 2026, a software supply chain attack was discovered on GitHub, leveraging a malicious fork of a legitimate open-source project to distribute malware. An attacker, using the GitHub account 'JaoAureliano,' created a deceptive clone of 'Triton,' a known macOS client for the omg.lol service. The malicious repository was designed to trick developers and users into downloading a trojanized ZIP file named Software_3.1.zip. In a classic bait-and-switch, the payload within the ZIP file was not the macOS application but malware targeting the Windows operating system. This attack demonstrates how threat actors exploit the trust and collaborative nature of open-source platforms to propagate their malware.


Threat Overview

This attack is a clear example of typosquatting and brandjacking within the software supply chain. The threat actor's process was as follows:

  1. Identify Target: The attacker chose a legitimate, niche open-source project ('Triton') with a positive reputation.
  2. Fork and Clone: They created a fork or clone of the original repository under a new, similar-sounding account ('JaoAureliano').
  3. Trojanize: The attacker did not modify the source code itself. Instead, they added a malicious ZIP file to the repository's 'releases' or linked it prominently in the README file.
  4. Lure: The README was crafted to look legitimate, encouraging users to download the pre-compiled Software_3.1.zip for convenience.
  5. Payload Mismatch: The downloaded ZIP contained a Windows executable, despite the project being for macOS. Unsuspecting users who might run this on a Windows machine (or in a VM) would become infected.

This technique preys on users who prefer to download pre-built binaries rather than compiling from source, which is common practice.

Technical Analysis

Impact Assessment

The primary impact is the infection of Windows machines belonging to users who fell for the trap. The consequences depend on the nature of the delivered malware, which could be anything from an infostealer or a credential harvester to a ransomware dropper or a botnet agent. This type of attack also erodes trust in the open-source ecosystem, making developers and users more hesitant to use forked or less-known repositories. For the legitimate 'Triton' project, it can cause reputational damage through false association.

Detection & Response

  • Source Code vs. Binaries: When using open-source software, always be suspicious of pre-compiled binaries, especially from unofficial forks. Whenever possible, review the source code and compile it yourself.
  • Reputation Checks: Check the reputation of the GitHub account. A brand new account with only one forked repository should be considered suspicious.
  • Antivirus/EDR: A modern endpoint security solution should be able to detect and block the execution of the known malware within the ZIP file. This is an application of D3FEND's D3-FA - File Analysis.
  • File Hashing: Compare the hash of any downloaded binary against official hashes provided by the legitimate project maintainers, if available.

Mitigation

  • Developer and User Education: Train developers and users on the risks of software supply chain attacks. Emphasize the importance of verifying the source of any downloaded code or binary. This is a form of M1017 - User Training.
  • Use Official Sources: Only download software from the official, original repository of the project. Avoid forks unless you have a specific reason and have reviewed them carefully.
  • Automated Scanning: Integrate security scanning tools into the development pipeline that can analyze dependencies and flag suspicious code or binaries. This can be part of D3FEND's D3-DA - Dynamic Analysis of software components.
  • Code Signing: Legitimate software projects should use code signing to provide users with a way to verify the authenticity and integrity of their distributed binaries.

Timeline of Events

  1. February 17, 2026: The malicious GitHub fork of the Triton app is discovered and reported.
  2. February 18, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Educate developers on the dangers of using untrusted forks and downloading pre-compiled binaries.
  • Legitimate projects should sign their releases, and users should verify the signatures.
  • Endpoint protection should scan downloaded files and detect the embedded malware.

D3FEND Defensive Countermeasures

To defend against trojanized downloads like the one in the malicious Triton fork, organizations should enforce automated File Analysis on all files downloaded from the internet, especially executables and archives like ZIP files. This can be implemented at the network edge via a secure web gateway or on the endpoint via an EDR solution. When a user downloads Software_3.1.zip, the security tool should automatically inspect the contents, perform static and dynamic analysis (sandboxing) on the embedded executable, and block it if it's identified as malicious. This prevents the user from ever being able to run the malware.
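As an added example (not the article's own code, nor the Triton project's), this Python triage script ties together the Detection & Response checks above and the File Analysis countermeasure: it inspects a downloaded ZIP for executables that do not match the platform the project claims (a Windows PE inside an archive advertised as a macOS app) and compares the archive's SHA-256 with a hash published by the maintainers. The sample archive, its synthetic "executable" and the reference hash are constructed inline; the real contents of Software_3.1.zip are not on this page.

```python
import hashlib
import io
import struct
import zipfile

# Constructed stand-in for Software_3.1.zip: the "executable" is a bare
# MZ/PE header, not real malware, so the script can be run offline.
def build_sample_zip() -> bytes:
    stub = bytearray(b"MZ" + b"\x00" * 58)          # DOS header up to offset 0x3C
    stub += struct.pack("<I", 0x40)                  # e_lfanew -> PE signature at 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20             # minimal PE signature
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Software_3.1/README.txt", "Triton for macOS - prebuilt\n")
        zf.writestr("Software_3.1/Triton.exe", bytes(stub))
    return buf.getvalue()

def is_windows_pe(head: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Mach-O magics (32/64-bit, both byte orders) plus the fat/universal magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def is_macho(head: bytes) -> bool:
    return head[:4] in MACHO_MAGICS

def triage_archive(zip_bytes: bytes, expected_platform: str = "macos") -> dict:
    """Classify each member by its first 4 KiB and flag executables for the wrong platform."""
    findings = {"windows_pe": [], "macho": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4096)
            if is_windows_pe(head):
                findings["windows_pe"].append(info.filename)
            elif is_macho(head):
                findings["macho"].append(info.filename)
            else:
                findings["other"].append(info.filename)
    # A Windows PE in an archive advertised for macOS is the bait-and-switch described above.
    findings["platform_mismatch"] = expected_platform == "macos" and bool(findings["windows_pe"])
    return findings

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches_published_hash(zip_bytes: bytes, published_sha256: str) -> bool:
    """Compare the download against a hash the legitimate maintainers published (case-insensitive)."""
    return sha256_hex(zip_bytes) == published_sha256.strip().lower()
```

A mismatch flag or a failed hash comparison is a reason to quarantine the archive and hand it to sandbox analysis rather than run anything inside it.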

A strong mitigation against this type of supply chain attack is to build a corporate culture and policy around Service Binary Verification. This means that whenever possible, developers should not use pre-compiled binaries from unvetted sources. Instead, they should download the source code from the official project repository, review it, and compile it themselves. For critical software, organizations can maintain their own internal, vetted repository of open-source binaries. This practice, while more time-consuming, provides strong assurance that the executed code matches the public source code and has not been trojanized.

Sources & References

  • Cyware Daily Threat Intelligence, February 17, 2026 (Cyware, cyware.com, February 17, 2026)
  • Malicious GitHub Fork of Triton macOS App Drops Windows Malware (BleepingComputer, bleepingcomputer.com, February 17, 2026)

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Supply Chain Attack, GitHub, Malware, Open Source, Trojan
