Intel Name: Clone, compile, compromise: Water Curse's open-source malware trap on GitHub
Date of Scan: June 20, 2025
Impact: Medium
Summary: Water Curse, a newly identified threat actor, is exploiting weaponized GitHub repositories to deliver multistage malware disguised as legitimate open-source tools. Linked to at least 76 GitHub accounts, the campaign includes tools such as an SMTP email bomber and Sakura-RAT, which were presented as legitimate penetration testing utilities but contained hidden malicious payloads embedded within their Visual Studio project configuration files. The malware enables data exfiltration, remote access, and persistent system control through complex infection chains using obfuscated VBS and PowerShell scripts. Targeting cybersecurity professionals, game developers, and DevOps teams who trust open-source software, this campaign poses a significant supply chain risk and underscores the need to thoroughly audit and validate open-source tools before use.
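One defender-side check this summary calls for, as an added example that is not from the original report or from any of the repositories it describes: a small audit of a Visual Studio project file that lists every MSBuild build hook and flags the ones that launch script interpreters or carry obfuscation flags. It assumes the payload is triggered from build events (PreBuildEvent/PostBuildEvent) or Exec tasks; the sample .csproj and its commands are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Visual Studio project file (.csproj) that smuggles
# script launches into MSBuild build hooks; the commands are placeholders.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <AssemblyName>SmtpTool</AssemblyName>
    <PreBuildEvent>powershell -w hidden -enc BASE64PLACEHOLDER</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Cleanup" AfterTargets="Build">
    <Exec Command="cscript //nologo $(TEMP)\\upd.vbs" />
  </Target>
  <Target Name="Copy" AfterTargets="Build">
    <Exec Command="xcopy /y bin\\*.dll $(OutDir)" />
  </Target>
</Project>
"""

# Build-time hooks: anything here runs as soon as the project is compiled,
# before the resulting binary is ever inspected or executed.
HOOK_TAGS = {"PreBuildEvent", "PostBuildEvent", "Exec"}
# Interpreters and flags that warrant a closer look when found in a build hook.
SUSPICIOUS = re.compile(
    r"\b(powershell|pwsh|cscript|wscript|mshta|certutil|bitsadmin|rundll32|regsvr32)\b"
    r"|\.vbs\b|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden"
    r"|DownloadString|FromBase64String|\bIEX\b",
    re.IGNORECASE,
)

def audit_project(xml_text):
    """Return (tag, severity, command) for every build hook in the project.
    severity is 'high' when the command matches SUSPICIOUS, else 'review'."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace
        if tag not in HOOK_TAGS:
            continue
        command = (el.get("Command") if tag == "Exec" else el.text) or ""
        command = " ".join(command.split())  # normalise whitespace
        if not command:
            continue
        severity = "high" if SUSPICIOUS.search(command) else "review"
        findings.append((tag, severity, command))
    return findings

if __name__ == "__main__":
    for tag, severity, command in audit_project(SAMPLE_CSPROJ):
        print(f"[{severity:>6}] {tag}: {command}")
```

Every hook is reported, not only the suspicious ones, because a "review" entry running an unexpected copy or download is still worth reading before the project is built.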