Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 327, Issue 3IT Vendor NewsTrend Micro

Clone, Compile, Compromise: Water Curse'S Open-Source Malware Trap On GitHub

Trend Micro, Monday, June 16th, 2025

The Trend Micro Managed Detection and Response team uncovered a threat campaign orchestrated by an active group, Water Curse. The threat actor exploits GitHub, one of the most trusted platforms for open-source software, as a delivery channel for weaponized repositories.

A newly identified threat actor, Water Curse, is using weaponized GitHub repositories to deliver multistage malware. At least 76 GitHub accounts are linked to the campaign, with malicious payloads embedded in build scripts and project files.

The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems. Water Curse's campaign poses a supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams relying on open-source tooling.

Audit open-source tools used by red teams, DevOps, and developer environments, especially those from GitHub. Validate build files, scripts, and repository histories before use.

Trend Vision One detects and blocks the IOCs discussed in this blog. For further guidance on how Trend Micro solutions can help gain rich context on threats like Water Curse, see the later section of this report.

more →  ·  More from Trend Micro →