Cybercriminals are using GitHub to distribute a fake free VPN download that tricks users into installing Lumma Stealer malware.
Security researchers at Cyfirma uncovered the campaign, which delivered malware labeled as “Free VPN for PC” via a public GitHub repository. Once installed, the file deployed Lumma Stealer, a known info-stealing malware.
The campaign also used another lure: a file called “Minecraft Skin.” This shows the attacker’s intent to target different user groups, from privacy-focused adults to younger gamers.
GitHub used as a trusted malware delivery tool
This attack highlights a growing trend where legitimate platforms are exploited to host malware. GitHub, known for open-source collaboration, is being used for more than just code sharing.
By hiding malware behind trusted-looking repositories, attackers take advantage of GitHub’s reputation to avoid detection. The Lumma Stealer variant in this case used GitHub as its initial distribution vector, then executed system-level scripts once downloaded.
This isn’t the first time Lumma has appeared. Users have also encountered it in YouTube videos advertising cracked software and in fake CAPTCHA prompts that trick users into running malicious code.
What is Lumma Stealer?
Lumma Stealer is written in C and sold on the dark web as a malware-as-a-service product. Its operators charge $140–$160 per month and distribute it through Telegram channels and underground forums.
In May, the US Justice Department and Microsoft shut down over 2,300 malicious domains tied to LummaC2 operations. Still, the malware remains a serious threat.
How to avoid Lumma Stealer infections
- Avoid suspicious links: Phishing emails and messages often contain malicious URLs.
- Don’t download pirated content: Malware often hides in games, ebooks, and cracked software.
- Use antivirus software: Real-time protection helps detect and block malware.
- Never run unknown commands: Lumma campaigns often trick users into running commands from the command line.
- Enable 2FA: This adds a layer of security if your credentials get stolen.

