Start your day with intelligence. Get The OODA Daily Pulse.
A threat actor has built a network of over 200 GitHub repositories that have been delivering Windows malware, supply chain protection provider Socket reports. Dubbed Operation Muck and Load, the campaign involves 222 lure repositories across 190 accounts that contain a Go module designed to trigger the infection chain. The module, Socket explains, loads PowerShell code that fetches a resolver from public dead drops to execute Windows malware such as spyware, trojan downloaders, infostealers, and cryptominers. To deceive users, the Go module poses as a DNS/subdomain scanning tool built around the legitimate dnsub open source project. Since January 24, 2026, the threat actor has published over 1,200 versions of the package, 700 of which are malicious. “The likely cause is not normal release engineering, but the threat actor’s own GitHub Actions workflow repeatedly generating timestamp commits that could be surfaced as Go pseudo-versions,” Socket notes.
Full report : Network of 200 GitHub Repositories Used for Malware Infection.