The cybersecurity landscape faces a new kind of threat — one that does not come from shadowy dark web forums or phishing emails, but from the very platforms developers trust most. On June 16, 2025, Trend Micro exposed a sophisticated threat actor dubbed Water Curse, which has weaponized at least 76 GitHub accounts to deliver multi-stage malware through seemingly legitimate open-source repositories. The campaign represents a troubling evolution in supply chain attacks, one that directly impacts the crypto and blockchain developer community.
The Exploit Mechanics
Water Curse operates by cloning and modifying legitimate open-source projects, embedding malicious payloads within Visual Studio project configuration files. When a developer downloads and compiles the project, the malicious code executes during the build process — specifically through a snippet embedded inside the <PreBuildEvent> tag. This triggers a Visual Basic Script (VBS) that initiates a complex infection chain.
The VBS script then drops and executes obfuscated PowerShell scripts, which download encrypted archives and extract Electron-based applications. The malware performs extensive system reconnaissance, employing anti-debugging techniques, privilege escalation methods, and persistence mechanisms such as scheduled tasks and registry modifications. The initial access vector exploits GitHub’s codeload.github.com domain — the standard endpoint for repository archiving — making the downloads appear entirely legitimate to both users and security tools.
Two notable weaponized repositories identified by Trend Micro include an SMTP Email Bomber tool and Sakura-RAT, a remote administration tool. Both were presented as legitimate penetration testing utilities, targeting red teams, security professionals, and developers who frequently rely on open-source tooling. Bitcoin traded at approximately $106,796 on the day of the disclosure, with the broader crypto market capitalization hovering around $3.3 trillion — a tempting pool of value for financially motivated threat actors.
Affected Systems
The primary targets span three distinct communities: cybersecurity professionals and penetration testers, game developers, and DevOps teams. Water Curse’s malware enables credential theft, browser data exfiltration, session token harvesting, and remote access — all of which are particularly dangerous for anyone managing cryptocurrency wallets or exchange accounts on the same machine.
Evidence suggests that related GitHub accounts and activity date back to March 2023, indicating a long-running, patient operation. The group employs a diverse toolkit including PowerShell, JavaScript, C#, VBS scripts, and compiled PE binaries, suggesting a well-resourced operation with cross-functional development capabilities. Data staging and exfiltration activities use 7-Zip compression and communicate with multiple external domains for both payload delivery and data upload.
The Mitigation Strategy
For developers and security teams, the Water Curse campaign demands a fundamental reassessment of how open-source tools are consumed. Organizations should implement strict code review processes for any third-party repositories, particularly those related to security testing or system administration. Build files, scripts, and project configuration files should be inspected for anomalous commands before compilation.
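One way to do that inspection before `msbuild` ever runs, as an added example that is not from the Trend Micro report or any project's own tooling: parse the MSBuild project file, collect every build-event command (the <PreBuildEvent> vector above, plus post-build events and <Exec> tasks), and flag the ones that invoke script hosts, encoded PowerShell, URLs or .vbs files. The triage patterns and the sample .csproj are constructed assumptions to be tuned per environment.

```python
# Added example: scan an MSBuild project file for build-time command execution
# (the PreBuildEvent vector). Patterns and sample project are constructed.
import re
import xml.etree.ElementTree as ET

# Elements whose text MSBuild runs as a shell command; .vcxproj nests <Command>
# inside <PreBuildEvent>/<PostBuildEvent> item definitions.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Command"}
# Assumed triage patterns: script hosts and download utilities, encoded or
# hidden PowerShell, URLs and .vbs references warrant a manual look.
SUSPICIOUS = [
    r"\b(cscript|wscript|mshta|certutil|bitsadmin|rundll32)\b",
    r"powershell(\.exe)?\s.*(-enc|-e\s|encodedcommand|downloadstring|iex|"
    r"invoke-expression|hidden|bypass)",
    r"https?://",
    r"\.vbs\b",
]

def find_build_commands(xml_text):
    """Return (element, command) pairs for every command the build would run."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.split("}", 1)[-1]          # drop the MSBuild XML namespace
        if name in BUILD_EVENT_TAGS and elem.text and elem.text.strip():
            found.append((name, elem.text.strip()))
        elif name == "Exec" and elem.get("Command"):  # <Exec> task inside a <Target>
            found.append(("Exec", elem.get("Command").strip()))
    return found

def flag_suspicious(commands):
    """Keep only (element, command, pattern) entries matching a triage pattern."""
    flagged = []
    for name, cmd in commands:
        hit = next((p for p in SUSPICIOUS if re.search(p, cmd, re.IGNORECASE)), None)
        if hit:
            flagged.append((name, cmd, hit))
    return flagged

# Constructed sample: one benign post-build copy, two commands worth a review.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>cscript //nologo "$(ProjectDir)setup.vbs"</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)out\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="BeforeBuild">
    <Exec Command="powershell -w hidden -enc PLACEHOLDER_BASE64" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for name, cmd, pat in flag_suspicious(find_build_commands(SAMPLE_CSPROJ)):
        print(f"[{name}] {cmd}  <-- matched {pat!r}")
```

Run it over every *.csproj and *.vcxproj in a freshly cloned repository (and over any .targets or .props files they import) and treat a non-empty result as a stop for human review before compiling.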
Enterprises should deploy endpoint detection and response solutions capable of identifying suspicious build-time executions. Trend Micro’s Vision One platform has been updated to detect and block the indicators of compromise associated with Water Curse. Additionally, network monitoring tools should flag unusual outbound connections to unknown domains during or after software builds.
Cryptocurrency users and developers should maintain strict separation between development environments and wallet management. Hardware wallets should be used for any significant holdings, and development machines should never store exchange credentials or private keys in browser sessions or configuration files.
Lessons Learned
Water Curse underscores a growing trend in the cybersecurity space: the blurring of lines between legitimate red team tooling and active malware distribution. The campaign exploits the fundamental trust that developers place in open-source ecosystems, turning GitHub — the world’s largest code hosting platform — into a delivery mechanism for sophisticated malware.
The financial motivation behind the campaign is clear. With session hijacking and credential theft capabilities, attackers can potentially access cryptocurrency exchange accounts, wallet extensions, and DeFi platforms. The group’s observed behaviors indicate goals such as credential theft, session hijacking, and the resale of illicit access — all of which have direct implications for the digital asset ecosystem.
User Action Required
Anyone who has recently downloaded open-source security tools, penetration testing utilities, or remote administration tools from GitHub should immediately scan their systems for indicators of compromise. Check for unexpected scheduled tasks, suspicious processes, and unauthorized outbound network connections. Rotate credentials for any accounts that may have been accessible from potentially compromised machines, and enable two-factor authentication on all cryptocurrency-related accounts.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
76 weaponized repos and nobody noticed until Trend Micro flagged it. the supply chain attack surface on open source is terrifying. if your build pipeline pulls from GitHub without checksum verification you're playing russian roulette
nuke_from_src 76 weaponized repos is terrifying. if your CI/CD pulls from GitHub without checksum verification you are exposed
The cost of a security breach always exceeds the cost of prevention
Mika is right but who pays for the audits? most small dev teams can't afford a proper security review. the cost of prevention only works if you have the budget for it
Arun small dev teams can't afford audits but they also can't afford a 100% breach. insurance and shared tooling are the middle ground
the cost asymmetry is the real problem. a proper audit costs $30K minimum. a supply chain attack costs almost nothing to execute. economics favor attackers heavily
30k audit vs free attack. small teams just cannot cover that cost gap without insurance mandates
0xSentry $30K audit vs free attack is the real ROI problem. most web3 projects spend more on marketing than security. until insurance mandates it nothing changes
The industry needs standardized security audit frameworks
Bridge security is still the weakest link in the ecosystem
not just bridges anymore. this Water Curse thing proves the attack vector shifted to dev tooling. poison the build process and every downstream user is compromised
76 weaponized repos and most devs still npm install without checking signatures. the PreBuildEvent vector is nasty because it runs before you even look at the code
PreBuildEvent running before you even read the code is brutal. CI pinning commit hashes instead of branch refs would have caught most of these
76 weaponized repos on github. prebuildevent running before anyone reads the code is such a nasty vector
build_hardened_ pinning commit hashes should be the default in every CI template. npm still resolves by tag which is insane in 2026
76 weaponized repos on github and devs still pip install without checking hashes. the PreBuildEvent vector alone should have killed unsigned builds by now