That 'official' download you found on GitHub might be handing over your passwords
Search for a popular app - a crypto wallet, a security tool, a PDF editor - and one of the top results looks perfect: a tidy GitHub page, an official-looking logo, a big download button. GitHub is where real developers publish real software, so it feels trustworthy. That instinct is exactly what a campaign running since late June is built to abuse.
Researchers at Arctic Wolf counted at least 292 fake GitHub pages set up since June 26, each dressed up to impersonate a well-known brand - security products, crypto wallets and exchanges, finance apps, developer tools, secure email, even gaming software. They're tuned to rank in search results, so you find them by searching for the software you already wanted. The page's README carries a slick "secure download" link with fake trust badges, and it leads to a file that isn't the app at all.
What lands is a smash-and-grab infostealer: it runs once, scoops up everything it can and disappears. In a single pass it grabs saved passwords and cookies from more than 19 browsers, targets 41 cryptocurrency wallet locations, lifts Discord, Steam and Telegram logins, empties the Windows Credential Manager and even takes screenshots - then ships the lot to a server abroad.
A few habits keep you clear of it. Get software from the maker's own website, not whatever tops a search. Treat a brand-new GitHub repo with almost no history as suspect, and remember that a genuine installer never asks you to run an .exe straight out of a ZIP. Tendvane leans on the same principle: its app updates come through Windows' own package manager (winget) rather than random download pages, and its Safety check flags unexpected startup programs and browser add-ons if something ever does slip through.