HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Fake GitHub & SourceForge Installers Distribute Deno‑Based RAT (DinDoor)

LiveThreat™ Intelligence · 📅 May 26, 2026· 📰 malwarebytes.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
HIGH
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
malwarebytes.com

Fake GitHub & SourceForge Installers Distribute Deno‑Based RAT (DinDoor)

What Happened

Attackers uploaded counterfeit installers and plugins that masquerade as popular AI, audio‑production, and gaming tools on GitHub and SourceForge. Compromised YouTube channels funnel users to these repositories, where malicious MSI files or PowerShell scripts install the Deno JavaScript runtime via Scoop or WinGet and drop the DinDoor backdoor—a stealthy remote‑access Trojan capable of executing additional payloads and exfiltrating browser data, crypto‑wallet credentials, and other application data.

Why It Matters for TPRM

  • Supply‑chain risk: Legitimate code‑hosting platforms are being abused to deliver malware, undermining trust in open‑source distribution channels.
  • Detection evasion: Use of the Deno runtime (and Bun) bypasses many traditional AV/EDR signatures that focus on Node.js or native binaries.
  • Data exposure: The RAT can harvest sensitive credentials and exfiltrate them via a peer‑to‑peer channel that leverages Microsoft Edge, increasing the attack surface for downstream vendors.

Who Is Affected

  • AI‑tool developers and users (e.g., ChatGPT, Claude, AutoTune)
  • Audio‑software vendors and creators (Ableton Live, Kontakt, etc.)
  • Gaming and multimedia developers (GearUP, other indie tools)
  • Enterprises that allow employees to download and install software from public repositories (tech, media, finance, gaming, education)

Recommended Actions

  • Audit any third‑party tools sourced from GitHub, SourceForge, or similar public repos; enforce signed‑installer policies.
  • Validate endpoint monitoring for unexpected Deno or Bun runtimes and for Scoop/WinGet activity.
  • Request detailed incident‑response disclosures from affected vendors and update your supply‑chain risk registers.
  • Educate users about the danger of “unofficial” installers promoted via YouTube or other social channels.

Technical Notes

  • Attack vector: Malicious MSI/PowerShell scripts hosted on GitHub/SourceForge, delivered via compromised YouTube links; installation of Deno via Scoop or WinGet.
  • CVEs: None reported in the public analysis.
  • Data types exposed: Browser cookies/password stores, cryptocurrency wallet files, application configuration data, and any files the RAT can access on the compromised host.

Source: https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-github-and-sourceforge-distribute-deno-rat

📰 Original Source
https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-github-and-sourceforge-distribute-deno-rat

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →