Fake GitHub & SourceForge Installers Distribute Deno‑Based RAT (DinDoor)
What Happened
Attackers uploaded counterfeit installers and plugins that masquerade as popular AI, audio‑production, and gaming tools on GitHub and SourceForge. Compromised YouTube channels funnel users to these repositories, where malicious MSI files or PowerShell scripts install the Deno JavaScript runtime via Scoop or WinGet and drop the DinDoor backdoor—a stealthy remote‑access Trojan capable of executing additional payloads and exfiltrating browser data, crypto‑wallet credentials, and other application data.
Why It Matters for TPRM
- Supply‑chain risk: Legitimate code‑hosting platforms are being abused to deliver malware, undermining trust in open‑source distribution channels.
- Detection evasion: Use of the Deno runtime (and Bun) bypasses many traditional AV/EDR signatures that focus on Node.js or native binaries.
- Data exposure: The RAT can harvest sensitive credentials and exfiltrate them via a peer‑to‑peer channel that leverages Microsoft Edge, increasing the attack surface for downstream vendors.
Who Is Affected
- AI‑tool developers and users (e.g., ChatGPT, Claude, AutoTune)
- Audio‑software vendors and creators (Ableton Live, Kontakt, etc.)
- Gaming and multimedia developers (GearUP, other indie tools)
- Enterprises that allow employees to download and install software from public repositories (tech, media, finance, gaming, education)
Recommended Actions
- Audit any third‑party tools sourced from GitHub, SourceForge, or similar public repos; enforce signed‑installer policies.
- Validate endpoint monitoring for unexpected Deno or Bun runtimes and for Scoop/WinGet activity.
- Request detailed incident‑response disclosures from affected vendors and update your supply‑chain risk registers.
- Educate users about the danger of “unofficial” installers promoted via YouTube or other social channels.
Technical Notes
- Attack vector: Malicious MSI/PowerShell scripts hosted on GitHub/SourceForge, delivered via compromised YouTube links; installation of Deno via Scoop or WinGet.
- CVEs: None reported in the public analysis.
- Data types exposed: Browser cookies/password stores, cryptocurrency wallet files, application configuration data, and any files the RAT can access on the compromised host.
Source: https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-github-and-sourceforge-distribute-deno-rat