Hexastrike Blog
Cloned, Loaded, and Stolen: How 109 Fake GitHub Repositories Delivered SmartLoader and StealC
Executive Summary After someone impersonated one of our recent projects, PyrsistenceSniper, on GitHub, we uncovered a broader malware distribution campaign built around cloned open source repositories. The operator copies legitimate projects, republishes them under different accounts, strips the README of its technical content, and replaces it with prominent download buttons. Those buttons point to ZIP files hidden inside the repository tree rather than to GitHub releases or tagged source packages. The source code is usually left mostly intact. That is what
Reddit TradingView Lures Leading to Vidar and AMOS Stealers
While handling recent stealer infections, we traced the initial compromise back to Reddit. A threat actor had been operating across several subreddits, some hijacked from legitimate communities and others purpose-built, using a mix of compromised and freshly created Reddit accounts to push malicious software disguised as cracked TradingView Premium builds. Based on overlapping language patterns, shared infrastructure and nearly identical post templates, we assess with high confidence that a single threat actor is behind this campaign. The infection chain itself
Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK
Executive Summary On March 27, 2026 at roughly 03:51 UTC, threat actor TeamPCP uploaded two malicious versions (4.87.1 and 4.87.2) of the telnyx Python SDK to PyPI. The package pulls approximately 750,000 monthly downloads, and the blast radius extends well beyond the package itself to every downstream project that depends on it. PyPI quarantined both versions after roughly four hours of exposure. The attack is surgical. A small amount of malicious code was injected into the package, and it executes