News
Hackers Turn SourceForge into Malware Delivery Vehicle in Cryptocurrency Scheme
<p class="" data-start="245" data-end="420">A fake Microsoft Office add-in project posted on SourceForge has been caught installing malware that mines and steals cryptocurrency from unsuspecting users, mostly in Russia.</p>
<p class="" data-start="422" data-end="566">The scheme abused SourceForge’s trusted platform to gain visibility and legitimacy, exposing over 4,600 machines to risk before being shut down.</p>
<h2 class="" data-start="568" data-end="617">SourceForge Exploited in Rare Malware Campaign</h2>
<p class="" data-start="619" data-end="868">It’s not every day you hear SourceForge mentioned in a cyberattack. The platform’s been around for years, loved by open-source communities for its transparency and accessibility. But those same features? Yeah, they left the door wide open this time.</p>
<p class="" data-start="870" data-end="1143">Kaspersky says it recently flagged a project masquerading as a Microsoft Office add-in tool—called &#8220;officepackage&#8221;—that tricked users into downloading malware. The project got indexed by search engines, so anyone Googling “office add-ins” could stumble right into the trap.And that’s exactly what happened.</p>
<p class="" data-start="1180" data-end="1382">More than 4,600 systems were compromised. Most of them were in Russia, but that doesn’t mean it couldn’t have spread further. It’s just that the campaign got caught relatively early, before it exploded.</p>
<p data-start="1180" data-end="1382"><a href="https://www.theibulletin.com/wp-content/uploads/2025/04/sourceforge-malware-attack-office-addins.jpg"><img class="aligncenter size-full wp-image-57181" src="https://www.theibulletin.com/wp-content/uploads/2025/04/sourceforge-malware-attack-office-addins.jpg" alt="sourceforge malware attack office addins" width="1196" height="820" /></a></p>
<h2 class="" data-start="1384" data-end="1428">The Bait: A Familiar-Looking Project Page</h2>
<p class="" data-start="1430" data-end="1493">So how did it work? Simple trick, really. But deadly effective.</p>
<p class="" data-start="1495" data-end="1736">The attackers cloned Microsoft’s legitimate GitHub project ‘Office-Addin-Scripts’ and put it on SourceForge under the name &#8220;officepackage.&#8221; They didn’t just copy the files—they lifted the project description, too. Basically, it looked legit.</p>
<p class="" data-start="1738" data-end="2018">Even worse, SourceForge gives every project owner access to a separate hosted webpage under a subdomain. The attackers used “officepackage.sourceforge.io” to build a convincing-looking landing page. It even had those familiar “Download” buttons you&#8217;d expect from a tool like this.</p>
<p class="" data-start="2020" data-end="2123">Click one of those? You get a zip file with a password-protected archive. Inside that archive: trouble.</p>
<h2 class="" data-start="2125" data-end="2164">Here&#8217;s Where Things Go Off the Rails</h2>
<p class="" data-start="2166" data-end="2302">The payload? An MSI file ballooned to 700MB. That’s not because it needed to be—nope. That’s just a sneaky way to dodge antivirus scans.</p>
<p class="" data-start="2304" data-end="2539">Once installed, this oversized file unpacks and runs a whole script chain that eventually downloads batch files from GitHub. Those scripts set up persistence, tweak registry settings, and install several sketchy components. Among them:</p>
<ul data-start="2541" data-end="2698">
<li class="" data-start="2541" data-end="2564">
<p class="" data-start="2543" data-end="2564">An AutoIT interpreter</p>
</li>
<li class="" data-start="2565" data-end="2623">
<p class="" data-start="2567" data-end="2623">A reverse shell tool masquerading as a Windows component</p>
</li>
<li class="" data-start="2624" data-end="2698">
<p class="" data-start="2626" data-end="2698">Two DLLs: one to mine cryptocurrency, the other to hijack clipboard data</p>
</li>
</ul>
<p class="" data-start="2700" data-end="2740">So yeah, it’s not just a one-trick pony.</p>
<h2 class="" data-start="2742" data-end="2784">Clipper and Crypto Miner: The Nasty Duo</h2>
<p class="" data-start="2786" data-end="2837">This is where the payload starts doing real damage.</p>
<p class="" data-start="2839" data-end="3023">One of the DLL files starts mining crypto—using your computer’s power, for someone else’s wallet. You won’t know until your fans start working overtime and your electricity bill jumps.</p>
<p class="" data-start="3025" data-end="3245">The second payload is sneakier. It’s called a “clipper.” Basically, it watches your clipboard. If you copy a crypto wallet address—say, to send money—it silently swaps it with the attacker’s address before you hit paste.</p>
<p class="" data-start="3247" data-end="3426">And if that wasn’t enough? The whole setup phones home via Telegram’s API. So the attacker gets your system info—and they can send more malicious files whenever they feel like it.</p>
<h2 class="" data-start="3428" data-end="3473">SourceForge Responds: We Shut It Down Fast</h2>
<p class="" data-start="3475" data-end="3557">The good news? SourceForge pulled the malicious project once they were made aware.</p>
<p class="" data-start="3559" data-end="3624">Logan Abbott, SourceForge’s President, told <em data-start="3603" data-end="3621">BleepingComputer</em>:</p>
<p class="" data-start="3627" data-end="3784">“There were no malicious files hosted on SourceForge&#8230; the malicious actor and project in question were removed almost immediately after it was discovered.”</p>
<p class="" data-start="3786" data-end="4001">He emphasized that all files on the main SourceForge.net domain are scanned for malware. Still, they’ve tightened things up—project subdomains can no longer link to shady external files or use redirects. That’s new.</p>
<p class="" data-start="4003" data-end="4049">Here’s what was particularly dangerous though:</p>
<div class="pointer-events-none relative left-[50%] flex w-[100cqw] translate-x-[-50%] justify-center *:pointer-events-auto">
<div class="tableContainer horzScrollShadows">
<table class="min-w-full" data-start="4051" data-end="4430">
<thead data-start="4051" data-end="4072">
<tr data-start="4051" data-end="4072">
<th data-start="4051" data-end="4061">Element</th>
<th data-start="4061" data-end="4072">Details</th>
</tr>
</thead>
<tbody data-start="4094" data-end="4430">
<tr data-start="4094" data-end="4143">
<td class="" data-start="4094" data-end="4112">Platform Abused</td>
<td class="" data-start="4112" data-end="4143">SourceForge (via subdomain)</td>
</tr>
<tr data-start="4144" data-end="4202">
<td class="" data-start="4144" data-end="4162">Malware Payload</td>
<td class="" data-start="4162" data-end="4202">Clipper, Crypto Miner, Reverse Shell</td>
</tr>
<tr data-start="4203" data-end="4275">
<td class="" data-start="4203" data-end="4221">Infection Chain</td>
<td class="min-w-[calc(var(--thread-content-max-width)/3)]" data-start="4221" data-end="4275">MSI → Batch scripts → Registry edits → Persistence</td>
</tr>
<tr data-start="4276" data-end="4335">
<td class="" data-start="4276" data-end="4294">Infection Count</td>
<td class="" data-start="4294" data-end="4335">Over 4,604 systems (mostly in Russia)</td>
</tr>
<tr data-start="4336" data-end="4364">
<td class="" data-start="4336" data-end="4351">Discovery By</td>
<td class="" data-start="4351" data-end="4364">Kaspersky</td>
</tr>
<tr data-start="4365" data-end="4430">
<td class="" data-start="4365" data-end="4386">SourceForge Status</td>
<td class="" data-start="4386" data-end="4430">Project removed, new safeguards in place</td>
</tr>
</tbody>
</table>
</div>
</div>
<h2 class="" data-start="4432" data-end="4476">Why This Scare Matters More Than It Seems</h2>
<p class="" data-start="4478" data-end="4616">This attack wasn’t just another phishing email or shady app. It used a platform many people trust—and trust is hard to earn, easy to lose.</p>
<p class="" data-start="4618" data-end="4822">The hackers didn’t break into anything. They didn’t exploit some zero-day vulnerability. They just… signed up and uploaded malware like they were releasing an open-source tool. That’s how low the bar was.</p>
<p class="" data-start="4824" data-end="4921">And for users? Searching for a harmless Office add-in turned into a full-blown system compromise.This is a wake-up call.</p>
<h2 class="" data-start="4948" data-end="4991">What Users Can Actually Do to Stay Safer</h2>
<p class="" data-start="4993" data-end="5168">So yeah, it’s easy to wag the finger and say “just be careful online.” But let’s be real—this stuff’s getting sneakier. Still, there <em data-start="5126" data-end="5131">are</em> a few solid tips that go a long way:</p>
<ul data-start="5170" data-end="5535">
<li class="" data-start="5170" data-end="5250">
<p class="" data-start="5172" data-end="5250">Don’t download software from random project sites, even if they <em data-start="5236" data-end="5242">look</em> legit</p>
</li>
<li class="" data-start="5251" data-end="5322">
<p class="" data-start="5253" data-end="5322">Prefer official sources—like Microsoft’s GitHub for developer tools</p>
</li>
<li class="" data-start="5323" data-end="5383">
<p class="" data-start="5325" data-end="5383">Always scan files before opening, even if they’re zipped</p>
</li>
<li class="" data-start="5384" data-end="5450">
<p class="" data-start="5386" data-end="5450">Keep your antivirus updated. It’s boring advice. But it helps.</p>
</li>
<li class="" data-start="5451" data-end="5535">
<p class="" data-start="5453" data-end="5535">If a download asks for a password right away… maybe pause and rethink that click</p>
</li>
</ul>
<p class="" data-start="5537" data-end="5703">One more thing: If your machine suddenly starts lagging hard, check Task Manager. If something sketchy’s hogging your CPU? Yeah, you might be mining for someone else.</p>

Sony Hints at Potential PS Plus Price Tweaks to Boost Profit Margins
Google Blames API Mishap for Global Cloud Outage That Disrupted Billions of Requests
Selena Gomez Shares Tearful Birthday Tribute to Sister Gracie, Reveals Her Adorable Taylor Swift Obsession
Dogecoin Drops 9% After SEC Delays Bitwise DOGE ETF Decision
OpenAI Slashes ChatGPT o3 API Prices by 80% Without Hurting Performance
Apple and LEGO Show How Focus Beats Diversification
Atari’s Rollercoaster: From Pong Glory to Desert Burial
Kim Soo Hyun and Kim Sae Ron Controversy Sparks Over 10 Police Investigations Amid Legal Showdown
Joe Biden Diagnosed With Aggressive Prostate Cancer That Has Spread to Bones
Budget Friendly Ways to Stop Hair Loss Naturally
-
News4 months agoTaiwanese Companies Targeted in Phishing Campaign Using Winos 4.0 Malware
-
News2 months agoJustin Baldoni Hits Back at Ryan Reynolds, Calling Him a “Co-Conspirator” in Blake Lively Legal Battle
-
News4 months agoApple Shuts Down ADP for UK iCloud Users Amid Government Backdoor Demands
