[SmartLoader MALWARE pattern] README links point to ZIP with obfuscated LUA code + luajit.exe

[eMPee584]

Select Topic Area

Show & Tell

Body

I've noticed several of these recently, and it seems not to be stopping. Here are two example repos (both reported today):

https://github.com/Nguyenta1531/Seed3D
https://github.com/Momm0/Multi-column-dock

While the former one was created anew, the latter one is a fork of some other repo with the last commits changing the links to a ZIP file that was uploaded that contains files such as

Launcher.cmd
license.txt
lua51.dll
luajit.exe

With the actual (obfuscated) code in the license.txt and the launcher.cmd just invoking that with the lua runtime. I couldn't find a topic about this on here, but several blogs and security analyses from 2025:

• https://www.trendmicro.com/en/research/25/c/ai-assisted-fake-github-repositories.html
• https://www.securityblue.team/blog/posts/jit-happens-exposing-luajit-malware-in-the-wild
• https://medium.com/@prasana.lotke/smartloader-malware-using-lua-jit-to-push-infostealers-9b8faf1bd02a

Here's an illustration of how these things work:

So please be aware of this trend everyone!

@github: at least you should actively search for existing repos where links point to ZIP files containing a luajit.exe ... and probably monitor security sites for reports about malware spread via github...

[queenofcorgis]

Hi @eMPee584 👋🏼 We really appreciate you flagging this. The best route to get this to the proper GitHub team is to use our abuse reporting tools. Here's all the info:

• Reporting abuse or spam
• Reporting a user
• Reporting an issue or pull request
• Reporting a repository
• Reporting a comment

You can report behavior and content that violates community guidelines and terms. I am going to close this post, but for this and any future incidents, please refer to those links.

Thank you!