https://www.virustotal.com/gui/file/3f22e6637 … ed68148f483c545
Somehow, the only reason it ended up on VirusTotal is me. 😀
An arbitrary ZIP inserted into the source tree, and the malicious author force-pushes the same commit multiple times a day to inflate his contribution count; a legitimate developer would totally do that. /s
The repo was published as new, bypassing the fork function (a valid way to go in some cases, but with ill intent in this case); the readme was changed to direct the user to the malicious payload; the ZIP itself contains a Lua interpreter, an obfuscated script and a CMD file to invoke the Lua interpreter to execute the script. The script silently generates additional executables and installs scheduled tasks to run them.
That report on VirusTotal is not complete; it doesn't answer the question of what the generated executables do.
And that POS appears at the top of popular search engines while the legitimate repo is hidden from plain sight. 😠 Though I haven't figured out Gradle / Java to get it to run...
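A defender-side heuristic for the archive layout the post above describes (Lua interpreter + CMD launcher + obfuscated script bundled in one ZIP), added here as an illustration and not code from the post or from the repo in question; the file-name patterns, the entropy threshold and the constructed sample archive are assumptions:

```python
import io
import math
import re
import zipfile

# Heuristic scanner for the delivery pattern described in the post: an archive
# bundling a Lua interpreter, a .cmd launcher that invokes it, and an obfuscated
# .lua script. The name patterns and entropy threshold are assumptions.
LUA_INTERP = re.compile(r"(^|/)lua[\d.]*\.exe$", re.I)
CMD_LAUNCHER = re.compile(r"\.(cmd|bat)$", re.I)
LUA_SCRIPT = re.compile(r"\.lua$", re.I)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encoded text sits well above readable Lua source."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_zip(blob: bytes, entropy_threshold: float = 5.0) -> dict:
    """Report which of the three indicators the archive carries, plus a verdict."""
    found = {"lua_interpreter": False, "cmd_invokes_lua": False, "obfuscated_lua": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if LUA_INTERP.search(name):
                found["lua_interpreter"] = True
            elif CMD_LAUNCHER.search(name):
                # Launcher text is small; look for an interpreter invocation in it.
                if "lua" in zf.read(info).decode("utf-8", "replace").lower():
                    found["cmd_invokes_lua"] = True
            elif LUA_SCRIPT.search(name):
                if shannon_entropy(zf.read(info)) >= entropy_threshold:
                    found["obfuscated_lua"] = True
    # Only the full combination is flagged; any single file is unremarkable on its own.
    found["suspicious"] = all(v for k, v in found.items())
    return found

def build_sample_zip() -> bytes:
    """Constructed sample mirroring the post's description; not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("run/lua54.exe", b"MZ" + bytes(64))           # stand-in interpreter
        zf.writestr("run/start.cmd", "@echo off\r\nlua54.exe main.lua\r\n")
        zf.writestr("run/main.lua", bytes(range(256)) * 4)         # high-entropy stand-in
    return buf.getvalue()
```

Real obfuscated Lua may use low-entropy escape sequences rather than packed bytes, so treat the entropy check as one signal to tune against your own samples, not a verdict on its own.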