Massive Cross-Platform Supply Chain Attack
A Russian state-sponsored APT group dubbed ChainReaver-L has executed one of the most sophisticated supply chain attacks of 2026, compromising trusted file-sharing mirror sites and 50 long-established GitHub accounts to distribute infostealer malware targeting Windows, macOS, and iOS platforms simultaneously.
The attack infrastructure spans over 100 domains and leverages the inherent trust users place in established software distribution channels.
Attack Overview
| Field | Details |
|---|---|
| Threat Actor | RU-APT-ChainReaver-L |
| Attribution | Russian state-sponsored |
| Platforms Targeted | Windows, macOS, iOS |
| GitHub Accounts Compromised | 50 (hijacked November 2025) |
| Mirror Sites Compromised | Mirrored.to, Mirrorace.org |
| Infrastructure | 100+ attacker-controlled domains |
| Malware Families | MacSync Stealer, Windows infostealer, iOS phishing VPN apps |
Platform-Specific Attack Chains
Windows
1. User downloads software from compromised mirror or GitHub
2. Password-protected archive delivered via MediaFire/Dropbox
3. Archive contains signed malware binary
4. Infostealer harvests browser credentials, crypto wallets, SSH keys
5. Data exfiltrated to C2 infrastructure
The Windows payloads use legitimate code-signing certificates to bypass SmartScreen and antivirus detections.
macOS
1. User encounters ClickFix-style social engineering lure
2. Lure tricks user into opening Terminal
3. Terminal command installs "MacSync Stealer"
4. Stealer targets Keychain, browser data, crypto wallets
5. Exfiltration via encrypted channels
The macOS attack reuses the ClickFix technique: fake error dialogs instruct users to paste commands into Terminal.
iOS
1. User directed to fraudulent VPN app on App Store
2. App passes initial App Store review via delayed payload
3. VPN app launches in-app phishing for Apple ID credentials
4. Stolen credentials used for account takeover
GitHub Account Hijacking
The 50 compromised GitHub accounts were mostly hijacked in November 2025 through a combination of:
- Credential stuffing using data from previous breaches
- Session token theft via browser infostealer malware
- Phishing campaigns targeting developers with fake GitHub notification emails
The hijacked accounts were specifically chosen because they:
- Had years of legitimate activity (establishing trust)
- Maintained popular repositories with existing star counts
- Were associated with verified developer identities
Malicious code was injected into existing releases and new repositories were created under trusted account names.
Indicators of Compromise
Network Indicators
Organizations should block and monitor for connections to:
- Mirrored.to and Mirrorace.org (compromised mirrors)
- MediaFire and Dropbox links distributing password-protected archives
- The 100+ domains identified in the ChainReaver infrastructure
Endpoint Indicators
- Windows: Look for recently installed binaries with unusual code-signing certificates
- macOS: Check for MacSync processes or LaunchAgents
- iOS: Audit installed VPN applications for unknown publishers
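As an added illustration of the macOS endpoint check above (example code written for this brief, not tooling from the report or the threat actor's artifacts): it parses launchd plists with plistlib, flags any whose label or command line references MacSync or runs code from a temporary directory, and writes two constructed sample plists to a scratch directory to show the output. The indicator term list and the set of "unusual" path prefixes are assumptions, not values from the report.

```python
import plistlib
import tempfile
from pathlib import Path

INDICATOR_TERMS = ("macsync",)  # family name from the report's endpoint indicators
UNUSUAL_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")  # assumption

def audit_launch_agent(path):
    """Return the reasons this launchd plist looks suspicious (empty list if clean)."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # a malformed plist in LaunchAgents is itself worth a look
        return [f"unparseable plist: {exc}"]
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    haystack = " ".join([str(plist.get("Label", "")), program, *args]).lower()
    reasons = []
    if any(term in haystack for term in INDICATOR_TERMS):
        reasons.append("label or command line references MacSync")
    if any(item.startswith(UNUSUAL_PREFIXES) for item in [program, *args]):
        reasons.append("runs code from a temporary or shared directory")
    return reasons

def audit_directory(directory):
    """Audit every .plist in a LaunchAgents/LaunchDaemons directory; return (name, reasons)."""
    return [(p.name, r) for p in sorted(Path(directory).glob("*.plist"))
            if (r := audit_launch_agent(p))]

def build_sample_directory():
    """Write two constructed sample plists (one benign, one MacSync-like) to a temp dir."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
            "RunAtLoad": True},
        "com.apple.macsync.agent.plist": {  # constructed; mimics the report's indicator
            "Label": "com.apple.macsync.agent",
            "ProgramArguments": ["/bin/zsh", "-c", "/tmp/.macsync/run"],
            "RunAtLoad": True},
    }
    for name, content in samples.items():
        with open(d / name, "wb") as fh:
            plistlib.dump(content, fh)
    return d

if __name__ == "__main__":
    for name, reasons in audit_directory(build_sample_directory()):
        print(name, "->", "; ".join(reasons))
```

On a real host, point audit_directory at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; the sample directory exists only to show the output format.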
Recommendations
- Audit software sources — Verify all recent downloads from GitHub and mirror sites against known-good hashes
- Review GitHub dependencies — Check if any project dependencies use repositories from the compromised accounts
- Enable GitHub commit signing — Require GPG-signed commits to detect unauthorized changes
- Block mirror sites — Consider blocking file-sharing mirror sites at the network perimeter
- macOS hardening — Disable Terminal execution from browser-initiated prompts
- iOS audit — Review all installed VPN applications and remove any from unknown publishers