Introduction
Cybersecurity researchers have identified a new campaign that uses GitHub-hosted Python repositories to distribute a Remote Access Trojan (RAT) known as PyStoreRAT. The malware targets IT professionals and analysts by masquerading as legitimate development utilities and OSINT tools.
Key Details
- Who: Researchers from Morphisec.
- What: A new JavaScript-based RAT called PyStoreRAT that can execute multiple payload formats, including EXE, DLL, and PowerShell.
- When: Signs of the campaign first appeared in mid-June 2025 and have continued into late 2025.
- Where: Distributed via GitHub and promoted across social media platforms.
- Why: PyStoreRAT exploits the trust inherent in GitHub to infect users while maintaining a low profile.
- How: It operates by downloading a remote HTA file for execution and employs several techniques to remain undetected, such as fake commits and timed payload delivery.
Why It Matters
This development poses significant risks to enterprise security because PyStoreRAT:
- Targets OSINT tools widely adopted by security analysts, compromising their integrity.
- Infiltrates corporate environments via seemingly benign repositories, undermining security protocols.
- Collects sensitive data, particularly related to cryptocurrency wallets and antivirus products, potentially leading to data theft and operational disruption.
Takeaway for IT Teams
IT managers and system administrators should prioritize vigilance when sourcing and deploying open-source tools, especially from repositories on GitHub. Regular audits of installed software and ongoing employee education about the risks of downloading from unverified sources can mitigate the threat from such malware campaigns.
Stay updated on cybersecurity threats and best practices to ensure your organization’s infrastructure remains secure. For more curated news and infrastructure insights, visit TrendInfra.com.