fake jay0lee account on git hub, gyb.exe 0 day trojan alert.


Tom B

Jul 31, 2022, 3:46:45 PM
to Got Your Back: Gmail Backup
FYI - this one got by my Comodo AV software scan on July 24th and is now reported as a trojan. Looks like GitHub has already detected the infection and removed some of the content.

I'm dealing with the fallout now. 

If you were using the code uploaded to GitHub as explained below between July 10th and July 29th when this scam was active, please check all your personal systems for unauthorized access that may have been granted to the perpetrators.

Here are the details; note the difference in these user account names with GitHub's native font vs a Courier font.


Now in courier new font
fake jay0lee
https://github.com/jay0Iee

legit jay0lee
https://github.com/jay0lee


Here's the link to where the trojan was downloaded by me on July 24th.


That page and fake account is still hosted on github as of 7/31/2022 12:30 PM EDST but the actual file I downloaded gyb-1.70-windows-x86_64.zip is not currently present on that repository.

It was posted by a new account created about a month ago which spoofs the legitimate user. They stole his profile picture and created an account that has changed one single letter, which is undetectable because of the GitHub sans serif type font.

FAKE jay0<upper case "I">ee looks identical to LEGIT jay0<lower case "l">ee on the website, but you can see it clearly if you cut and paste into Notepad++.

Today I have revisited the legitimate project space for the real GYB code, (https://github.com/GAM-team/got-your-back/wiki) and see it was edited yesterday by jason-nyc, (https://github.com/jason-nyc) assuming someone detected the link was hijacked.

When I visited this page on the 24th, the link on that page directed me to the trojan (it's fixed as of today).

Instead, the link on that page brought me to the infected download page hosted by the FAKE jay0Iee here https://github.com/jay0Iee/got-your-back/releases/tag/482d175

Apparently, this was still a zero-day trojan on the 24th because it passed a scan by Comodo security on that day, but after I discovered my info was compromised, I checked the file a second time and it was reported as a trojan 'malware@0'.

It was uploaded around July 20th, so anyone that was misdirected to the FAKE account page for the download and using it before July 29th may have been compromised in the same way.

Even if you were diligent and proactively scanned the file etc. it would have passed most virus scans in its early days until the trojan was detected and added to your AV company's database.

-Tom
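
The single-letter swap described in the post above (upper case "I" standing in for lower case "l") can be checked mechanically before a download link is followed. This is an added example, not part of the original thread and not code from the GYB project; the confusables table and the trusted-owner list are constructed assumptions, and the function names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed confusables table (not exhaustive): glyphs that render alike in
# sans-serif fonts, mapped to one representative character.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# Assumption: the owners this thread names as legitimate.
TRUSTED_OWNERS = {"jay0lee", "GAM-team"}


def github_owner(url):
    """Return the account segment of a github.com URL, or None for other hosts."""
    parts = urlparse(url)
    if (parts.hostname or "").lower() != "github.com":
        return None
    segments = [s for s in parts.path.split("/") if s]
    return segments[0] if segments else None


def skeleton(name):
    """Collapse look-alike glyphs, then fold case, so visually equal names compare equal."""
    return name.translate(CONFUSABLES).casefold()


def classify(url, trusted=TRUSTED_OWNERS):
    """Return 'trusted', 'lookalike' or 'unknown' for the owner in a GitHub URL."""
    owner = github_owner(url)
    if owner is None:
        return "unknown"
    # GitHub logins are case-insensitive, so the exact match uses folded names.
    if owner.casefold() in {t.casefold() for t in trusted}:
        return "trusted"
    # Not the real account, but it renders like one: the spoofing case.
    if skeleton(owner) in {skeleton(t) for t in trusted}:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in (
        "https://github.com/jay0lee",
        "https://github.com/jay0Iee/got-your-back/releases/tag/482d175",
        "https://github.com/GAM-team/got-your-back/wiki",
    ):
        print(f"{classify(link):9} {link}")
```

A "lookalike" result is the signal to stop and retype the owner name by hand rather than follow the link.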

Jay Lee

Jul 31, 2022, 3:48:59 PM
to Got Your Back: Gmail Backup
Thanks for reporting this.

I've locked down the GYB wiki so others cannot edit it.

I've also reported the fake user that is impersonating me to GitHub and others should also so it is taken down.

Jay


mario

Aug 2, 2022, 10:53:57 AM
to Got Your Back: Gmail Backup
Hi,

Thanks for reporting!
Does somebody have further information regarding this incident? Is or was the Linux and/or Mac part also affected and if (...)?
So the best way is to make sure to delete the project and reset all Google passwords?

Thanks & Best