Lumma Stealer is one of the most actively distributed types of malicious software designed to stealthily collect confidential information from infected devices.
This software first appeared in 2022 and quickly gained popularity in hacker communities due to its high efficiency, flexibility, and ability to integrate into various delivery channels.
What is Lumma Stealer
The main function of Lumma Stealer is to steal user data. Once installed on the victim’s computer, the malware:
- extracts saved passwords from browsers and password managers;
- copies cookie files used for automatic authorization;
- steals data from cryptocurrency wallets like Metamask, Exodus, and others;
- collects contents of work and personal documents;
- accesses browser history and current sessions.
One of the key features that distinguishes Lumma Stealer from other similar tools is its technical foundation. The program is written in C, which makes it lightweight, fast, and difficult to detect using traditional antivirus tools. Additionally, the malware uses built-in encryption to protect transmitted data and actively employs evasion techniques, including anti-debugging, virtual environment checks, and the use of legitimate system components to mask its activity.
As distribution schemes such as GitHub and cloud services evolve, Lumma Stealer has become even more dangerous. Below, we take a closer look at how attackers use GitHub as a platform for delivering malware.
Attack scheme via GitHub
GitHub is the largest platform for storing and collaboratively developing code. Today, it is increasingly used by attackers as a delivery tool for malicious software — and Lumma Stealer is no exception. The attack is cleverly structured and multi-layered, combining both technical and social engineering methods.
Let’s break down the key stages of the scheme:
1. Mass publication of malicious comments
Hackers have automated the process of posting malicious messages to popular repositories on GitHub. They leave comments on commits, issues, or pull requests, attaching links to supposedly helpful scripts, updates, or exploits.
In reality, these links lead to malicious Lumma Stealer builds, which are downloaded from external resources or disguised as source code hosted on GitHub Pages or in the Releases section.
These comments are often generated by bots and target hundreds of repositories within a short time, increasing the likelihood that someone will click the link and download the malware.
2. Use of GitHub Releases infrastructure
GitHub Releases is an official mechanism for storing and distributing binaries such as software builds. Hackers actively exploit this. They upload executables disguised as updates for popular libraries or tools. File names are carefully copied from official projects, which can mislead even experienced users.
This approach allows the malware to look highly legitimate and even bypass some security filters, since it’s downloaded from a trusted and widely used resource. This is how Lumma Stealer can reach a victim’s device.
3. Phishing emails with “vulnerability” notifications
Another part of the scheme involves social engineering. Victims receive phishing messages, supposedly from GitHub or library maintainers. The email reports a critical vulnerability in a library they are using and strongly recommends clicking a link to install a “fix.” That link leads either to a fake site resembling GitHub or directly to a compromised release in a repository.
This combination of technical infrastructure and social engineering makes Lumma Stealer especially dangerous. The user installs the malicious file themselves, thinking it's an update or official tool — and antivirus software, seeing a legitimate source, might not detect the threat.
Infection mechanisms and malware behavior
Infection begins immediately after the user downloads and runs the file. The following techniques are used:
- Disabling system protection. Lumma tries to turn off built-in Windows protection mechanisms such as SmartScreen and antivirus tools, as well as bypass User Account Control (UAC).
- Loading modules into memory. Many modules are loaded filelessly (without writing to disk), which makes them harder to detect.
- String and behavior encryption. The code encrypts data in memory, hiding its actions from behavioral analysis systems.
Precautionary measures and recommendations
Depending on the user’s area of activity, the following methods can help protect against the impact of this malware.
Since Lumma Stealer actively uses trusted resources and mechanisms, developers should pay particular attention to securing the software supply chain:
- conduct regular dependency audits;
- review commits and pull requests carefully;
- apply the principle of least privilege in access rights;
- monitor repository comments and Releases.
If you are not a developer but use GitHub and third-party tools, follow these rules:
- download software only from official sources;
- do not click suspicious links in emails or comments;
- use antivirus software with behavioral analysis functionality.
If there is even the slightest suspicion of infection, Lumma Stealer should be removed immediately using specialized tools.
Where to securely host projects and tools
Protecting your infrastructure and storing your projects securely starts with choosing a trusted hosting provider. PSB.Hosting offers a safe and reliable environment for working with DevOps, CI/CD, and Docker-based tools.
Benefits of PSB.Hosting:
- High-performance VPS with AMD Ryzen CPUs and fast NVMe SSDs
- Support for popular Linux distributions and Docker environments
- Instant deployment and full compatibility with Docker and Kubernetes
- Anti-DDoS protection and 24/7 technical support
If you work with GitHub, CI/CD, or open source projects and want to safeguard your infrastructure from similar threats — choose a platform where security and performance go hand in hand.
Conclusion
Lumma Stealer is an advanced information stealer, dangerous due to its stealth and varied delivery techniques. Its active distribution via GitHub demands heightened awareness and digital vigilance from both developers and users. Only timely security measures, along with caution when handling code and external sources, can help minimize the risk of data leaks.