Fake DeepSeek TUI GitHub repository used to distribute malware targeting developers and AI users

Security researchers have identified a malware campaign that abuses fake GitHub repositories impersonating the DeepSeek TUI AI tool. The attackers lure users into downloading malicious archives disguised as legitimate AI software, and also trade on other trending names such as Claude, Grok, and WormGPT. Because the repositories impersonate a known project, the project name alone is not a trust signal: the archive should be obtained from the publisher's verified account, not from whichever repository ranks first in search.


Once executed, the malware checks whether it is running in a sandbox or analysis environment, disables Windows Defender protections, and drops multi-stage payloads. It relies on PowerShell scripts, registry modifications, and scheduled tasks to keep long-term access to the system, and exfiltrates data to external servers and Telegram channels. Each of those steps leaves endpoint telemetry (process creation, registry value writes, task creation, DNS lookups) that can be used to catch the infection even after the initial download has slipped past the user.
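The behaviours listed above can be turned into simple triage rules. The following is an added example written for this page, not code from the article, NPAV, or the campaign itself. It assumes Sysmon-style telemetry (Event ID 1 process creation, 13 registry value set, 22 DNS query) and scores a host as suspicious only when more than one technique family (defense evasion, persistence, exfiltration) appears, since any single indicator, such as a lookup of api.telegram.org, is common on developer machines. The event records are constructed samples, not artefacts recovered from the campaign.

```python
"""Added example: triage rules for the evasion, persistence and exfiltration
behaviours described in the article. Editor's illustration, not vendor or
campaign code. Event records below are constructed, Sysmon-shaped samples."""

import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-style event: 1 = process create, 13 = registry value set, 22 = DNS query."""
    event_id: int
    image: str = ""
    command_line: str = ""
    target_object: str = ""
    query_name: str = ""


# Defender tampering: realtime protection switched off or exclusions added.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion", re.IGNORECASE)
# Scheduled task creation from the command line.
SCHTASKS = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
# PowerShell launched hidden, with an encoded command, or with policy bypass.
PS_EVASION = re.compile(
    r"-(windowstyle\s+hidden|w\s+hidden|encodedcommand\b|enc\b|executionpolicy\s+bypass|ep\s+bypass)",
    re.IGNORECASE,
)
# Autostart registry locations.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Each finding maps to a technique family; the verdict needs two distinct families.
FAMILY = {
    "defender-tamper": "defense-evasion",
    "powershell-evasion": "defense-evasion",
    "schtask-persistence": "persistence",
    "runkey-persistence": "persistence",
    "telegram-c2": "exfiltration",
}


def classify(ev: Event) -> list[str]:
    """Return the findings a single event triggers (possibly several, in rule order)."""
    findings = []
    if ev.event_id == 1:
        if DEFENDER_TAMPER.search(ev.command_line):
            findings.append("defender-tamper")
        if SCHTASKS.search(ev.command_line):
            findings.append("schtask-persistence")
        if "powershell" in ev.image.lower() and PS_EVASION.search(ev.command_line):
            findings.append("powershell-evasion")
    elif ev.event_id == 13 and RUN_KEY.search(ev.target_object):
        findings.append("runkey-persistence")
    elif ev.event_id == 22 and ev.query_name.lower() == "api.telegram.org":
        # Telegram's Bot API host; a weak signal on its own, so only scored in combination.
        findings.append("telegram-c2")
    return findings


def triage(events: list[Event]) -> dict[str, int]:
    """Count findings across a host's events."""
    counts: dict[str, int] = {}
    for ev in events:
        for f in classify(ev):
            counts[f] = counts.get(f, 0) + 1
    return counts


def is_suspicious(events: list[Event]) -> bool:
    """True when at least two distinct technique families are observed."""
    families = {FAMILY[f] for f in triage(events)}
    return len(families) >= 2


# Constructed sample telemetry (hypothetical paths and names, not campaign IOCs).
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line='powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
                       '-Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    Event(1, image=r"C:\Windows\System32\schtasks.exe",
          command_line='schtasks.exe /create /sc onlogon /tn "Updater" '
                       '/tr "C:\\Users\\dev\\AppData\\Roaming\\svc.exe" /f'),
    Event(13, image=r"C:\Users\dev\AppData\Roaming\svc.exe",
          target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event(22, image=r"C:\Users\dev\AppData\Roaming\svc.exe", query_name="api.telegram.org"),
    # Benign developer activity that must not fire.
    Event(1, image=r"C:\Program Files\Git\cmd\git.exe",
          command_line="git.exe clone https://github.com/example/repo.git"),
    Event(22, image=r"C:\Program Files\Git\cmd\git.exe", query_name="github.com"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print("suspicious:", is_suspicious(SAMPLE_EVENTS))
```

The rules are deliberately narrow string matches; in production they would sit on top of proper command-line normalisation (case, quoting, PowerShell aliases) and be joined by host and time window, but the combination logic is the point: a Defender change or a Telegram lookup alone is noise, both together on one developer workstation is worth a look.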

The campaign reflects a growing trend: AI-themed malware distributed to developers through trusted platforms such as GitHub, paired with evasion and persistence techniques that are built to outlast the initial infection.
Hackers are weaponizing trusted AI brands. NPAV EPS detects malicious installers, hidden payloads, and advanced malware behavior before damage begins.