Fake GitHub Repositories Target Retro Gaming Fans With Lumma Stealer Disguised as Homebrew Plugins
Attackers are luring PlayStation Vita and retro gaming enthusiasts with fake GitHub repositories that deliver Lumma Stealer and other malware disguised as legitimate homebrew plugins.

Retro gaming fans should be careful with GitHub projects that claim to be tools or plugins for their consoles. Attackers can disguise ordinary computer malware as homebrew software, and the technique works against any retro platform with an active modding scene, not just one console.
We recently looked at one example aimed at PlayStation Vita owners: a fake project that pretends to be a free audio tool but actually runs Windows malware on your computer. The project, called EQVita, looks like a normal homebrew plugin. It has a polished README, a download button, screenshots, and a tidy layout. But the file you download doesn't contain anything for a Vita at all. It contains three Windows files, and the harmless-looking text file among them is actually a hidden script that quietly connects to the attacker's server once you run it.
This isn't a one-off. Other researchers have observed attackers using fake GitHub repositories—dressed up with AI-generated descriptions—to spread a type of malware called SmartLoader, which then pulls in password and wallet-stealing malware such as Lumma Stealer. The EQVita download uses the same method, repackaged to appeal to retro gaming fans.
Take a look at the comparison below. On the left we have a fake GitHub repository, on the right a real one. There's even a small trick in the version number. The real EQVita is on version 1.10, while the fake is labeled 1.3. At a glance, 1.3 may appear newer—but it isn't. In software, 1.10 comes after 1.9, so the real project is the more up-to-date one. The fake just borrows a number that looks current.

Why this targets the Vita community
If you're not into retro consoles, the PS Vita might not mean much to you. But for a large and active community, it's a big deal, and that makes it a target. Even though Sony stopped making the Vita years ago, fans have kept it alive by writing their own software for it: emulators, file managers, and plugins. A modded Vita can run its own PSP games at full speed and emulate older systems like the SNES, Game Boy Advance, and Sega Genesis, which turns the handheld into a do-everything retro machine. In 2026 the scene is thriving, with active developers and even homebrew contests with cash prizes. That demand shows up in the price, too. With no new units made since 2019, working Vitas have become a sought-after retro item, and resale prices have climbed across the major marketplaces over the past year—the older OLED model, prized by modders for its firmware, has risen the most.

How the scam works
The download, EQ_Vita_v1.3.zip, contains three files: Launch.bat, luajit.exe, and x64.txt. Here's the clever part. luajit.exe is a real, harmless program that runs scripts. The batch file simply tells it to open x64.txt. Despite the .txt name, that file isn't text at all—it's a hidden script, and LuaJIT runs it. Calling it .txt is what makes it look harmless and easy to scroll past. Researchers found the same setup in the SmartLoader campaign: the only dangerous file in the download is the disguised script, and everything around it is legitimate. So nothing in the download looks dangerous on its own. There's no obvious installer and no scary-looking app—just a trusted tool being used to run someone else's code.
We watched what happened when it ran. First, the script checked where in the world the computer was. Then it quietly contacted a server on the internet and sent it data, using a web address scrambled into a meaningless-looking string. The server answered back. An audio plugin has no reason to do any of that. This is how a malware "loader" behaves: it phones home to the attacker's server to receive instructions and fetch its next piece of malware. In this campaign, that next piece is usually a stealer—malware that hunts for cryptocurrency wallets, saved browser passwords, and login codes. Malwarebytes blocks this threat, so protected users are stopped before the file can run.

How to spot the fake
Most Vita plugins are installed on the Vita, using tools like VitaShell or Autoplugin, and they come as Vita files (the kind ending in .skprx or .vpk). Some legitimate tools in the scene—installers, file-transfer helpers, build tools—do run on a PC, so a Windows program isn't automatically bad. The key is to check before you run it. Is it well known? Is it widely used? Is it recommended by trusted community sources, or did you just stumble onto it in an unfamiliar repository? A "plugin" that quietly leans on a .bat file to launch a hidden program is exactly what that check is meant to catch.
A few habits help:
Match the file to the device, and verify PC tools. Most Vita plugins are Vita files, not Windows programs. Some legitimate tools do run on your PC, so don't panic at an .exe or .bat, but check that it's a well-known, trusted tool before running it.
Be wary of "Download Now" polish. Real homebrew READMEs are written for users like other developers. In this campaign, the fake repositories lean on AI-generated text, which tends to read like marketing: heavy on emoji, friendly phrasing, and a sense of urgency.
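The structural checks described under "How the scam works" and "How to spot the fake", as an added example (not code from this article or from any project it mentions): a Python triage that reads a downloaded ZIP without extracting or running anything. The finding labels, the batch-file contents and both sample archives are constructed for illustration.

```python
import io
import zipfile

VITA_EXTS = {".skprx", ".vpk"}   # Vita file types named in the article
WINDOWS_EXTS = {".bat", ".exe"}  # Windows file types found in the fake download

def ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""

def triage_archive(data: bytes) -> list[str]:
    """Return findings for a plugin ZIP; labels are hypothetical names for this example."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Map lower-cased base name -> archive member name
        members = {i.filename.rsplit("/", 1)[-1].lower(): i.filename
                   for i in zf.infolist() if not i.is_dir()}
        exts = {ext(n) for n in members}
        if not exts & VITA_EXTS:
            findings.append("no-vita-files")
        if exts & WINDOWS_EXTS:
            findings.append("windows-launcher")
        exes = [n for n in members if ext(n) == ".exe"]
        txts = [n for n in members if ext(n) == ".txt"]
        for bat in (n for n in members if ext(n) == ".bat"):
            script = zf.read(members[bat]).decode("utf-8", "replace").lower()
            for line in script.splitlines():
                # A bundled executable and a bundled .txt on one command line means
                # the ".txt" is being fed to a program, not meant to be read.
                runs_exe = any(e in line or e[:-4] in line.split() for e in exes)
                if runs_exe and any(t in line for t in txts):
                    findings.append(f"txt-passed-to-exe:{bat}")
                    break
    return findings

def make_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (used only for the constructed samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: file names follow the article, contents are placeholders.
FAKE = make_zip({"Launch.bat": b"@echo off\r\nstart luajit.exe x64.txt\r\n",
                 "luajit.exe": b"placeholder", "x64.txt": b"placeholder"})
REAL = make_zip({"plugin.skprx": b"placeholder", "README.md": b"placeholder"})

if __name__ == "__main__":
    print(triage_archive(FAKE))
    print(triage_archive(REAL))
```

A "windows-launcher" finding on its own only means the download is a PC tool that still needs the trust check above; the combination with "txt-passed-to-exe" is the pattern this campaign relies on.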