Hackers Use GitHub to Steal Bitcoin in Sophisticated ‘GitVenom’ Cyberattack

Hackers are using GitHub to spread malware-laced repositories, stealing bitcoin and sensitive data. Kaspersky’s report warns of the rising ‘GitVenom’ cyberattack targeting crypto developers worldwide.

Key Insights

  • Hackers are using fake GitHub repositories in a campaign called ‘GitVenom’ to plant malware that steals crypto wallets, passwords, and sensitive data.
  • The malware, hidden in Python and JavaScript projects, executes malicious payloads, hijacks devices, and redirects funds to attacker-controlled wallets.
  • Kaspersky warns that GitVenom is active globally, with major impacts in Russia, Brazil, and Turkey.

SAN FRANCISCO (MarketsXplora) – Malicious actors are exploiting the popular code-hosting platform GitHub to infiltrate crypto-related projects and steal users’ bitcoin (BTC) and other digital assets, according to a report by cybersecurity firm Kaspersky.

The attack, dubbed “GitVenom,” has been active for at least two years and is gaining traction, Kaspersky researchers found. The campaign relies on planting harmful code in seemingly legitimate GitHub repositories, tricking developers into integrating infected projects into their work.

Malicious Code Hidden in Fake GitHub Projects

GitHub, widely used by software developers globally, is particularly popular in the crypto space, where open-source projects can generate millions of dollars in revenue. The GitVenom attackers take advantage of this by distributing fake repositories containing malicious code disguised within legitimate-looking applications.

These rogue projects frequently claim to offer useful tools, such as Telegram bots for managing bitcoin wallets or utilities for computer games. To build trust, they include polished README files—often AI-generated—to make the project appear credible.

However, hidden within the code are Trojan horse elements designed to execute a multi-layered cyberattack once deployed.

Technical Tactics: Hidden Malware Execution

Kaspersky’s research revealed that the attack method varies depending on the programming language used in the repository.

For Python-based projects, attackers conceal the harmful script behind an unusually long sequence of 2,000 tab characters. When executed, the script decrypts and deploys a malicious payload.

For JavaScript applications, a rogue function is embedded within the main file, which initiates the attack when triggered. The malware then downloads additional malicious tools from a separate, hacker-controlled GitHub repository.

(A tab is a whitespace character used to indent code; thousands of them in a row push whatever follows far past the visible edge of an editor window. A payload is the component of malware that carries out the intended attack.)

Once Infected: Crypto Theft and Remote Takeover

After a victim unknowingly runs the infected code, the malware deploys a series of tools that compromise the user’s system and steal valuable information.

Among the deployed tools is a Node.js-based stealer that collects stored passwords, crypto wallet details, and browsing history. The stolen data is then bundled and sent via Telegram to the attackers.

Additionally, remote access trojans (RATs) such as AsyncRAT and Quasar are used to hijack the victim’s device, allowing hackers to log keystrokes and capture screenshots.

Another particularly damaging component, known as a “clipper,” replaces copied wallet addresses with those controlled by the attackers, diverting funds during transactions. One identified hacker-controlled wallet collected 5 BTC—worth $485,000 at the time—in November alone.

Stealthy Tactics and Global Reach

The GitVenom campaign has primarily affected users in Russia, Brazil, and Turkey, but Kaspersky noted that its reach is global.

To avoid detection, the attackers maintain an appearance of active development within their fake repositories. They also frequently alter their coding techniques, making it harder for antivirus software to flag their activities.

Mitigation Measures and Future Threats

Cybersecurity researchers caution developers to be vigilant when using third-party code. Experts recommend thoroughly reviewing code before executing it, verifying the credibility of projects, and scrutinizing repositories with overly polished READMEs or suspicious commit histories.
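The review advice above can be partly automated for the whitespace trick described under “Technical Tactics”: code hidden behind a run of roughly 2,000 tab characters is invisible in a normal editor window but trivial to find by scanning for long whitespace runs followed by non-whitespace text. The following scanner is an added example written for this article, not code from Kaspersky’s report or from any of the repositories it describes. The thresholds, the list of “dynamic execution” keywords, and the constructed sample script are assumptions chosen for illustration.

```python
"""Flag source lines that hide code behind long runs of whitespace (review aid)."""
import re
from pathlib import Path

# Assumed threshold for this example: a whitespace run this long pushes any
# following code off-screen in a typical editor. Tune for your codebase.
LONG_WS_RUN = 200
LONG_WS = re.compile(r"[ \t]{%d,}" % LONG_WS_RUN)

# Constructs that commonly turn a decoded blob into running code. Matching one
# is a prompt for manual review, not proof of malice.
DYNAMIC_EXEC = re.compile(
    r"\b(exec|eval|__import__|compile)\s*\(|b64decode|fromhex|zlib\.decompress"
)


def scan_source(text):
    """Return one finding per line whose code is preceded by a long whitespace run.

    Each finding is a dict with the line number, the length of the whitespace
    run, a short excerpt of the hidden text, and whether that text contains a
    dynamic-execution construct.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = LONG_WS.search(line)
        if not match:
            continue
        hidden = line[match.end():]
        if not hidden.strip():
            continue  # trailing whitespace only, nothing is hidden
        findings.append({
            "line": line_no,
            "ws_run": match.end() - match.start(),
            "hidden": hidden.strip()[:60],
            "dynamic_exec": bool(DYNAMIC_EXEC.search(hidden)),
        })
    return findings


def scan_tree(root, suffixes=(".py", ".js")):
    """Scan every matching file under root; return {path: findings} for hits only."""
    results = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix in suffixes):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings = scan_source(text)
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample (not a real repository): a benign-looking price helper with
# an exec() call pushed 2,000 tabs to the right on the last real line of code.
SAMPLE = (
    "import requests\n"
    "def get_price(coin):\n"
    "    return requests.get(f'https://example.invalid/{coin}').json()\n"
    "print(get_price('btc'))"
    + "\t" * 2000
    + ";exec(__import__('base64').b64decode(PAYLOAD_PLACEHOLDER))\n"
    "x = 1    # ordinary short whitespace is ignored\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f['line']}: {f['ws_run']} whitespace chars hide "
              f"{f['hidden']!r} (dynamic exec: {f['dynamic_exec']})")
```

Run `scan_tree(".")` against a freshly cloned repository before executing anything from it; a hit with `dynamic_exec` set is the pattern the article describes and warrants reading the full hidden line. The check is deliberately a heuristic: it will not catch the JavaScript variant, where the rogue function sits in plain view inside the main file, so it complements rather than replaces reading the code.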

Kaspersky researchers believe these attacks are unlikely to stop anytime soon. “We expect these attempts to continue in the future, possibly with small changes in the TTPs (tactics, techniques, and procedures),” the report warned.

Samson Ononeme

Meet Samson Ononeme, a dynamic writer, editor, and CEO of marketsxplora.com. With a passion for words and sharp business acumen, he engages readers with compelling storytelling and delivers insightful market analysis.