A sophisticated malware campaign known as GitVenom has infiltrated over 200 GitHub repositories, targeting developers with deceptive projects designed to steal sensitive information and cryptocurrency.
The campaign, which has been active for nearly two years, spans multiple programming languages including Python, JavaScript, C, C++, and C#. Attackers have meticulously crafted repositories that appear to be legitimate development tools, including automation scripts, Telegram bots, and gaming utilities.
Researchers discovered that the malicious repositories employ advanced social engineering techniques to appear credible. The attackers generate detailed README files, likely using AI tools, and artificially inflate repository activity by creating automated commits every few minutes. This strategy helps the repositories appear more legitimate and increases their visibility in GitHub's search results.
One of the malicious GitHub repositories (Source: Kaspersky)
The payloads delivered through these repositories are built for theft. A Node.js stealer harvests saved usernames and passwords, browser history, and cryptocurrency wallet data, packs the loot into a .7z archive, and exfiltrates it through Telegram bots. The campaign also deploys AsyncRAT, an open-source remote access tool that supports keylogging and screen capture, and a clipboard hijacker that silently replaces any cryptocurrency wallet address the victim copies with an attacker-controlled one, so a payment pasted into a wallet application is redirected to the attacker.
Detailed README file of a fraudulent project (Source: Kaspersky)
Geographic targeting appears to be a key strategy, with repositories tailored to specific regional developer interests. Brazilian repositories promoted national ID generation tools, while Turkish repositories advertised VPN bypass tools for streaming platforms. This localized approach increases the likelihood of developers trusting and downloading the malicious projects.
Financial impact has been significant. In one documented instance from November 2024, an attacker-controlled Bitcoin wallet received a single transfer of 5 BTC, valued at approximately $485,000. The campaign has primarily targeted developers in Russia, Brazil, Turkey, and Southeast Asian countries.
Cybersecurity experts warn that developers must exercise extreme caution when downloading and integrating third-party code. Recommended protective measures include reviewing third-party code and its dependencies before running it, scrutinising repository engagement metrics such as stars, forks, contributors, and commit history (keeping in mind that this campaign artificially inflated commit activity, so a busy history alone proves nothing), and avoiding downloads from unverified sources.
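The inflated activity described earlier (automated commits landing every few minutes) and the advice to check engagement metrics suggest one cheap triage check a developer can run on a cloned repository before trusting it: look at the spacing and subject lines of its commits. The script below is an added example for this article, not tooling from Kaspersky or from the campaign's repositories. It reads the text produced by `git log --format='%aI%x09%s'` (ISO 8601 author date, a tab, the subject line), summarises inter-commit gaps, and flags histories of many evenly spaced, near-identical commits. The two sample logs are constructed for illustration and the thresholds are assumptions to be tuned per repository.

```python
"""Commit-cadence triage for a cloned repository (added example).

Input is the text produced by:

    git log --format='%aI%x09%s'

i.e. one commit per line: ISO 8601 author date, a tab, the subject line.
The sample logs below are constructed; the thresholds are assumptions.
"""
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def parse_git_log(log_text):
    """Return [(datetime, subject), ...] sorted oldest to newest."""
    commits = []
    for line in log_text.strip().splitlines():
        stamp, _, subject = line.partition("\t")
        commits.append((datetime.fromisoformat(stamp.strip()), subject.strip()))
    commits.sort(key=lambda commit: commit[0])
    return commits


def commit_cadence(commits):
    """Summarise inter-commit gaps and subject-line repetition."""
    if len(commits) < 2:
        return None
    gaps = [(later - earlier).total_seconds()
            for (earlier, _), (later, _) in zip(commits, commits[1:])]
    avg = mean(gaps)
    subjects = [subject for _, subject in commits]
    return {
        "commits": len(commits),
        "median_gap_s": median(gaps),
        # coefficient of variation: ~0 means metronomic, bot-like spacing
        "gap_cv": pstdev(gaps) / avg if avg else 0.0,
        # 0 means every subject is unique, 1 means every subject is the same
        "subject_repeat_ratio": 1 - len(set(subjects)) / len(subjects),
    }


def looks_automated(stats, max_median_gap_s=15 * 60, max_cv=0.5,
                    min_repeat_ratio=0.5, min_commits=10):
    """Flag many commits a few minutes apart, evenly spaced, with
    near-identical subjects. Thresholds are assumptions, tune per repo."""
    if stats is None or stats["commits"] < min_commits:
        return False
    return (stats["median_gap_s"] <= max_median_gap_s
            and stats["gap_cv"] <= max_cv
            and stats["subject_repeat_ratio"] >= min_repeat_ratio)


def synthetic_log(start_iso, gap_minutes, subjects):
    """Build constructed log text in the git format described above."""
    stamp = datetime.fromisoformat(start_iso)
    lines = []
    for gap, subject in zip(gap_minutes, subjects):
        stamp += timedelta(minutes=gap)
        lines.append(f"{stamp.isoformat()}\t{subject}")
    return "\n".join(lines)


# Constructed: 24 commits, one every five minutes, all titled "Update".
AUTOMATED_LOG = synthetic_log("2024-11-01T08:00:00+00:00",
                              [0] + [5] * 23, ["Update"] * 24)

# Constructed: 12 commits over several weeks, irregular gaps, real subjects.
ORGANIC_LOG = synthetic_log(
    "2024-10-02T14:10:00+00:00",
    [0, 47, 1500, 3, 9000, 12, 620, 28, 4400, 75, 15, 2100],
    ["Initial commit", "Add CLI parser", "Fix path handling on Windows",
     "Add tests", "Refactor config loader", "Bump version to 0.2.0",
     "Handle empty input", "Docs: usage section", "Fix typo in README",
     "Add retry on timeout", "Release 0.2.1", "Update CI matrix"])

if __name__ == "__main__":
    for name, log in (("automated", AUTOMATED_LOG), ("organic", ORGANIC_LOG)):
        stats = commit_cadence(parse_git_log(log))
        verdict = "suspicious" if looks_automated(stats) else "ok"
        print(f"{name}: {stats} -> {verdict}")
```

A metronomic commit cadence is only a signal, not proof: legitimate projects run bots too (dependency updates, CI badges), so treat a hit as a reason to read the code and the contributor list, not as a verdict on its own.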
GitHub has removed the identified malicious repositories, but researchers emphasize that similar supply chain attacks are likely to continue. The GitVenom campaign underscores the ongoing challenges in maintaining security within open-source development ecosystems.
As threat actors continue to evolve their tactics, developers must remain vigilant, implementing robust code review processes and maintaining heightened awareness of potential security risks in seemingly legitimate software repositories.
Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing on a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to explain complex security topics with clarity and insight.