
Snippets of README.md pages with descriptions of fake projects | Image: Kaspersky Labs
Security researchers at Kaspersky Labs have uncovered a large-scale cybercrime campaign, dubbed GitVenom, that targets GitHub users by spreading malicious repositories designed to steal cryptocurrency and credentials. This campaign exploits developers’ trust in open-source code to infect unsuspecting victims worldwide.
The GitVenom campaign involves hundreds of fraudulent GitHub repositories, each masquerading as legitimate open-source projects. These repositories claim to offer useful tools, such as:
- Automation for Instagram accounts
- Telegram bots for Bitcoin wallet management
- Hacking tools for video games like Valorant
Kaspersky researchers explain: “In designing these fake projects, the actors went to great lengths to make the repositories appear legitimate to potential targets. For instance, the malicious repositories we discovered contained well-designed README.md files, possibly generated using AI tools.”
To make these repositories appear active and trustworthy, attackers artificially inflate the commit history by using a timestamp file that updates every few minutes.
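The commit-padding trick described above leaves a measurable fingerprint: most commits touch exactly one file and arrive at near-constant intervals. The following added example (written for this article, not code from Kaspersky or from the campaign) scores a commit log on those two signals; the commit records, the ten-minute cadence, the `timestamp.txt` file name and the 0.8 thresholds are all constructed assumptions for the demonstration, not figures from the report.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median
from typing import List, Tuple

# A commit record is (commit time, files touched). Constructed for this example;
# real data would come from `git log --format=%cI --name-only` or the GitHub API.
Commit = Tuple[datetime, List[str]]

def build_inflated_log() -> List[Commit]:
    """Two ordinary commits followed by 48 commits, ten minutes apart,
    each touching only a single timestamp file (constructed sample)."""
    log: List[Commit] = [
        (datetime(2024, 10, 30, 12, 0), ["main.py"]),
        (datetime(2024, 11, 1, 8, 0), ["main.py", "README.md"]),
    ]
    start = datetime(2024, 11, 1, 9, 0)
    for i in range(48):
        log.append((start + timedelta(minutes=10 * i), ["timestamp.txt"]))
    return log

INFLATED_LOG: List[Commit] = build_inflated_log()

# Constructed sample of an organically developed project: irregular gaps, varied files.
ORGANIC_LOG: List[Commit] = [
    (datetime(2024, 10, 1, 9, 12), ["src/app.py", "tests/test_app.py"]),
    (datetime(2024, 10, 1, 14, 40), ["src/app.py"]),
    (datetime(2024, 10, 3, 11, 5), ["README.md"]),
    (datetime(2024, 10, 7, 16, 30), ["src/db.py", "src/app.py"]),
    (datetime(2024, 10, 15, 10, 0), ["src/db.py"]),
]

def single_file_share(commits: List[Commit]) -> float:
    """Share of all commits whose only change is the single most-touched file."""
    solo = Counter(files[0] for _, files in commits if len(files) == 1)
    if not solo:
        return 0.0
    _, top_count = solo.most_common(1)[0]
    return top_count / len(commits)

def interval_regularity(times: List[datetime], tolerance: float = 0.1) -> float:
    """Fraction of inter-commit intervals within +/- tolerance of the median interval.
    A scheduled job produces values near 1.0; human activity is far more irregular."""
    ordered = sorted(times)
    intervals = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if not intervals:
        return 0.0
    med = median(intervals)
    if med <= 0:
        return 0.0
    regular = sum(1 for iv in intervals if abs(iv - med) <= tolerance * med)
    return regular / len(intervals)

def looks_inflated(commits: List[Commit],
                   share_threshold: float = 0.8,
                   regularity_threshold: float = 0.8) -> bool:
    """Flag a history where one file dominates and the cadence is machine-regular.
    Thresholds are assumptions for this example, not published indicators."""
    share = single_file_share(commits)
    regularity = interval_regularity([t for t, _ in commits])
    return share >= share_threshold and regularity >= regularity_threshold

if __name__ == "__main__":
    for name, log in (("inflated", INFLATED_LOG), ("organic", ORGANIC_LOG)):
        print(name, "single-file share=%.2f" % single_file_share(log),
              "regularity=%.2f" % interval_regularity([t for t, _ in log]),
              "inflated=%s" % looks_inflated(log))
```

Both signals are needed together: a busy changelog or a documentation-only repository can score high on one of them alone, but a history that is both single-file and clock-regular is what a timestamp-file cron job produces.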
The GitVenom campaign delivers malware through repositories written in Python, JavaScript, C, C++, and C#. The malicious payloads are cleverly hidden:
- Python Projects: Malicious code is buried in project files, often disguised within thousands of tab characters, followed by an obfuscated decryption function.
- JavaScript Projects: Attackers embed Base64-encoded scripts inside project files, executed when the program runs.
- C, C++, and C# Projects: The payload is embedded inside Visual Studio project files, using PreBuildEvent attributes to execute malware at build time.
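Each of the three hiding techniques listed above can be checked for mechanically before a cloned repository is ever run or built. The scanner below is an added example written for this article (not Kaspersky's tooling and not code from the campaign): it looks for a long run of tab characters followed by code in Python files, a long Base64 literal passed to a decoder in JavaScript files, and a pre-build command in MSBuild project files. The 500-tab and 200-character thresholds, the suspicious-command list and the sample files are constructed assumptions for the demonstration.

```python
import base64
import re
from pathlib import Path
from typing import Dict, List

# Thresholds are assumptions for this example, not figures from the report.
TAB_RUN_THRESHOLD = 500   # a run this long pushes whatever follows far off-screen in an editor
BASE64_MIN_LEN = 200      # a literal this long handed straight to a decoder is worth a look

# Python: a long tab run immediately followed by non-whitespace (i.e. hidden code).
TAB_RUN_RE = re.compile(r"\t{%d,}(?=\S)" % TAB_RUN_THRESHOLD)
# JavaScript: Buffer.from('<b64>') or atob('<b64>') with a long Base64 literal.
JS_B64_RE = re.compile(
    r'''(?:Buffer\.from\(|atob\()\s*['"]([A-Za-z0-9+/=]{%d,})['"]''' % BASE64_MIN_LEN)
# MSBuild: classic <PreBuildEvent> element or an <Exec Command="..."> target.
PREBUILD_RE = re.compile(
    r'<PreBuildEvent>(.*?)</PreBuildEvent>|<Exec\s+Command="([^"]*)"', re.S | re.I)
# Commands that fetch or launch things at build time (assumed list for the example).
SUSPICIOUS_CMD_RE = re.compile(
    r"powershell|cmd(?:\.exe)?\s*/c|curl|wget|certutil|bitsadmin|Invoke-WebRequest", re.I)

def scan_file(path: Path, text: str) -> List[str]:
    """Return human-readable findings for one file, chosen by its extension."""
    findings: List[str] = []
    suffix = path.suffix.lower()
    if suffix == ".py":
        for m in TAB_RUN_RE.finditer(text):
            tail = text[m.end():m.end() + 40]
            findings.append(
                f"{path}: code hidden behind {len(m.group(0))} tab characters: {tail!r}")
    elif suffix in (".js", ".mjs", ".cjs"):
        for m in JS_B64_RE.finditer(text):
            blob = m.group(1)
            try:
                preview = base64.b64decode(blob, validate=True)[:40]
            except ValueError:          # binascii.Error is a ValueError subclass
                preview = b"<not valid base64>"
            findings.append(
                f"{path}: {len(blob)}-char Base64 literal decoded at runtime, starts {preview!r}")
    elif suffix in (".csproj", ".vcxproj", ".vbproj"):
        for m in PREBUILD_RE.finditer(text):
            cmd = (m.group(1) or m.group(2) or "").strip()
            if SUSPICIOUS_CMD_RE.search(cmd):
                findings.append(f"{path}: suspicious build-time command: {cmd[:60]!r}")
    return findings

def scan_samples(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan an in-memory {filename: contents} map; on disk you would walk the clone instead."""
    return {name: scan_file(Path(name), text) for name, text in samples.items()}

# Constructed sample files that mimic the three hiding styles plus one clean file.
# The Base64 blob is a harmless console.log repeated to exceed the length threshold.
SAMPLE_B64 = base64.b64encode(b"console.log('constructed placeholder');" * 6).decode()
SAMPLES: Dict[str, str] = {
    "insta_bot.py": ("import os\n\ndef main():\n    print('running')\n"
                     + "\t" * 600
                     + "exec(decrypt(BLOB))  # constructed placeholder\n"),
    "index.js": f"const s = Buffer.from('{SAMPLE_B64}', 'base64').toString();\neval(s);\n",
    "Tool.csproj": ('<Project>\n  <PropertyGroup>\n'
                    '    <PreBuildEvent>powershell -c "Write-Host constructed placeholder"</PreBuildEvent>\n'
                    '  </PropertyGroup>\n</Project>\n'),
    "clean.py": "import sys\n\nprint(sys.argv)\n",
}

if __name__ == "__main__":
    for name, hits in scan_samples(SAMPLES).items():
        print(name, "->", hits or "no findings")
```

The extension-based dispatch mirrors how the campaign chose its hiding spot per language; a real pre-run check would walk the clone with `Path.rglob` and also inspect `.sln`-referenced project files, since the build-time vector never needs the program itself to be executed.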
Kaspersky notes: “While coded in different programming languages, the malicious payloads stored inside the fake projects had the same goal – download further malicious components from an attacker-controlled GitHub repository.”
Once executed, the malicious code downloads additional payloads, including:
- A Node.js-based credential stealer that extracts saved passwords, browser history, and cryptocurrency wallet data, then sends it to attackers via Telegram.
- AsyncRAT & Quasar Backdoor, two open-source remote access trojans (RATs) that allow attackers to take full control of infected systems.
- A clipboard hijacker that replaces cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses.
According to Kaspersky, “The attacker-controlled Bitcoin wallet received a lump sum of about 5 BTC (approximately $485,000) in November 2024.”
The GitVenom campaign has been active for over two years, spreading across multiple regions. Researchers observed the highest infection rates in Russia, Brazil, and Turkey but noted attempts worldwide.