Hackers Using Github to Steal Crypto—Malware Hidden in Open Source


A stealthy malware campaign is hijacking crypto wallets by embedding malicious code in fake open-source projects on GitHub, tricking developers into executing hidden payloads.

Stealthy Malware on GitHub Is Hijacking Crypto Wallets

A recently uncovered cyber campaign known as GitVenom has been targeting GitHub users by embedding malicious code within seemingly legitimate open-source projects. Kaspersky researchers Georgy Kucherin and Joao Godinho identified the operation, in which cybercriminals create fraudulent repositories that mimic real software tools.

The researchers wrote:

“Over the course of the GitVenom campaign, the threat actors behind it have created hundreds of repositories on GitHub that contain fake projects with malicious code – for example, an automation instrument for interacting with Instagram accounts, a Telegram bot that allows users to manage bitcoin wallets, and a hacking tool for the video game Valorant.”

The attackers have gone to great lengths to make these repositories appear authentic, using AI-generated README.md files, adding multiple tags, and artificially inflating commit histories to enhance credibility.

The malicious code is embedded differently depending on the programming language of the fake project. In Python repositories, the attackers conceal the payload by padding a line with a long run of whitespace before the command that decrypts and runs the script. In JavaScript-based projects, they hide the malware inside a function that decodes and executes a Base64-encoded script. For C, C++, and C# projects, they place a hidden batch script in the Visual Studio project files so that the malware runs when the project is built.
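One defensive check a reviewer could run over a cloned repository before building or executing it, as an added example that is not from the article and not Kaspersky's tooling: a small heuristic scanner for the three concealment patterns the paragraph lists (whitespace-padded exec lines in Python, Base64-decode-then-eval functions in JavaScript, and build events in MSBuild project files). The rule names, the 200-character padding threshold, the five-line context window and the sample files are all assumptions constructed for the example; the Base64 strings in the samples are placeholders, not real encoded scripts.

```python
"""Heuristic scanner for the three GitVenom concealment patterns described in the
article (added example, not Kaspersky's tooling). Rule names and thresholds are
assumptions; tune them for your own code base."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


# Rule 1 (Python): 200+ spaces/tabs on one line followed by exec/eval, or exec/eval
# wrapping a decode/decompress/decrypt call. The 200 threshold is an assumption;
# the campaign's padding is described only as "long".
PY_PADDED_EXEC = re.compile(r"[ \t]{200,}.*\b(exec|eval)\s*\(")
PY_DECODE_EXEC = re.compile(r"\b(exec|eval)\s*\(.*\b(b64decode|decompress|fromhex|decrypt)\b")

# Rule 2 (JavaScript): Base64 decoding (atob or Buffer.from(..., 'base64')) with an
# eval/Function call within a few lines of it.
JS_B64_DECODE = re.compile(r"atob\s*\(|Buffer\.from\s*\([^)]*['\"]base64['\"]")
JS_DYNAMIC_EVAL = re.compile(r"\b(eval|Function)\s*\(")
JS_WINDOW = 5  # lines of context on each side (assumption)

# Rule 3 (MSBuild): build events or Exec tasks that run a command at build time.
MSBUILD_EVENT = re.compile(r"<(Pre|Post)BuildEvent>|<Exec\s+Command=", re.IGNORECASE)

PROJECT_EXTS = (".vcxproj", ".csproj", ".props", ".targets")
JS_EXTS = (".js", ".mjs", ".cjs")


def _snippet(line: str) -> str:
    """Collapse whitespace runs so padded lines stay readable in a report."""
    return " ".join(line.split())[:80]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return findings for one file; the rule set is chosen by file extension."""
    findings: list[Finding] = []
    lines = text.splitlines()
    if path.endswith(".py"):
        for n, line in enumerate(lines, start=1):
            if PY_PADDED_EXEC.search(line) or PY_DECODE_EXEC.search(line):
                findings.append(Finding(path, n, "py-hidden-exec", _snippet(line)))
    elif path.endswith(JS_EXTS):
        for n, line in enumerate(lines, start=1):
            if JS_B64_DECODE.search(line):
                lo, hi = max(0, n - 1 - JS_WINDOW), n + JS_WINDOW
                if JS_DYNAMIC_EVAL.search("\n".join(lines[lo:hi])):
                    findings.append(Finding(path, n, "js-b64-eval", _snippet(line)))
    elif path.endswith(PROJECT_EXTS):
        for n, line in enumerate(lines, start=1):
            if MSBUILD_EVENT.search(line):
                findings.append(Finding(path, n, "msbuild-build-event", _snippet(line)))
    return findings


# Constructed sample files mimicking each pattern (placeholders, not real payloads).
SAMPLE_FILES = {
    "bot.py": (
        "import base64\n"
        "print('starting bot')" + " " * 300
        + ";exec(base64.b64decode('<constructed-placeholder>'))\n"
    ),
    "index.js": (
        "function loadConfig(blob) {\n"
        "  const decoded = Buffer.from(blob, 'base64').toString();\n"
        "  return eval(decoded);\n"
        "}\n"
    ),
    "tool.vcxproj": (
        "<Project>\n"
        "  <ItemDefinitionGroup>\n"
        "    <PreBuildEvent>\n"
        "      <Command>cmd /c echo constructed-placeholder</Command>\n"
        "    </PreBuildEvent>\n"
        "  </ItemDefinitionGroup>\n"
        "</Project>\n"
    ),
    "clean.py": "import os\nprint(os.getcwd())\n",
}


def scan_samples() -> dict[str, list[Finding]]:
    """Run the scanner over the constructed samples, keyed by file name."""
    return {path: scan_text(path, text) for path, text in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for found in scan_samples().values():
        for f in found:
            print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

A hit is a prompt to read the flagged line in full, not proof of compromise: legitimate projects do use build events and Base64 decoding, but a decode feeding eval, or an exec call pushed hundreds of columns off-screen, is exactly what a quick skim of a README-driven repository misses.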

Once executed, these scripts download additional malicious components from an attacker-controlled GitHub repository. These include a Node.js-based stealer that extracts credentials, cryptocurrency wallet data, and browsing history and sends it to the attackers via Telegram, as well as open-source remote access tools such as AsyncRAT and the Quasar backdoor. A clipboard hijacker was also deployed, replacing copied cryptocurrency wallet addresses with attacker-controlled ones.

The GitVenom campaign has been active for at least two years, with infection attempts detected worldwide, particularly in Russia, Brazil, and Turkey. Kaspersky researchers emphasized the growing risk posed by malicious repositories, warning:

“As code-sharing platforms such as GitHub are used by millions of developers worldwide, threat actors will certainly continue using fake software as an infection lure.”

“For that reason, it is crucial to handle processing of third-party code very carefully. Before attempting to run such code or integrate it into an existing project, it is paramount to thoroughly check what actions it performs,” they cautioned. As open-source platforms continue to be exploited by cybercriminals, developers must exercise caution to prevent their environments from being compromised.
