Beware the GitVenom Campaign: Protecting Your Crypto from Malicious Code on GitHub

The code you pull from GitHub to build an application or fix a bug may itself have been planted to steal your bitcoin (BTC) or other crypto holdings, according to a Kaspersky report.

GitHub is a popular tool among developers of all types, but even more so among crypto-focused projects, where a simple application may generate millions of dollars in revenue.

The report describes a campaign Kaspersky calls “GitVenom,” active for at least two years and still growing, in which attackers plant malicious code in fake open-source projects on the platform.

The attack starts with seemingly legitimate GitHub projects, such as tools for managing bitcoin wallets or creating Telegram bots. Each project typically ships a polished README, often AI-generated, to build trust. The code itself carries the Trojan horse: in the Python projects, the malicious line is preceded by roughly 2,000 tab characters, which push it far past the right edge of any editor or of GitHub’s web view, so a casual reader sees only blank space. The code that follows the tabs decrypts and executes the payload.

In the JavaScript projects, a rogue function is embedded in the project’s main file and called from there. Once it runs, the malware downloads further components from a separate, attacker-controlled GitHub repository.

(A tab is a whitespace character normally used to indent code; a long run of tabs is invisible on screen and scrolls the rest of the line out of view. The payload is the part of a program that does its real work, or, in malware, its harm.)

Once the second stage is on the machine, several components go to work. A Node.js stealer harvests saved passwords, crypto wallet data, and browsing history, packs the haul into an archive, and exfiltrates it via Telegram. Alongside it, remote access trojans such as AsyncRAT and Quasar give the attackers control of the device, including keystroke logging and screenshot capture.

A “clipper” component watches the clipboard and replaces any copied wallet address with one belonging to the attackers, so a victim who pastes an address into a transfer sends the funds to the wrong party. One wallet associated with the campaign received 5 BTC, roughly $485,000, in November alone.

GitVenom has mostly hit users in Russia, Brazil, and Turkey, but Kaspersky notes infections worldwide.

The attackers keep a low profile by mimicking the habits of active development and varying their coding techniques to evade antivirus detection.

So how can users protect themselves? Read the code before running it, not just the README: look for lines that are far longer than anything else in the file, large runs of whitespace, and encoded blobs that get decoded and executed. Check who published the project and how its history looks; an unusually polished README is no evidence of legitimacy, and because the attackers mimic active development, a busy commit history is not proof of it either. Run unfamiliar code from an unknown author in an isolated environment, never on the machine that holds your wallets.
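As an added example of the kind of check described above (this is not code from the Kaspersky report or from the campaign), the following scanner walks a checked-out repository and flags the concealment pattern the article describes: a line of real code pushed off-screen behind a huge run of whitespace, an overlong line, or a decode-and-execute one-liner. The thresholds, the list of primitives, and the sample file are assumptions chosen for illustration; the sample's encoded string is only `print("hi")` and nothing is ever executed.

```python
"""Flag source lines that hide code behind whitespace or decode-and-exec blobs."""
import os
import re

# Thresholds are assumptions for this example, not figures from the report.
MIN_HIDDEN_WS = 100      # no hand-written line is indented this deep
MAX_SANE_LINE = 500      # characters; longer lines deserve a manual look

# Primitives that turn an encoded blob into running code (illustrative, not exhaustive).
EXEC_PRIMITIVES = re.compile(
    r"\b(exec|eval|compile|__import__|Function|subprocess\.(?:run|Popen|call))\s*\("
)
DECODE_PRIMITIVES = re.compile(
    r"\b(b64decode|a85decode|atob|fromhex|zlib\.decompress|lzma\.decompress|decrypt)\s*\("
)


def scan_source(text: str) -> list[dict]:
    """Return one finding per suspicious line; an empty list means nothing matched."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip(" \t")
        leading_ws = len(line) - len(stripped)
        reasons = []
        if stripped and leading_ws >= MIN_HIDDEN_WS:
            reasons.append(f"code hidden behind {leading_ws} whitespace characters")
        if len(line) > MAX_SANE_LINE:
            reasons.append(f"overlong line ({len(line)} chars)")
        if EXEC_PRIMITIVES.search(stripped) and DECODE_PRIMITIVES.search(stripped):
            reasons.append("decode-and-execute on a single line")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons, "preview": stripped[:80]})
    return findings


def scan_tree(root: str, suffixes=(".py", ".js", ".ts")) -> dict[str, list[dict]]:
    """Walk a checked-out repository and collect findings per file (skips .git)."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample file (assumption): an innocuous helper followed by a loader line
# hidden behind 2,000 tabs. The encoded string is just print("hi"); it is never run.
SAMPLE = (
    "import json\n"
    "\n"
    "def load_config(path):\n"
    "    with open(path) as fh:\n"
    "        return json.load(fh)\n"
    + "\t" * 2000
    + "exec(__import__('base64').b64decode('cHJpbnQoImhpIik=').decode())\n"
)

if __name__ == "__main__":
    for hit in scan_source(SAMPLE):
        print(f"line {hit['line']}: {'; '.join(hit['reasons'])}\n    {hit['preview']}")
```

Run against a clone with `scan_tree("path/to/repo")`; a hit is a reason to read that line, not a verdict, since legitimate minified JavaScript will also trip the overlong-line rule.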

Researchers, including those at Kaspersky, do not expect these attacks to stop any time soon: “We expect these attempts to continue in the future, possibly with small changes in the TTPs,” they concluded in their report.
