Sunday, March 16, 2025

Hackers Create Fake GitHub Projects to Steal Cryptocurrency, Warns Kaspersky

Cybersecurity firm Kaspersky has uncovered a sophisticated cybercrime campaign known as “GitVenom,” where hackers are leveraging fake GitHub repositories to distribute malware designed to steal cryptocurrency and sensitive personal data. The campaign, which has been active for at least two years, has seen a surge in activity, posing a significant threat to developers and cryptocurrency holders alike.

According to Kaspersky, the attackers have created over 200 deceptive GitHub repositories, masquerading as legitimate projects. These fake repositories claim to offer popular tools, such as Telegram bots for Bitcoin wallet management, Instagram automation software, and gaming hacks. To appear credible, the repositories include detailed README.md files, often generated by artificial intelligence, along with numerous commits to simulate active development.

However, hidden within these seemingly legitimate projects is malicious code. For example, in Python-based projects, malware scripts are often concealed behind large amounts of whitespace, executing once the code runs. In JavaScript projects, harmful functions are embedded to initiate the attack. Once activated, the malware connects to attacker-controlled repositories to download additional malicious components.

The malware deployed by the GitVenom campaign includes:

  • Information Stealers: These collect saved passwords, cryptocurrency wallet information, and browsing histories. The data is then packaged and sent to attackers via Telegram.
  • Remote Access Trojans (RATs): Tools like AsyncRAT and Quasar enable hackers to remotely control infected devices, logging keystrokes and capturing screenshots.
  • Clipboard Hijackers: These monitor clipboard activity for cryptocurrency wallet addresses and replace them with hacker-controlled addresses, diverting funds during transactions. In November 2024, one such wallet received nearly 5 Bitcoin (around $485,000).

The GitVenom campaign has primarily impacted users in Russia, Brazil, and Turkey, though its reach is global.

To combat such threats, Kaspersky advises developers to thoroughly review external code, verify repository authenticity, and avoid downloading code from untrusted sources.
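One way to automate part of that review for the whitespace concealment trick described above, as an added example that is not from Kaspersky's report or the original article: a scanner that flags Python lines where code sits behind a long run of spaces or tabs. The 200-character threshold, the function names and the sample input are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Assumed threshold: a run of this many spaces/tabs followed by more code on
# the same line pushes that code off-screen in most editors and diff views.
PAD_THRESHOLD = 200

# Visible code, then a long run of spaces/tabs, then more code on the same line.
_PADDED = re.compile(r"\S[ \t]{%d,}(\S.*)$" % PAD_THRESHOLD)
# A line that starts with an implausibly deep indent before any code.
_DEEP_INDENT = re.compile(r"^[ \t]{%d,}(\S.*)$" % PAD_THRESHOLD)


def find_padded_code(text, name="<string>"):
    """Return (name, line_no, hidden_snippet) for lines hiding code behind whitespace."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = _PADDED.search(line) or _DEEP_INDENT.match(line)
        if match:
            # Truncate the snippet so a long payload does not flood the report.
            findings.append((name, line_no, match.group(1)[:80]))
    return findings


def scan_tree(root):
    """Scan every .py file under root (for example a freshly cloned repository)."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(find_padded_code(text, str(path)))
    return findings


# Constructed sample: a harmless placeholder call pushed 500 columns to the right.
SAMPLE = (
    "import os\n"
    "def start_bot(token):\n"
    "    print('starting')" + " " * 500 + "hidden_call()\n"
    "    return token\n"
)

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_padded_code(SAMPLE, "sample.py")
    for name, line_no, snippet in hits:
        print(f"{name}:{line_no}: code after long whitespace run: {snippet}")
```

A clean result only rules out this one concealment pattern; it does not replace reading the code or checking the repository's authenticity.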

This discovery highlights the growing cybersecurity risks within open-source development platforms like GitHub, particularly for those involved in the cryptocurrency sector.
