GitVenom malware on GitHub steals $442K in crypto
Cybersecurity firm Kaspersky has uncovered a widespread malware campaign dubbed "GitVenom," where hackers are creating fake GitHub projects to trick users into downloading malware that steals cryptocurrency and personal data.
These malicious projects contain remote access trojans (RATs), info-stealers, and clipboard hijackers.
The attackers create hundreds of repositories on GitHub hosting these fake projects.
The projects often include a Telegram bot that manages Bitcoin (CRYPTO:BTC) wallets or a tool to automate Instagram account interactions.
To appear legitimate, the hackers include "well-designed" information and instruction files, possibly generated using AI.
They also artificially inflate the number of commits and add multiple references to specific changes.
However, the projects don't implement the advertised features and instead perform meaningless actions.
Regardless of how a fake project presents itself, all of them carry "malicious payloads" that download further components, such as an info-stealer that collects saved credentials, cryptocurrency wallet data, and browsing history and uploads them to the attackers through Telegram.
Another component is a clipboard hijacker that watches the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled ones.
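The clipboard swap described above leaves a detectable trace on the endpoint: a copied wallet address turns into a different address within a fraction of a second, which a human rarely does. The following is an added defensive example, not code from Kaspersky's report; the clipboard samples are constructed, and the two-second threshold and the format-only (no checksum) Bitcoin address patterns are assumptions.

```python
import re
from dataclasses import dataclass

# Format-only patterns for the two common Bitcoin address families.
# These check shape, not the checksum, which is enough for a heuristic monitor.
BTC_PATTERNS = {
    "p2pkh_p2sh": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
}


def address_kind(text):
    """Return the address family name if text looks like a Bitcoin address, else None."""
    candidate = text.strip()
    for kind, pattern in BTC_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


@dataclass
class SwapAlert:
    at: float            # poll timestamp (seconds) at which the swap was seen
    original: str        # address the user copied
    replaced_with: str   # address that silently took its place


def detect_swaps(samples, max_gap=2.0):
    """samples: (timestamp_seconds, clipboard_text) pairs from a polling loop.

    Flags an address being replaced by a *different* address within max_gap
    seconds. Assumption: a user copying two distinct addresses that quickly is
    unlikely; a clipboard hijacker rewriting the clipboard is the usual cause.
    """
    alerts = []
    prev_t, prev_text = None, None
    for t, text in samples:
        if prev_text is not None and text != prev_text:
            if address_kind(prev_text) and address_kind(text) and (t - prev_t) <= max_gap:
                alerts.append(SwapAlert(t, prev_text.strip(), text.strip()))
        prev_t, prev_text = t, text
    return alerts


# Constructed clipboard history: user copies their address, it is swapped 0.5 s later,
# then much later the user copies their own address again (a legitimate change).
SAMPLE_POLL = [
    (0.0, "meeting notes"),
    (1.0, "1ExampLeUserWaLLetAddrxxxxxxxxxxxx"),
    (1.5, "1AttackerContro11edWa11etxxxxxxxxxx"),
    (30.0, "1ExampLeUserWaLLetAddrxxxxxxxxxxxx"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_POLL):
        print(f"t={alert.at}s: {alert.original} -> {alert.replaced_with}")
```

A real monitor would feed `detect_swaps` from a clipboard API on the host; the logic above is the part that decides whether a change looks like a hijack.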
In November 2024, at least one user was snared by these malicious apps, resulting in a hacker-controlled wallet receiving 5 Bitcoin, worth around $442,000 at the time.
Kaspersky's investigation revealed that some of these fake projects have been active for at least two years, suggesting the "infection vector is likely quite efficient."
The GitVenom campaign has been observed worldwide but has an elevated focus on infecting users from Russia, Brazil, and Turkey.
Kaspersky analyst Georgy Kucherin advises users to check what actions any third-party code performs before downloading it.
He also expects attackers to continue publishing malicious projects, "possibly with small changes" in their tactics.