Hackers Exploit Malicious GitHub Repositories to Steal BTC


According to a Kaspersky report, the GitHub code you pull in to build an application or fix a bug could be the very thing that steals your bitcoin (BTC) or other cryptocurrency.

GitHub is popular with developers of every kind, and especially with crypto projects, where even simple applications can generate millions of dollars in profit.

The report warns of an ongoing campaign it calls “GitVenom”, active for at least two years and growing, in which attackers plant malicious code in fake projects hosted on the platform.

The attack begins with what appear to be legitimate GitHub projects—such as Telegram bots for managing bitcoin wallets or gaming tools.

Each project ships with a polished README, often AI-generated, to build trust. The code itself is the Trojan horse: in Python projects the attackers append a run of roughly 2,000 tab characters to an otherwise ordinary line, and only after that run comes the statement that decrypts and executes the malicious payload, pushed far enough to the right that a casual look at the file never sees it.

In the JavaScript projects, a malicious function is inserted into the project's main file and kicks off the attack. Once triggered, the malware downloads further components from a separate attacker-controlled GitHub repository.

(A tab is a whitespace character normally used to indent code; a run of 2,000 of them pushes whatever follows off screen in most editors. The payload is the part of a program that does the actual work, which for malware means the harmful action.)

Once a machine is compromised, several components run together. A Node.js stealer harvests saved passwords, cryptocurrency wallet data and browsing history, packs them up and sends them out via Telegram. Remote access trojans such as AsyncRAT and Quasar give the attackers control of the device, logging keystrokes and capturing screenshots.

A “clipper” watches the clipboard and swaps any copied wallet address for one belonging to the attackers, so funds the victim pastes and sends go to the wrong place. One such attacker wallet received 5 BTC, worth about $485,000 at the time, in November alone.

GitVenom has been active for at least two years; infection attempts have been observed worldwide, with users in Russia, Brazil and Turkey hit hardest, according to Kaspersky.

The attackers keep a low profile by simulating active development and varying how the malicious code is written to evade antivirus detection.

So, how can users protect themselves? Read any code carefully before running it, verify that the project is what it claims to be, and treat an unusually polished README or an inconsistent commit history as a warning sign.
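One concrete way to act on that advice against the tab-hiding trick described above: the checker below is an added example written for this page, not code from Kaspersky's report or from any of the repositories it describes. It flags any line in a source file where executable code follows an abnormally long run of tab characters, and notes whether the hidden part contains decode/execute indicators. The 100-tab threshold and the marker list are assumptions chosen here (the report mentions about 2,000 tabs; ordinary indentation is a handful), and the sample module at the bottom is constructed for the demonstration, with an arbitrary base64 string rather than a real payload.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Substrings that suggest a line is decoding, fetching or running a payload
# rather than doing the project's ordinary work (an assumed, not exhaustive, list).
PAYLOAD_MARKERS = (
    "exec(", "eval(", "compile(", "base64", "b64decode", "fromhex",
    "decrypt", "zlib", "urlopen", "requests.get", "subprocess",
)


@dataclass
class Finding:
    lineno: int
    tab_run: int        # length of the tab run that hides the code
    visible: str        # what an editor shows at the left edge of the line
    hidden: str         # the code that sits after the tab run
    markers: tuple      # PAYLOAD_MARKERS found in the hidden part


def find_hidden_tab_code(source: str, min_tabs: int = 100) -> list:
    """Flag lines where executable code follows an abnormally long run of tabs.

    min_tabs is a threshold chosen for this example, not a published value;
    lower it to be more aggressive, raise it to cut noise from odd formatting.
    """
    tab_run = re.compile(r"\t{%d,}" % min_tabs)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = tab_run.search(line)
        if match is None:
            continue
        hidden = line[match.end():].strip()
        # Trailing whitespace or a hidden comment is odd but not executable.
        if not hidden or hidden.startswith("#"):
            continue
        visible = line[:match.start()].rstrip()
        markers = tuple(m for m in PAYLOAD_MARKERS if m in hidden)
        findings.append(Finding(lineno, len(match.group(0)),
                                visible[:60], hidden[:80], markers))
    return findings


def scan_tree(root, suffixes=(".py", ".js", ".ts")) -> dict:
    """Run the check over every source file under root; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix in suffixes and path.is_file():
            hits = find_hidden_tab_code(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample in the style the text describes: a normal-looking module
# with one line that hides a decode-and-exec after 2,000 tabs. The base64
# string is an arbitrary placeholder, not real malware.
SAMPLE_SOURCE = (
    "import os\n"
    "\n"
    "def start_bot(token):\n"
    "    print('starting bot', token[:4] + '...')\n"
    "\n"
    "CONFIG = {'retries': 3};" + "\t" * 2000
    + "exec(__import__('base64').b64decode('cHJpbnQoJ3BheWxvYWQnKQ=='))\n"
    "\n"
    "if __name__ == '__main__':\n"
    "    start_bot(os.environ.get('TOKEN', ''))\n"
)


if __name__ == "__main__":
    # Usage: python check_tabs.py <repo-dir>   (no argument: run on the sample)
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for f in hits:
                print(f"{path}:{f.lineno}: {f.tab_run} tabs hide {f.hidden!r} markers={f.markers}")
    else:
        for f in find_hidden_tab_code(SAMPLE_SOURCE):
            print(f"sample:{f.lineno}: {f.tab_run} tabs hide {f.hidden!r} markers={f.markers}")
```

Run it over a freshly cloned repository before executing anything from it. The check only catches this one hiding technique; the JavaScript variant, which the report describes as a malicious function dropped into the main file, and the second-stage tools fetched from the attackers' own repository need a proper read of the code, not a pattern match.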

Researchers do not anticipate an end to these attacks anytime soon: “We expect these attempts to persist in the future, potentially with minor adjustments in the tactics, techniques, and procedures (TTPs),” Kaspersky concluded in their report.