GitHub Repositories Used to Attack Bitcoin Wallets

Kaspersky's research on the GitVenom campaign reveals GitHub repositories that embed malicious code to steal Bitcoin and other digital assets.

Key Takeaways

  • GitVenom uses GitHub repositories to deploy malware targeting Bitcoin wallets.
  • Attackers use hidden scripts in Python, JavaScript, and C-based projects.
  • Kaspersky warns developers to verify GitHub repositories before use.

Kaspersky researchers have uncovered a widespread cyberattack campaign on GitHub, dubbed GitVenom, that distributes harmful code targeting Bitcoin wallets.

The attackers created hundreds of deceptive repositories posing as legitimate open-source projects for social media automation, wallet management, and gaming enhancements.

Hidden scripts & targeted languages

Instead of providing real functionality, these repositories contained hidden scripts that installed cryptographic libraries, downloaded malicious payloads, and executed concealed attacks.

The malware targeted multiple programming languages, including Python, JavaScript, C, C++, and C#.

Attack methods

In Python projects, a long sequence of tab characters hid commands installing cryptographic libraries to decrypt and execute a hidden payload.

JavaScript-based attacks used Base64-encoded scripts, while C, C++, and C# repositories embedded malicious batch scripts in Visual Studio files that activated during the build process.
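
As an added illustration, not code from Kaspersky's report or from any repository it describes, the Python script below scans a set of constructed files for the three hiding techniques described above: code pushed out of view behind a long run of tab characters, long Base64 blobs in JavaScript, and pre/post-build events in Visual Studio project files. The sample contents, the tab and Base64 length thresholds, and the file names are assumptions.

```python
import base64
import re

# Constructed sample files standing in for a cloned repository; these are
# not real GitVenom artifacts, only inputs to exercise the checks below.
SAMPLE_FILES = {
    "bot.py": (
        "import requests\n"
        "def run():\n"
        "    return requests.get('https://example.invalid')\n"
        "# helper" + "\t" * 300 + "import subprocess; subprocess.run(['pip', 'install', 'cryptography'])\n"
    ),
    "util.js": "const x = 1;\nconst p = '" + base64.b64encode(b"x" * 120).decode() + "';\n",
    "proj.vcxproj": (
        "<Project>\n  <PropertyGroup>\n"
        "    <PreBuildEvent><Command>cmd /c stage.bat</Command></PreBuildEvent>\n"
        "  </PropertyGroup>\n</Project>\n"
    ),
    "clean.py": "print('hello')\n",
}

# A run of 50+ tabs followed by non-whitespace: code pushed beyond the visible
# width of an editor, the trick the article describes for Python projects.
TAB_RUN = re.compile(r"\t{50,}\S")
# Long Base64-like tokens in JavaScript sources, which may hide a decoded stage.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
# MSBuild pre/post-build events run shell commands during the build.
BUILD_EVENT = re.compile(r"<(Pre|Post)BuildEvent>")

def scan_text(name, text):
    """Return (file, line, reason) tuples for suspicious lines in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if TAB_RUN.search(line):
            findings.append((name, lineno, "code hidden after a long run of tab characters"))
        if name.endswith(".js") and B64_BLOB.search(line):
            findings.append((name, lineno, "long Base64-like blob in JavaScript"))
        if name.endswith((".vcxproj", ".csproj")) and BUILD_EVENT.search(line):
            findings.append((name, lineno, "build event runs a command at compile time"))
    return findings

def scan_repo(files):
    """Scan every file in a {path: contents} mapping and return all findings."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings
```

Every hit is a prompt for manual review of that line, not proof of malice; a legitimate project may use build events or embed encoded assets.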

Malware functionality

Once installed, the malware deployed a Node.js-based stealer, collecting saved credentials, browsing history, and digital wallet data before exfiltrating the information via Telegram.

Attackers also used AsyncRAT and Quasar backdoors for remote access and deployed clipboard hijackers to replace copied Bitcoin addresses with their own.

Global impact & recommendations

GitVenom has been active for over two years, with infection attempts recorded globally, particularly in Russia, Brazil, and Turkey.

Kaspersky advises developers to carefully review GitHub repositories before integrating code, as attackers now use AI-generated README files and fake reviews to create a false sense of legitimacy.
