Hackers Exploit Fake GitHub Code to Steal Bitcoin, Warns Kaspersky

Cybercriminals are using deceptive GitHub projects to target Bitcoin users, according to Kaspersky.

Mar 4, 2025 - 15:43
Mar 27, 2025 - 16:18

Cybercriminals are using deceptive GitHub projects to target Bitcoin users, according to Kaspersky. These attacks typically begin with repositories that look legitimate, such as Telegram bots for managing Bitcoin wallets or tools for computer games.

Key Points:

  • Kaspersky's Monday report warns of the "GitVenom" campaign, active for at least two years and increasing in frequency.
  • Hackers use fake GitHub projects, such as Telegram bots for Bitcoin wallets or gaming tools, to deploy attacks.
  • In one case, an attacker-controlled wallet received 5 BTC (worth about $485,000 at the time) in November alone through this scheme.

The GitHub code you rely on to develop a new application or fix bugs could be a trap designed to steal your Bitcoin (BTC) or other crypto assets, warns a recent Kaspersky report.

GitHub is widely used by developers, especially in the crypto space, where even a simple application has the potential to generate millions in revenue.

Kaspersky's report warns of the growing "GitVenom" campaign, which has been running for at least two years and works by embedding malicious code in fake GitHub projects.

These attacks begin with seemingly legitimate repositories, such as Telegram bots for Bitcoin wallet management or gaming tools.

To build trust, each project includes a well-crafted README file, often AI-generated. The code itself is a Trojan horse. In Python-based projects, the attackers pad a line with roughly 2,000 tab characters so that the malicious statement sits far beyond the visible edge of an editor window; once the file runs, that statement decrypts and executes the real payload.

In JavaScript-based projects, the attackers place a rogue function in the main file. When it runs, it starts the infection by downloading additional malicious components from a separate GitHub repository under the attackers' control.

(A tab is a whitespace character used to indent and align code; a payload is the part of a program that does the actual work, which in malware means the harmful component.)
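Both loader tricks described above, a statement pushed past the visible edge of the editor by a long whitespace run and a decode or decrypt step feeding exec/eval, can be screened for mechanically before any code is run. The scanner below is an added example written for this article; it is not code from Kaspersky's report or from any GitVenom repository. Its thresholds (200 leading whitespace characters, 8 consecutive tabs inside a line), its decode/exec regular expressions and the three sample files it scans are this editor's constructed assumptions, chosen to illustrate the technique rather than to reproduce Kaspersky's detection logic.

```python
"""Static triage for two loader tricks: code hidden behind a long whitespace
run, and a decode/decrypt step feeding exec/eval.  Added example; thresholds
and patterns are assumptions for illustration, not Kaspersky's criteria."""
import re
from dataclasses import dataclass

MAX_LEADING_WS = 200     # assumption: no real code is indented this deep
MAX_INNER_TAB_RUN = 8    # assumption: a run of tabs mid-line hides what follows

# Assumed indicators of a "decode then execute" loader in each language.
PY_DECODE = re.compile(r"\b(b64decode|a85decode|decompress|Fernet|decrypt)\s*\(")
PY_EXEC = re.compile(r"\b(exec|eval|__import__)\s*\(")
JS_DECODE = re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)|\batob\s*\(")
JS_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|child_process|\bexecSync\s*\(")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int          # 0 means a file-level finding
    reason: str


def _tab_run(s):
    """Length of the longest run of consecutive tab characters in s."""
    return max((len(r) for r in re.findall(r"\t+", s)), default=0)


def scan_source(path, text):
    """Return a list of Finding for one file; an empty list means nothing flagged."""
    is_js = path.endswith((".js", ".mjs", ".cjs", ".ts"))
    decode_re, exec_re = (JS_DECODE, JS_EXEC) if is_js else (PY_DECODE, PY_EXEC)
    findings = []
    saw_decode = saw_exec = False
    for n, line in enumerate(text.splitlines(), 1):
        body = line.lstrip(" \t")
        if not body:
            continue
        lead = len(line) - len(body)
        if lead > MAX_LEADING_WS:
            findings.append(Finding(path, n, f"code after {lead} leading whitespace chars"))
        run = _tab_run(body)
        if run >= MAX_INNER_TAB_RUN:
            findings.append(Finding(path, n, f"{run} consecutive tabs inside a line"))
        has_decode = bool(decode_re.search(body))
        has_exec = bool(exec_re.search(body))
        saw_decode |= has_decode
        saw_exec |= has_exec
        if has_decode and has_exec:
            findings.append(Finding(path, n, "decode/decrypt and exec on the same line"))
    # Decode and exec split across lines still count, once per file.
    if saw_decode and saw_exec and not any("same line" in f.reason for f in findings):
        findings.append(Finding(path, 0, "file decodes data and also calls exec/eval"))
    return findings


def scan_files(files):
    """files: {path: source text}. Returns only the paths that produced findings."""
    out = {}
    for path, text in files.items():
        found = scan_source(path, text)
        if found:
            out[path] = found
    return out


# Constructed samples (not real GitVenom code): a "wallet bot" whose last line is
# pushed past column 2000, a JS entry point whose decode and eval are on different
# lines, and a clean file for contrast.
SAMPLE_PY = (
    "import base64, zlib\n"
    "TOKEN = 'telegram-bot-token'\n"
    "\n"
    "def start():\n"
    "    print('wallet bot ready')\n"
    "\n"
    + "\t" * 2000 + "exec(zlib.decompress(base64.b64decode(BLOB)))\n"
)
SAMPLE_JS = (
    "const cfg = require('./config');\n"
    "function init() {\n"
    "  const code = Buffer.from(cfg.blob, 'base64').toString();\n"
    "  eval(code);\n"
    "}\n"
    "module.exports = { init };\n"
)
CLEAN_PY = (
    "import json\n"
    "\n"
    "def load(path):\n"
    "    with open(path) as fh:\n"
    "        return json.load(fh)\n"
)

if __name__ == "__main__":
    samples = {"bot.py": SAMPLE_PY, "index.js": SAMPLE_JS, "util.py": CLEAN_PY}
    for path, found in scan_files(samples).items():
        for f in found:
            print(f"{f.path}:{f.line}: {f.reason}")
```

A hit is a reason to open the flagged line in a viewer that renders whitespace and read what follows it, not proof of malice: a legitimate project can decode data and call eval, so the scanner is a triage step before manual review, not a verdict.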

Once a system is infected, several components run together. A Node.js stealer collects saved passwords, crypto wallet data and browsing history and sends them to the attackers over Telegram, while remote access trojans (RATs) such as AsyncRAT and Quasar give the attackers control of the device, logging keystrokes and capturing screenshots.

Additionally, a "clipper" component watches the clipboard and silently replaces any copied crypto wallet address with one the attackers control, so funds that a victim pastes and sends go to the attacker instead. In one case, such an attacker-controlled wallet received 5 BTC (worth about $485,000 at the time) in November alone.

The GitVenom campaign has been active for over two years, primarily affecting users in Russia, Brazil, and Turkey, though its impact is global, according to Kaspersky.

To remain undetected, the attackers keep the repositories looking actively maintained and frequently change how the malicious code is written and hidden in order to evade security software.

How to Stay Safe:

  • Examine Code Carefully: Always review any open-source code before running it.
  • Verify Project Legitimacy: Check the contributors, commit history, and feedback from the community.
  • Be Wary of Suspicious READMEs: AI-generated or overly polished documentation, especially when it does not match the amount or quality of the code, may indicate a deceptive project.

Future Threats:

Kaspersky warns that GitVenom attacks are likely to continue, with hackers refining their tactics to avoid detection.
