Malicious Github Repositories Launch Stealth Assaults Against Cryptocurrency Wallets
Kaspersky’s GitVenom research exposes widespread abuse of GitHub through deceptive repositories whose code decrypts and launches hidden payloads.
Summary
• Kaspersky researchers discovered an attack vector on GitHub that exploits repositories to deliver malware targeting cryptocurrency wallets.
• The campaign, known as GitVenom, involves hundreds of GitHub projects claiming to provide tools for social media automation, wallet management, and game upgrades.
• The malicious code exists in Python, JavaScript, C, C++, and C# applications.
• Python-based repositories install packages such as cryptography and fernet before decrypting and launching an encrypted payload.
• JavaScript projects provide a function that decodes a Base64-encoded script and executes the malicious program.
Kaspersky researchers discovered an attack vector on GitHub that exploits repositories to deliver malware targeting cryptocurrency wallets.
The research uncovered a campaign known as GitVenom, in which threat actors constructed hundreds of GitHub projects claiming to provide tools for social media automation, wallet management, and even game upgrades.
Although these repositories were built to imitate authentic open-source projects, their code did not perform the advertised functions. Instead, it contained instructions for installing cryptographic libraries, downloading further payloads, and running covert scripts.
The harmful code exists in Python, JavaScript, C, C++, and C# applications. In Python-based repositories, the commands are padded with a long string of tab characters; they install packages such as cryptography and fernet before decrypting and launching an encrypted payload.
JavaScript projects provide a function that decodes a Base64-encoded script and executes the malicious program. Similarly, with C, C++, and C# projects, a hidden batch script within Visual Studio project files runs at build time. According to Kaspersky, each payload is set to retrieve additional components from an attacker-controlled GitHub repository.
These extra components include a Node.js stealer that captures stored passwords, digital wallet data, and browser history before archiving the data for exfiltration over Telegram.
Open-source tools such as the AsyncRAT implant and the Quasar backdoor are also used to provide remote access. A clipboard hijacker that watches for cryptocurrency wallet addresses and replaces them with attacker-controlled ones is also deployed.
The Attack Vector Isn’t New
The campaign has been active for some years, with some of its repositories dating back two years, and has produced infection attempts throughout the world. Telemetry data show that activity tied to GitVenom has been most common in Russia, Brazil, and Turkey.
Kaspersky researchers emphasized the significance of inspecting third-party code before execution, pointing out that open-source platforms, although necessary for collaborative development, may also serve as conduits for malware when repositories are altered to resemble real projects.
Developers should double-check the contents and activity of GitHub repositories before incorporating code into their applications. The report describes how these projects use artificial intelligence to inflate commit history and generate extensive README pages. Thus, when assessing a new repository, developers should look for overly verbose language, formulaic organization, and even residual AI prompts or answers in those places.
While using AI to help write a README file is not a red flag in and of itself, detecting it should prompt developers to do extra research before adopting the code. Looking for community interaction, reviews, and other projects that use the repository can help with this. However, the presence of fraudulent AI-generated reviews and social media postings complicates matters.
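As an added defender-side example (not code from the article or from Kaspersky), the script below turns the indicators described above (tab padding before commands, Base64 decode-then-execute, Fernet decryption of an embedded payload, build-time hooks in Visual Studio project files) into a static pre-adoption check a developer can run over a cloned repository. The rule names, regex thresholds and the sample files are this example's own assumptions.

```python
"""Offline scanner for the GitVenom-style indicators described above (rules are assumptions)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

RULES = [  # (rule name, file suffixes it applies to, pattern); heuristic, tune as needed
    # A long run of tabs pushing a command far to the right, off-screen in most editors.
    ("tab-padding", {".py", ".js"}, re.compile(r"\t{20,}\S")),
    # exec/eval/Function fed by a Base64 decoder on the same line.
    ("b64-exec", {".py", ".js"}, re.compile(
        r"(exec|eval|Function)\s*\(.*(b64decode|atob|Buffer\.from\([^)]*base64)", re.I)),
    # An embedded payload unwrapped with Fernet at run time.
    ("fernet-decrypt", {".py"}, re.compile(r"\bFernet\([^)]*\)\.decrypt\(")),
    # Pre/post-build events in Visual Studio projects that launch a shell or batch file.
    ("build-event", {".csproj", ".vcxproj"}, re.compile(
        r"<(Pre|Post)BuildEvent>.*?(cmd|powershell|\.bat|\.cmd)", re.I | re.S)),
]

def scan_text(text: str, suffix: str) -> List[str]:
    """Return the names of the rules that fire on one file's contents."""
    return [name for name, suffixes, pat in RULES
            if suffix in suffixes and pat.search(text)]

def scan_repo(root: Path) -> Dict[str, List[str]]:
    """Walk a checked-out repository and map each flagged file to its rule hits."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and any(path.suffix in s for _, s, _ in RULES):
            hits = scan_text(path.read_text(errors="replace"), path.suffix)
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings

# Constructed sample files imitating the indicators; none of this is real GitVenom code.
SAMPLES = {
    "bot.py": "def run():\n    pass" + "\t" * 60 + "import os; os.system('pip install fernet')\n",
    "loader.py": "from cryptography.fernet import Fernet\nexec(Fernet(key).decrypt(blob))\n",
    "index.js": "const run = () => eval(Buffer.from(blob, 'base64').toString());\n",
    "Tool.csproj": "<Project><PreBuildEvent>cmd /c helper.bat</PreBuildEvent></Project>\n",
    "clean.py": "import requests\n\ndef fetch(url):\n    return requests.get(url).text\n",
}

def demo() -> Dict[str, List[str]]:
    # Write the samples into a temporary directory, scan it and return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLES.items():
            (root / name).write_text(body)
        return scan_repo(root)
```

Run `demo()` to see the four constructed files flagged and `clean.py` pass; point `scan_repo()` at a real clone to triage it the same way before building or installing anything from it.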