
Hackers Exploit GitHub with Fake Repositories to Target Crypto Users: Kaspersky

Van Thanh Le

Feb 27 2025


Sophisticated Malware Campaign Poses Growing Threat to Developers

A newly uncovered malware campaign dubbed GitVenom has exposed a sophisticated scheme in which hackers create fake GitHub repositories to distribute malicious software, targeting developers and cryptocurrency users. Researchers found that cybercriminals had deployed hundreds of fraudulent repositories designed to trick unsuspecting developers into downloading and executing malware. 

The primary objective behind the campaign is to harvest sensitive credentials, steal cryptocurrency, and gain remote access to compromised systems through a combination of remote access trojans (RATs), clipboard hijackers, and credential-stealing malware.

To enhance the illusion of legitimacy, attackers leverage AI-generated instruction files and artificially inflate commit histories, making their repositories appear active and well-maintained. A constantly updated timestamp file reinforces the false perception of ongoing development. 
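The padded commit history described above leaves a measurable trace: most commits touch a single file. The following heuristic, an added example and not Kaspersky's or the author's code, parses constructed `git log --pretty=format:'%H|%at|%s' --name-only` output (the file name `last_updated.txt` and the commit hashes are assumed sample values) and flags a repository whose history is dominated by one-file commits.

```python
"""Heuristic for artificially inflated commit histories (added example).

Input is the text of: git log --pretty=format:'%H|%at|%s' --name-only
Each commit is a header line (sha|epoch|subject) followed by touched paths.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

HEADER = re.compile(r"^([0-9a-f]{40})\|(\d+)\|(.*)$")


@dataclass
class Commit:
    sha: str
    epoch: int
    subject: str
    files: list = field(default_factory=list)


def parse_git_log(text: str) -> list:
    """Parse git log output into Commit objects; non-header lines are paths."""
    commits = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            commits.append(Commit(m.group(1), int(m.group(2)), m.group(3)))
        elif line.strip() and commits:
            commits[-1].files.append(line.strip())
    return commits


def padding_report(commits: list, threshold: float = 0.7):
    """Return (dominant_file or None, share) where share is the fraction of
    all commits that touch exactly one file and that file is the most common.
    dominant_file is only set when share reaches the threshold."""
    single = Counter(c.files[0] for c in commits if len(c.files) == 1)
    if not commits or not single:
        return None, 0.0
    path, n = single.most_common(1)[0]
    share = n / len(commits)
    return (path if share >= threshold else None), share


# Constructed sample: four "update" commits that only bump a timestamp file,
# plus one real commit. Hashes and file names are made up for the example.
SAMPLE_LOG = """\
0000000000000000000000000000000000000005|1738400000|update
last_updated.txt

0000000000000000000000000000000000000004|1738313600|update
last_updated.txt

0000000000000000000000000000000000000003|1738227200|update
last_updated.txt

0000000000000000000000000000000000000002|1738140800|update
last_updated.txt

0000000000000000000000000000000000000001|1738054400|initial commit
README.md
bot.py
"""

if __name__ == "__main__":
    dominant, share = padding_report(parse_git_log(SAMPLE_LOG))
    print(f"dominant single-file commit target: {dominant} ({share:.0%} of commits)")
```

A real repository is checked by piping its own `git log` output into `parse_git_log`; a high share is a signal to inspect, not proof of malice, since some legitimate bots also commit one file repeatedly.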

Several of these fake projects masquerade as open-source tools, including a Telegram bot for managing Bitcoin wallets and a utility for automating Instagram interactions. The deceptive presentation increases the likelihood that developers will trust and incorporate the infected code into their projects, unknowingly exposing their systems to severe security risks.

Once executed, the malware grants attackers full access to sensitive user data. Stolen information includes stored credentials, banking details, and crypto wallet data extracted from infected devices. Hackers also monitor browsing history to identify potential cryptocurrency transactions. One of the most alarming features of GitVenom is its clipboard hijacker, which replaces copied wallet addresses with those controlled by the attackers. 

This tactic ensures that victims unknowingly send funds to malicious actors rather than their intended recipients. The stolen data is then transmitted to hackers via Telegram, allowing them to operate discreetly and efficiently.

Kaspersky researchers tracking the campaign reported a confirmed case in which a single hacker-controlled Bitcoin wallet received 5 BTC—approximately $442,000 as of February 2025—from a victim in November 2024. The infection method has been in operation for at least two years, demonstrating its effectiveness in deceiving users. While the campaign has been detected worldwide, certain regions have been disproportionately affected, with high numbers of infections reported in Russia, Brazil, and Turkey.

The GitVenom campaign bears similarities to another malware variant, XCSSET, previously highlighted by Microsoft. That strain specifically targets macOS users by spreading through infected Xcode projects, reinforcing a broader trend of attackers focusing on software developers as an entry point for cyber intrusions.

Kaspersky warns that as millions of developers rely on GitHub for open-source projects, the risk remains high. Experts stress the importance of verifying third-party code before integration, ensuring that repositories come from trusted sources, and closely analyzing the behavior of any downloaded scripts.

Security analysts predict that while GitVenom’s tactics may evolve, its core methodology is unlikely to change. As cybercriminals refine their approach, software development communities must remain vigilant against emerging threats.

This article has been refined and enhanced by ChatGPT.

© 2017 - 2025 COIN360.com. All Rights Reserved.