Kaspersky researchers have identified an attack vector on GitHub that uses repositories to distribute code that targets crypto wallets.
The investigation revealed a campaign dubbed GitVenom, in which threat actors created hundreds of GitHub repositories purporting to offer utilities for social media automation, wallet management, and even gaming enhancements.
Although these repositories were designed to resemble legitimate open-source projects, their code failed to deliver the advertised functions. Instead, it embedded instructions to install cryptographic libraries, download additional payloads, and execute hidden scripts.
GitVenom repos
The malicious code appears across Python, JavaScript, C, C++, and C# projects. In Python-based repositories, a lengthy sequence of tab characters precedes commands that install packages like cryptography and fernet, ultimately decrypting and running an encrypted payload.
JavaScript projects incorporate a function that decodes a Base64-encoded script, triggering the malicious routine.
Similarly, in projects using C, C++, and C#, a concealed batch script within Visual Studio project files activates at build time. Per Kaspersky’s report, each payload is configured to fetch further components from an attacker-controlled GitHub repository.
These additional components include a Node.js stealer that collects saved credentials, digital wallet data, and browsing history before packaging the information into an archive for exfiltration via Telegram.
Open-source tools such as the AsyncRAT implant and the Quasar backdoor are also used to facilitate remote access. A clipboard hijacker that scans for crypto wallet addresses and replaces them with those controlled by the attackers is also used.
Attack vector is not new
The campaign, which has been active for several years with some repositories originating two years ago, has triggered infection attempts worldwide. Telemetry data indicate that attempts linked to GitVenom have been most prominent in Russia, Brazil, and Turkey.
Kaspersky researchers stressed the importance of scrutinizing third-party code before execution, noting that open-source platforms, while essential to collaborative development, can also serve as conduits for malware when repositories are manipulated to mimic authentic projects.
Developers are advised to double-check the contents and activity of GitHub repositories before integrating code into their projects.
The report outlines that these projects use AI to artificially inflate commit histories and craft detailed README files. Thus, when reviewing a new repo, developers should check for overly verbose language, formulaic structure, and even leftover AI instructions or responses in these areas.
While using AI to help craft a README file is not a red flag in itself, identifying it should spur developers to investigate further before using the code. Looking for community engagement, reviews, and other projects using the repo may aid with this. However, fake AI-generated reviews and social media posts also make this a tough challenge.
The post Malicious GitHub repositories deploying hidden attacks on crypto wallets appeared first on CryptoSlate.
