Current Date: April 4, 2025

Hackers Are Using Fake GitHub Code to Steal Your Bitcoin: Kaspersky

Beware of GitHub’s Hidden Threats to Your Cryptocurrency

The code you pick up on GitHub to build new applications or to patch existing bugs could be exploited to steal your Bitcoin (BTC) or other cryptocurrency holdings, according to a recent report by Kaspersky. GitHub has become a favored platform among developers of all backgrounds, particularly those focused on cryptocurrency projects, where even a simple application can generate significant revenue.

Kaspersky’s report has raised alarms about a malicious campaign dubbed “GitVenom,” which has been active for over two years and is witnessing a troubling increase in activity. This campaign involves embedding harmful code within seemingly legitimate projects on the widely-used code repository.

The attack begins with what appear to be trustworthy GitHub projects, such as applications designed to create Telegram bots for managing Bitcoin wallets or tools aimed at enhancing computer games. Each of these projects is accompanied by a well-crafted README file, often generated using AI, to instill confidence in potential users. However, the underlying code serves as a Trojan horse: in Python-based projects, attackers hide the malicious script behind an unusual run of roughly 2,000 tab characters, pushing the code that decrypts and executes the harmful payload out of view. In JavaScript projects, a rogue function is inserted into the main file to initiate the attack. Once activated, the malware retrieves additional tools from a hacker-controlled GitHub repository.

(A tab serves to organize code, enhancing readability by aligning lines. The payload refers to the essential part of a program that performs the intended function—or causes harm, in the case of malware.)

After the system is compromised, a series of harmful programs is activated to carry out the attack. A Node.js stealer can capture sensitive information including passwords, cryptocurrency wallet details, and browsing history, which are then bundled and transmitted via Telegram. Additionally, remote access trojans such as AsyncRAT and Quasar can take control of the victim’s device, logging keystrokes and capturing screenshots. A particularly insidious “clipper” function swaps copied wallet addresses for ones belonging to the hackers, redirecting funds to their accounts. Notably, one such wallet reportedly netted 5 BTC—equivalent to approximately $485,000 at the time—in November alone.

Having been active for at least two years, the GitVenom campaign has predominantly affected users in Russia, Brazil, and Turkey, though its impact is felt globally, as reported by Kaspersky. The attackers maintain a low profile by imitating genuine development activity and continuously varying their coding techniques to bypass antivirus detection.

How can users safeguard themselves against these threats? It is essential to scrutinize any code before executing it, verify the authenticity of the project, and maintain a healthy skepticism towards overly polished README files or inconsistent commit histories. Researchers do not anticipate these attacks will cease anytime soon, with Kaspersky concluding, “We expect these attempts to continue in the future, possibly with slight modifications in the tactics, techniques, and procedures (TTPs).”
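One practical form of the "scrutinize the code before executing it" advice above, aimed at the tab-padding trick described earlier: a small scanner that flags source lines where a long run of spaces or tabs separates visible code from further code on the same line, and notes whether that hidden tail references execution or decoding primitives. This is an added example written for this article, not code from Kaspersky or from the campaign; the sample file, the 200-character threshold and the keyword list are assumptions chosen for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines where code continues after a whitespace run at least this long are
# suspicious: an editor shows only the part before the padding. (assumed threshold)
MIN_RUN = 200

# Names commonly involved in decoding and running a hidden payload. (assumed list)
_RISKY = re.compile(r"\b(exec|eval|compile|__import__|b64decode|fromhex|urlopen|subprocess)\b")


@dataclass
class Finding:
    line_no: int    # 1-based line number in the scanned file
    run_len: int    # length of the whitespace run that hides the tail
    visible: str    # what an editor would show before the padding
    hidden: str     # first 60 characters of the code after the padding
    risky: bool     # hidden tail mentions an exec/eval/decode style primitive


def find_padded_lines(source: str, min_run: int = MIN_RUN) -> list[Finding]:
    """Return one Finding per line that hides code behind a long whitespace run."""
    # visible code, then >= min_run spaces/tabs, then more non-blank code to end of line
    pattern = re.compile(r"(\S.*?)([ \t]{%d,})(\S.*)$" % min_run)
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = pattern.search(line)
        if match is None:
            continue
        visible, padding, hidden = match.groups()
        findings.append(Finding(line_no, len(padding), visible, hidden[:60],
                                bool(_RISKY.search(hidden))))
    return findings


# Constructed sample: three ordinary lines, then a line whose visible part is
# "main();" followed by 2,000 tabs and an inert placeholder call (not a real payload).
SAMPLE = (
    "import json\n"
    "def main():\n"
    "    print('starting bot')\n"
    "main();" + "\t" * 2000 + "exec(decrypt(BLOB))  # constructed placeholder\n"
)

if __name__ == "__main__":
    for f in find_padded_lines(SAMPLE):
        flag = "RISKY" if f.risky else "review"
        print(f"line {f.line_no}: {f.run_len} hidden whitespace chars after {f.visible!r} [{flag}]")
        print(f"    hidden tail: {f.hidden!r}")
```

Run it over a cloned repository's `.py` files (reading each file into `find_padded_lines`) before executing anything from it; a hit is a reason to open the file in a hex or whitespace-rendering view rather than a normal editor.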
