GitVenom: Crypto Wallets Under Siege via Malicious GitHub Repos

Generated by AI AgentCoin World
Wednesday, Feb 26, 2025 12:03 pm ET

Researchers at Kaspersky have uncovered a sophisticated attack campaign, dubbed GitVenom, targeting crypto wallets through malicious GitHub repositories. The campaign, active for several years, has created hundreds of repositories purporting to offer utilities for social media automation, wallet management, and gaming enhancements. However, these repositories contain hidden malicious code that installs cryptographic libraries, downloads additional payloads, and executes hidden scripts.

The malicious code is embedded in projects written in various programming languages, including Python, JavaScript, C, C++, and C#. In Python-based repositories, a lengthy sequence of tab characters precedes commands that install packages like cryptography and fernet, ultimately decrypting and running an encrypted payload. JavaScript projects incorporate a function that decodes a Base64-encoded script, triggering the malicious routine. Similarly, in projects using C, C++, and C#, a concealed batch script within Visual Studio project files activates at build time. Each payload is configured to fetch further components from an attacker-controlled GitHub repository.
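The three hiding techniques described above (off-screen tab padding in Python, Base64 decode-then-execute in JavaScript, and build-time events in Visual Studio project files) can be flagged mechanically before a repository is run or built. The scanner below is an added example written for this article, not code from Kaspersky or from the campaign; the sample files are constructed and the regexes are assumptions about what such a check should look for.

```python
import re

# Constructed sample files mimicking the three concealment patterns the report describes.
SAMPLES = {
    "tool.py": "import os\n" + "\t" * 60
               + "import subprocess; subprocess.run(['pip', 'install', 'cryptography', 'fernet'])\n",
    "app.js": "function init(){ const s = Buffer.from('aGVsbG8=', 'base64').toString(); eval(s); }\n",
    "app.csproj": "<Project>\n  <PropertyGroup>\n"
                  "    <PreBuildEvent>cmd /c hidden.bat</PreBuildEvent>\n  </PropertyGroup>\n</Project>\n",
    "clean.py": "def add(a, b):\n    return a + b\n",
}

# Python: a long run of tabs pushes real code past the visible edge of most editors/diff views.
TAB_RUN = re.compile(r"^\t{20,}\S")
# JavaScript: a Base64 decode followed (within a short window) by eval()/new Function().
JS_DECODE_EXEC = re.compile(
    r"(atob\(|Buffer\.from\([^)]*['\"]base64['\"])[\s\S]{0,200}?(eval\(|new Function\()"
)
# MSBuild: pre/post-build events or Exec tasks run arbitrary commands when the project is built.
MSBUILD_EVENT = re.compile(r"<(PreBuildEvent|PostBuildEvent|Exec)\b", re.I)


def scan_file(name, text):
    """Return a list of (rule, line_no) findings for one file's contents."""
    findings = []
    for i, line in enumerate(text.splitlines(), 1):
        if name.endswith(".py") and TAB_RUN.match(line):
            findings.append(("python_tab_padding", i))
        if name.endswith((".csproj", ".vcxproj")) and MSBUILD_EVENT.search(line):
            findings.append(("msbuild_build_event", i))
    if name.endswith(".js"):
        for m in JS_DECODE_EXEC.finditer(text):
            findings.append(("js_base64_decode_exec", text.count("\n", 0, m.start()) + 1))
    return findings


def scan_repo(files):
    """Map each file name that produced findings to its findings; clean files are omitted."""
    report = {}
    for name, text in files.items():
        hits = scan_file(name, text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_repo(SAMPLES).items():
        print(name, hits)
```

A hit is a reason to open the file and read what the padded or decoded code actually does, not proof of compromise; legitimate projects also use build events and Base64.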

These additional components include a Node.js stealer that collects saved credentials, digital wallet data, and browsing history before packaging the information into an archive for exfiltration via Telegram. Open-source tools such as the AsyncRAT implant and the Quasar backdoor provide remote access, and a clipboard hijacker scans the clipboard for crypto wallet addresses and replaces them with addresses controlled by the attackers.

The campaign has triggered infection attempts worldwide, with the most prominent attempts linked to GitVenom occurring in Russia, Brazil, and Turkey. Kaspersky researchers stressed the importance of scrutinizing third-party code before execution, noting that open-source platforms, while essential to collaborative development, can also serve as conduits for malware when repositories are manipulated to mimic authentic projects. Developers are advised to double-check the contents and activity of GitHub repositories before integrating code into their projects.

The report outlines that these projects use AI to artificially inflate commit histories and craft detailed README files. Thus, when reviewing a new repo, developers should check for overly verbose language, formulaic structure, and even leftover AI instructions or responses in these areas. While using AI to help craft a README file is not a red flag in itself, identifying it should spur developers to investigate further before using the code. Looking for community engagement, reviews, and other projects using the repo may aid with this. However, fake AI-generated reviews and social media
