GitVenom Attack: Hackers Use AI-Generated Fake GitHub Projects to Steal Crypto
Cybersecurity firm Kaspersky has uncovered a large-scale malware campaign in which hackers are creating hundreds of fraudulent GitHub repositories to trick users into downloading credential-stealing and cryptocurrency-targeting malware.
In a February 24 report, Kaspersky analyst Georgy Kucherin detailed the operation, dubbed “GitVenom.” According to the findings, threat actors have been masquerading as legitimate developers, setting up repositories that appear to offer useful software but instead deliver remote access trojans (RATs), info stealers, and clipboard hijackers.
Among the deceptive projects are a supposed Telegram bot for managing Bitcoin wallets and a tool designed to automate Instagram account interactions.
Hackers Use AI and Fake Activity to Appear Legitimate
Kaspersky’s investigation revealed that the bad actors invested significant effort into making these fake projects appear authentic. They provided well-structured documentation and instruction files, which may have been generated using AI tools to enhance credibility.
Additionally, the hackers manipulated GitHub’s activity metrics by artificially increasing commit counts—a tactic meant to convince potential victims that the repositories were active and undergoing regular development.
“To achieve this, they placed a timestamp file in the repositories, which was updated every few minutes,” Kucherin explained. “Clearly, in designing these fake projects, the actors went to great lengths to make the repositories appear legitimate to potential targets.”
Despite their professional appearance, these repositories lacked any functional software and only executed meaningless tasks when downloaded.
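As an added illustration (not code from the Kaspersky report or from this article), the check below looks for the commit-padding pattern described above when reviewing a repository's history: a large share of commits that each touch only one file, on a machine-regular schedule. It assumes the history was exported with `git log --date=unix --pretty=format:'%H %ad' --name-only`; the sample log, the file name `timestamp.txt` and the thresholds are constructed assumptions.

```python
import statistics
from collections import Counter

# Constructed sample of `git log --date=unix --pretty=format:'%H %ad' --name-only`:
# per commit a header line (hash, unix timestamp), the touched paths, then a blank line.
# Ten commits touch only "timestamp.txt" at an exact 300-second cadence, plus one real commit.
SAMPLE_LOG = "\n".join(
    [f"{i:040x} {1700000000 + i * 300}\ntimestamp.txt\n" for i in range(10)]
    + ["a" * 40 + " 1699990000\nbot.py\nREADME.md\n"]
)


def parse_log(text):
    """Return [(unix_ts, [paths]), ...], one entry per commit block."""
    commits = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().split("\n")
        _sha, ts = lines[0].split()
        commits.append((int(ts), lines[1:]))
    return commits


def assess_commit_inflation(commits, min_commits=10, min_ratio=0.8, max_cv=0.25):
    """Flag a history dominated by single-file commits to one path at a steady cadence.
    The thresholds are assumed defaults, not values from the report; tune them."""
    if not commits:
        return {"suspicious": False, "reason": "no commits"}
    single = [(ts, paths[0]) for ts, paths in commits if len(paths) == 1]
    if not single:
        return {"suspicious": False, "reason": "no single-file commits"}
    path, count = Counter(p for _, p in single).most_common(1)[0]
    ratio = count / len(commits)
    times = sorted(ts for ts, p in single if p == path)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    # Coefficient of variation of the gaps: near 0 means a machine-regular schedule.
    cv = None
    if len(gaps) > 1 and statistics.mean(gaps) > 0:
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    suspicious = count >= min_commits and ratio >= min_ratio and cv is not None and cv <= max_cv
    return {"suspicious": suspicious, "padding_path": path, "padding_commits": count,
            "padding_ratio": ratio, "interval_cv": cv}


if __name__ == "__main__":
    print(assess_commit_inflation(parse_log(SAMPLE_LOG)))
```

A positive result is a prompt to read the repository's actual code and its real commits, not proof of malice; projects with a legitimate bot that bumps a version or build file can look similar.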
A Widespread and Ongoing Attack
During its analysis, Kaspersky discovered that some of these fraudulent projects date back at least two years, suggesting that this infection method has been effectively deceiving users for a significant period.
Regardless of how the projects were presented, all of them contained hidden malicious payloads that, once installed, extracted sensitive data, including saved credentials, cryptocurrency wallet details, and browser history. The stolen data was then transmitted to the hackers via Telegram.
Another dangerous feature of the malware is a clipboard hijacker, which detects crypto wallet addresses copied by the user and silently replaces them with the attacker’s address—potentially leading to stolen funds.
One confirmed victim fell prey to this tactic in November, when a hacker-controlled wallet received 5 Bitcoin (worth approximately $442,000 at the time).
Global Threat with a Focus on Russia, Brazil, and Turkey
The GitVenom campaign has been observed worldwide, but Kaspersky noted a higher concentration of infections in Russia, Brazil, and Turkey.
Kucherin warned that code-sharing platforms like GitHub will continue to be exploited by cybercriminals, as they provide easy access to a vast pool of potential victims.
To mitigate the risk, users must carefully scrutinize any third-party code before downloading and verify its authenticity.
While Kaspersky expects these malicious campaigns to continue, they anticipate that hackers will evolve their tactics, making small but effective changes to evade detection.
Zeynep Öztürk, born in 1994 in Mardin, is a journalist, writer, and SEO expert. She specializes in digital media and content strategies. With experience in news writing and SEO optimization, she creates content that reaches a wide audience.