GitHub Malware Scam Exposed: Hackers Target Crypto Users Worldwide
Hackers are using fake GitHub projects to distribute malware and compromise cryptocurrency wallets, cybersecurity firm Kaspersky warns.
Kaspersky has uncovered a sophisticated malware campaign in which cybercriminals create deceptive GitHub repositories to steal cryptocurrency and sensitive user information. Dubbed “GitVenom,” the attack lures users into downloading malicious software capable of draining cryptocurrency wallets and capturing login credentials.
Hackers Exploiting GitHub Users
In a report published on Feb. 24, Kaspersky analyst Georgy Kucherin detailed how hackers have uploaded hundreds of fake GitHub projects. These repositories mimic legitimate software but instead contain various types of malware, including remote access trojans (RATs), info-stealers, and clipboard hijackers.
Some of these fraudulent projects claim to offer useful tools, such as Telegram bots for managing Bitcoin wallets or automation software for Instagram. However, behind these seemingly legitimate descriptions lies dangerous malware designed to infect user systems and extract valuable data.
Deceptive Tactics Used by Hackers
Kaspersky’s research reveals that the attackers took significant steps to make their fake projects appear credible. They included detailed instruction files, likely generated with AI tools, that explain how the supposed software functions, giving the illusion of an authentic and well-maintained project.
To further deceive potential victims, the hackers artificially inflated the number of “commits”—modifications made to the repository—to simulate an active development process. They also added timestamp files that were updated every few minutes, so the repositories appeared to be under continuous development.
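Padded histories of this kind leave a measurable signature: most commits touch a single file, and the gaps between them are short and regular. The following script is an added example (not part of the Kaspersky report or the article) that parses the output of `git log --name-only --pretty=format:'%H|%at|%an'` from a cloned repository and flags that pattern. The two logs embedded in it are constructed for the example, and the thresholds (80% single-file commits, a median interval of ten minutes or less) are illustrative assumptions rather than values from the report.

```python
"""Triage a cloned repository's commit history for padded, bot-like activity:
many commits at fixed intervals that each touch only one file.

Feed analyze_git_log() the output of
    git log --name-only --pretty=format:'%H|%at|%an'
run inside the clone.  Both logs below are constructed for this example.
"""
import re
import statistics
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^([0-9a-f]{7,40})\|(\d+)\|(.*)$")


@dataclass
class Commit:
    sha: str
    timestamp: int  # unix seconds (%at)
    author: str
    files: list = field(default_factory=list)


def parse_git_log(text):
    """Any non-blank line that is not a header is a path belonging to the most
    recent commit, so the parser does not depend on where git places blank lines."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            commits.append(Commit(m.group(1), int(m.group(2)), m.group(3)))
        elif commits:
            commits[-1].files.append(line)
    return commits


def analyze_git_log(text, max_interval_s=600, min_single_file_ratio=0.8):
    """Flag histories where most commits change only one 'hot' file and the
    median gap between commits is short enough to be a scheduled job.
    Thresholds are example values (assumption), not figures from the report."""
    commits = parse_git_log(text)
    report = {"commits": len(commits),
              "authors": len({c.author for c in commits}),
              "suspicious": False, "reasons": []}
    if len(commits) < 2:
        return report
    counts = {}
    for c in commits:
        for path in dict.fromkeys(c.files):  # de-duplicate, keep order
            counts[path] = counts.get(path, 0) + 1
    hot_file = max(counts, key=counts.get)
    single = sum(1 for c in commits if c.files == [hot_file])
    ts = sorted(c.timestamp for c in commits)
    median_gap = statistics.median(b - a for a, b in zip(ts, ts[1:]))
    report.update(hot_file=hot_file, single_file_commits=single,
                  single_file_ratio=single / len(commits),
                  median_interval_s=median_gap)
    if report["single_file_ratio"] >= min_single_file_ratio:
        report["reasons"].append(f"{single}/{len(commits)} commits change only {hot_file}")
    if median_gap <= max_interval_s:
        report["reasons"].append(f"median commit interval is {median_gap:.0f}s")
    report["suspicious"] = bool(report["reasons"])
    return report


# Constructed: five bot commits 120 s apart touching only timestamp.txt,
# stacked on one human commit that added the real files.
PADDED_LOG = """\
6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f|1732000600|dev-bot

timestamp.txt
5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e|1732000480|dev-bot

timestamp.txt
4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d|1732000360|dev-bot

timestamp.txt
3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c|1732000240|dev-bot

timestamp.txt
2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b|1732000120|dev-bot

timestamp.txt
1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a|1732000000|maintainer

README.md
main.py
requirements.txt
"""

# Constructed: ordinary development, commits a day apart touching several files.
ORGANIC_LOG = """\
9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a9a|1732172800|alice

src/wallet.py
tests/test_wallet.py
8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b|1732086400|bob

src/cli.py
README.md
7c7c7c7c7c7c7c7c7c7c7c7c7c7c7c7c7c7c7c7c|1732000000|alice

src/wallet.py
src/cli.py
"""

if __name__ == "__main__":
    for name, log in (("padded", PADDED_LOG), ("organic", ORGANIC_LOG)):
        r = analyze_git_log(log)
        print(name, "suspicious" if r["suspicious"] else "ok", r["reasons"])
```

A high commit count on its own says nothing; the useful signals are the share of commits that modify one file and the regularity of the intervals, both of which a human project rarely shows.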
“Clearly, when creating these fake projects, the actors went to great lengths to make the repositories appear legitimate to potential targets,” Kucherin stated.
How the Malware Attack Works
Once installed, these fraudulent applications do not perform the advertised functions. Instead, they deploy malicious payloads that discreetly collect sensitive data, including stored login credentials, cryptocurrency wallet information, and browsing history.
The stolen data is then transmitted to the hackers via the Telegram messaging platform. In addition, a clipboard hijacker component watches the clipboard for copied cryptocurrency wallet addresses and silently replaces them with attacker-controlled addresses, so that a victim who pastes an address into a wallet sends the funds to the attackers instead.
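A clipboard hijacker does not need to understand wallets; it only needs to recognise address-shaped text and swap it for a lookalike of the same kind, which is why the substitution is easy to miss. The script below is an added example (not code from the article, the report or the malware) that simulates that substitution with shape-only regexes for Bitcoin Base58, Bitcoin bech32 and Ethereum addresses, and shows the defensive check a sending script should make: compare the pasted address in full against the one taken from a trusted source. All addresses in it are constructed and deliberately not valid checksummed addresses.

```python
"""Address substitution as a clipboard hijacker performs it, and the check
that catches it.  All addresses are constructed for this example."""
import re

# Patterns a hijacker keys on: Bitcoin Base58 (legacy/P2SH), Bitcoin bech32,
# and Ethereum hex addresses.  They test shape only, not checksums, which is
# all the malicious component needs in order to pick its targets.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed addresses: correct shape, not real wallets, not valid checksums.
INTENDED = {
    "btc_bech32": "bc1qexample" + "0" * 30,
    "eth": "0x" + "ab" * 20,
}
ATTACKER = {
    "btc_bech32": "bc1qattacker" + "0" * 29,
    "eth": "0x" + "cd" * 20,
}


def find_addresses(text):
    """Return [(kind, address), ...] for every address-shaped token in text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((kind, m.group(0)))
    return found


def hijack_clipboard(text, attacker):
    """Simulate the malicious component: replace each recognised address with
    the attacker's address of the same kind and leave everything else intact,
    so the pasted text still looks like what the victim copied."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if kind in attacker:
            text = pattern.sub(attacker[kind], text)
    return text


def paste_is_tampered(intended, pasted):
    """Defensive check for a sending script: the pasted address must equal the
    one obtained from a trusted source (invoice, QR code, saved contact),
    compared in full rather than by glancing at the first and last characters."""
    return pasted.strip() != intended.strip()


def demo():
    clipboard = (f"Pay invoice #1042 to {INTENDED['btc_bech32']} "
                 f"or {INTENDED['eth']} within 15 minutes.")
    tampered = hijack_clipboard(clipboard, ATTACKER)
    pasted = dict(find_addresses(tampered))  # kind -> address actually pasted
    return {
        "original": clipboard,
        "tampered": tampered,
        "btc_tampered": paste_is_tampered(INTENDED["btc_bech32"], pasted["btc_bech32"]),
        "eth_tampered": paste_is_tampered(INTENDED["eth"], pasted["eth"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same regex set is useful on the defensive side: the hijacker's own binary has to carry patterns of this shape, so they make a reasonable starting point when triaging a suspicious sample.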
Kaspersky’s investigation found that the GitVenom campaign has been active for at least two years, with victims recorded globally. However, infection rates appear particularly high in Russia, Brazil, and Turkey. One notable case involved a victim who lost 5 Bitcoin—approximately $442,000—in a single incident in November 2024.
How to Protect Your Data
Kaspersky warns that with millions of developers relying on GitHub daily, similar attacks are likely to persist. To avoid falling victim to such schemes, users should:
- Carefully verify the source and reputation of GitHub projects before downloading.
- Avoid installing third-party software without confirming its legitimacy.
- Use reputable antivirus software to detect and prevent malware infections.
- Regularly update passwords and enable two-factor authentication (2FA) for cryptocurrency wallets and online accounts.
The GitVenom campaign highlights the growing cybersecurity risks facing the cryptocurrency community. Kaspersky anticipates that such operations will continue and evolve, potentially with more advanced tactics, so users must stay vigilant and follow basic security practices: treat code from unfamiliar repositories as untrusted until it has been reviewed, and verify every wallet address before sending funds.
