GitVenom crypto-theft campaign exploits GitHub repositories

March 21, 2025
GitVenom Crypto Theft Cryptocurrency GitHub Malware RAT

The newly identified GitVenom malware campaign uses hundreds of GitHub repositories to trick users into downloading information stealers, remote access trojans (RATs), and clipboard hijackers to steal cryptocurrency and credentials.

The malware has been active for at least two years. It targets users worldwide, especially individuals based in Russia, Brazil, and Turkey.

Based on reports, the threat actors behind the GitVenom campaign have created hundreds of GitHub repositories containing fake projects with malicious code. Some confirmed projects include an automation instrument for interacting with Instagram accounts, a hacking tool for the video game Valorant, and a Telegram bot for managing Bitcoin wallets.

The researchers note that the bogus repositories are well built, with descriptive and well-written README files, most likely generated with AI tools.

The threat actors also artificially inflate the number of commits in those repositories, creating a false impression of active development and lending the projects a positive reputation.

The GitVenom malware on GitHub projects is a versatile payload.

According to investigations, numerous repositories linked to the GitVenom campaign have been injected with malicious code. The projects vary widely, and the injected code is written in several languages, including Python, JavaScript, C, C++, and C#.

The threat actors used different languages to avoid detection by specific code-review tools or procedures. Once the victim executes the project, the injected code downloads the second-stage payload from an attacker-controlled GitHub repository.

The researchers also noted that the tools deployed in GitVenom include a Node.js information stealer, AsyncRAT, the Quasar backdoor, and a clipboard hijacker.

One of the most notable impacts of the campaign came in November last year, when an attacker-controlled Bitcoin wallet received 5 BTC, worth half a million USD.

Although hiding malware in GitHub projects disguised as genuine software, or even as proof-of-concept (PoC) exploit code, is not a new strategy, the GitVenom campaign’s longevity and scale show that abuse of legitimate platforms remains highly effective.

Users should thoroughly verify a project before running any of its files. Useful checks include analysing the repository contents, scanning downloaded files with antivirus software, and executing them only in an isolated environment.
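As an added defensive example (not code from the report or from the campaign), the script below implements two of the repository checks this article suggests: a heuristic for the padded commit history described earlier, fed by `git log --reverse --format='%at|%an|%s'` output, and a scan for long base64 literals that a source file decodes and executes. Both inputs are constructed samples embedded inline; the thresholds (`burst_gap`, `threshold`, the 80-character blob length) are assumptions to tune per repository.

```python
import base64
import re
from collections import Counter

# Constructed sample of `git log --reverse --format='%at|%an|%s'` output (oldest first).
# Not from any real GitVenom repository: one genuine-looking change followed by a burst
# of near-identical filler commits, the padding pattern the article describes.
SAMPLE_LOG = "\n".join(
    ["1700000000|dev|Add Instagram session helper"]
    + [f"{1700000000 + 60 * i}|dev|Update README.md" for i in range(1, 40)]
)

# Constructed stand-in for an injected loader: a long base64 literal that is decoded and
# passed to exec(). The blob only encodes placeholder text and is not a real payload.
SAMPLE_SOURCE = (
    "import base64\n"
    f'blob = "{base64.b64encode(b"placeholder text, not a payload " * 6).decode()}"\n'
    "exec(base64.b64decode(blob))\n"
)

def parse_log(text):
    """Parse `%at|%an|%s` lines into (timestamp, author, subject) tuples."""
    return [(int(t), a, s) for t, a, s in (line.split("|", 2) for line in text.splitlines())]

def commit_inflation_report(commits, burst_gap=120, threshold=0.6):
    """Flag a padded history: one subject dominates and most commits land within
    `burst_gap` seconds of the previous one (humans rarely commit like that)."""
    total = len(commits)
    top_subject, top_count = Counter(s for _, _, s in commits).most_common(1)[0]
    gaps = [b[0] - a[0] for a, b in zip(commits, commits[1:])]
    burst_ratio = sum(g <= burst_gap for g in gaps) / max(len(gaps), 1)
    repeat_ratio = top_count / total
    return {"total": total, "top_subject": top_subject,
            "repeat_ratio": repeat_ratio, "burst_ratio": burst_ratio,
            "suspicious": repeat_ratio >= threshold and burst_ratio >= threshold}

BLOB_RE = re.compile(r'["\']([A-Za-z0-9+/]{80,}={0,2})["\']')
EXEC_RE = re.compile(r"\b(exec|eval|subprocess|os\.system)\b")

def find_encoded_stages(source):
    """Return base64-looking literals of 80+ chars in `source`, plus whether the file
    also calls something that would run decoded content (exec/eval/subprocess)."""
    blobs = BLOB_RE.findall(source)
    return {"blob_count": len(blobs), "longest_blob": max(map(len, blobs), default=0),
            "executes_decoded": bool(blobs) and bool(EXEC_RE.search(source))}

if __name__ == "__main__":
    print(commit_inflation_report(parse_log(SAMPLE_LOG)))
    print(find_encoded_stages(SAMPLE_SOURCE))
```

A hit from either check is a reason to read the code by hand and run it only in a sandbox, not proof of malice on its own.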
