Hackers Using Github to Steal Crypto—Malware Hidden in Open Source

6 hours ago

A recently uncovered cyber campaign known as GitVenom has been targeting GitHub users by embedding malicious code within seemingly legitimate open-source projects. Kaspersky researchers Georgy Kucherin and Joao Godinho identified the operation, in which cybercriminals create fraudulent repositories that mimic real software tools.

The researchers wrote:

Over the course of the GitVenom campaign, the threat actors behind it have created hundreds of repositories on GitHub that contain fake projects with malicious code – for example, an automation instrument for interacting with Instagram accounts, a Telegram bot allowing users to manage bitcoin wallets, and a hacking tool for the video game Valorant.

The attackers have gone to great lengths to make these repositories appear authentic, using AI-generated README.md files, adding multiple tags, and artificially inflating commit histories to enhance credibility.

The malicious code is embedded differently depending on the programming language used in the fake project. In Python repositories, the attackers conceal the payload behind long lines of whitespace followed by a script-decryption command. In JavaScript-based projects, they hide the malware inside a function that decodes and executes a Base64-encoded script. For C, C++, and C# projects, they place a hidden batch script in the Visual Studio project files, so the malware runs whenever the project is built.
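As an added illustration for defenders (this is example code written for this article, not tooling from Kaspersky or anything taken from the campaign), the following Python scanner turns the three concealment patterns just described into review heuristics and runs them over a small set of constructed repository files. Every path, file body and payload name below is made up for the demonstration; the thresholds (such as 200 characters of padding) are assumptions to tune for your own code base.

```python
"""Heuristic pre-build scanner for the concealment patterns described above.

Added example for this article, not Kaspersky's tooling. SAMPLE_REPO is a
constructed stand-in for a cloned repository; none of it is a real sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


# Rule 1 (Python): a run of whitespace long enough to push the rest of the
# statement past the visible edge of an editor, followed by more code. If that
# code calls an evaluator the finding is raised as the more serious rule.
_PY_PADDED = re.compile(r"[ \t]{200,}\S")          # 200 is an assumed threshold
_PY_EXEC_HINT = re.compile(r"\b(exec|eval|compile|__import__)\s*\(")

# Rule 2 (JavaScript): a Base64 decode within a few lines of eval/new Function.
_JS_B64 = re.compile(r"atob\s*\(|Buffer\.from\s*\([^)]*['\"]base64['\"]")
_JS_EVAL = re.compile(r"\beval\s*\(|new\s+Function\s*\(")

# Rule 3 (Visual Studio projects): build-event commands run with the developer's
# privileges as soon as the project is built, so every one is surfaced for
# review; those that hand off to a batch file or shell get the higher rule.
_VS_CMD = re.compile(r"<Command>|<Exec\s+Command=", re.I)
_VS_SHELL = re.compile(r"\.bat\b|\.cmd\b|cmd(\.exe)?\s*/c|powershell", re.I)
PROJECT_EXT = (".vcxproj", ".csproj", ".vbproj", ".props", ".targets")


def _snip(line: str) -> str:
    """Collapse padding so the reported snippet shows the hidden statement."""
    return re.sub(r"[ \t]{2,}", " ", line.strip())[:80]


def scan_file(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = text.splitlines()
    lower = path.lower()
    if lower.endswith(".py"):
        for i, line in enumerate(lines, 1):
            if _PY_PADDED.search(line):
                rule = "py-offscreen-exec" if _PY_EXEC_HINT.search(line) else "py-offscreen-code"
                findings.append(Finding(path, i, rule, _snip(line)))
    elif lower.endswith((".js", ".mjs", ".cjs", ".ts")):
        for i, line in enumerate(lines, 1):
            if _JS_EVAL.search(line):
                # Look at the surrounding lines (5 before, 5 after) for the decode.
                window = "\n".join(lines[max(0, i - 6): i + 5])
                if _JS_B64.search(window):
                    findings.append(Finding(path, i, "js-base64-eval", _snip(line)))
    elif lower.endswith(PROJECT_EXT):
        for i, line in enumerate(lines, 1):
            if _VS_CMD.search(line):
                rule = "vs-build-command-shell" if _VS_SHELL.search(line) else "vs-build-command"
                findings.append(Finding(path, i, rule, _snip(line)))
    return findings


def scan_repository(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of relative path -> file contents, in deterministic order."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path]))
    return out


# Constructed sample repository (hypothetical names, no real payloads).
SAMPLE_REPO: Dict[str, str] = {
    "instabot/main.py": (
        "import requests;" + " " * 1500 + "exec(decode_stage(BLOB))\n"
        "\n"
        "def login(user, password):\n"
        "    return requests.post(API, data={'u': user, 'p': password})\n"
    ),
    "wallet-bot/index.js": (
        "const TelegramBot = require('node-telegram-bot-api');\n"
        "function init() {\n"
        "  const stage = Buffer.from(BLOB, 'base64').toString('utf8');\n"
        "  eval(stage);\n"
        "}\n"
    ),
    "valorant-tool/valorant-tool.vcxproj": (
        "<Project>\n"
        "  <ItemDefinitionGroup>\n"
        "    <PreBuildEvent>\n"
        "      <Command>call \"$(ProjectDir)helper.bat\"</Command>\n"
        "    </PreBuildEvent>\n"
        "  </ItemDefinitionGroup>\n"
        "</Project>\n"
    ),
    "README.md": "# Instagram automation\nA plausible-looking README with no code.\n",
    "clean/util.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        print(f"{f.rule:24} {f.path}:{f.line}  {f.snippet}")
```

Run it before building or importing a freshly cloned project; anything it reports is a reason to read the flagged line, not proof of compromise, and a clean run is not proof of safety either, since the heuristics only cover the three patterns the researchers described.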

Once executed, these scripts download additional malicious components from an attacker-controlled Github repository. These include a Node.js-based stealer that extracts credentials, cryptocurrency wallet data, and browsing history before sending it to attackers via Telegram, as well as open-source remote access tools like AsyncRAT and Quasar backdoor. A clipboard hijacker was also deployed, replacing copied cryptocurrency wallet addresses with attacker-controlled ones.

The GitVenom campaign has been active for at least two years, with infection attempts detected worldwide, particularly in Russia, Brazil, and Turkey. Kaspersky researchers emphasized the growing risk posed by malicious repositories, warning:

As code-sharing platforms such as GitHub are used by millions of developers worldwide, threat actors will certainly continue using fake software as an infection lure.

“For that reason, it is crucial to handle processing of third-party code very carefully. Before attempting to run such code or integrate it into an existing project, it is paramount to thoroughly check what actions it performs,” they cautioned. As open-source platforms continue to be exploited by cybercriminals, developers must exercise caution to prevent their environments from being compromised.

Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
