GitVenom Campaign Abusing Thousands of GitHub Repositories To Infect Users


A sophisticated malware campaign dubbed “GitVenom” has exploited GitHub’s open-source ecosystem to distribute malicious code through thousands of fraudulent repositories, targeting developers seeking automation tools, cryptocurrency utilities, and gaming hacks.

The campaign, active since at least 2023, employs advanced social engineering tactics to disguise malicious payloads as legitimate projects, compromising systems globally with cryptocurrency stealers and remote access trojans.

The attackers created hundreds of GitHub repositories containing fake projects for Instagram automation bots, Bitcoin wallet managers, and Valorant hacking tools.

These repositories featured professionally designed README.md files with installation instructions, version histories, and tags like “Blockchain” or “Steam API” to appear credible.

The structure of a typical malicious repository, shown below, includes file timestamps updated every few minutes to simulate active development.

Structure of a typical malicious repository (Source – Securelist)

Malicious code implantation varied by programming language. Security analysts at Securelist noted that in Python projects, attackers inserted a 2,000-tab indentation followed by a hidden command to install the cryptography package and execute a decoded script:-

import subprocess
# In the repositories this line sat behind roughly 2,000 tabs, off-screen in a normal editor view
subprocess.run(['pip', 'install', 'cryptography'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

This technique bypassed casual code reviews by exploiting Python’s whitespace sensitivity. JavaScript repositories contained Base64-encoded payloads within seemingly normal functions.

A malicious function placed in JavaScript-based projects (Source – Securelist)

The decoded scripts fetched secondary payloads from the attacker-controlled GitHub repository Dipo17/battle, which hosted:-

  1. A Node.js stealer harvesting credentials, wallet.dat files, and browser histories, compressed into .7z archives sent via Telegram bots
  2. Modified versions of AsyncRAT and Quasar RAT connecting to C2 server 138.68.81.155
  3. A clipboard hijacker replacing cryptocurrency addresses with the attacker’s Bitcoin wallet (bc1qtxlz2m6r[…]yspzt), which received ~5 BTC ($485,000) in November 2024.

For compiled languages like C/C++, attackers embedded malicious batch scripts in Visual Studio project files:

cmd /c "powershell -ep bypass -c [...binary blob...]"

This executed during project compilation, demonstrating the campaign’s cross-platform adaptability.

Ongoing Impact

GitVenom’s infrastructure shows signs of continuous operation, with infection attempts concentrated in Russia (38%), Brazil (22%), and Turkey (17%).

The campaign’s success stems from developers trusting public repositories without verifying code integrity.

Security experts recommend:-

  • Using IDE plugins to detect anomalous whitespace patterns
  • Sandboxing third-party code execution
  • Monitoring network traffic for connections to undocumented GitHub repositories
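A lightweight source scanner implementing the first recommendation, as an added example (not code from the article or from Securelist): it flags any line containing a long run of tabs or spaces followed by more code, the pattern used to hide the Python payload, and any long base64-like string literal of the kind found in the JavaScript projects. The thresholds (40 whitespace characters, 80 base64 characters) and the two sample inputs are assumptions constructed for this example.

```python
import base64
import re
from typing import List, Tuple

# Assumed thresholds for this example (not values from the Securelist report).
# Legitimate code rarely has 40+ consecutive tabs/spaces followed by more code;
# GitVenom used roughly 2,000 tabs to push its payload out of view.
MAX_WHITESPACE_RUN = 40
MIN_BASE64_LITERAL = 80

# A run of whitespace at or above the threshold that is followed by a non-space
# character, i.e. code hidden far to the right of what an editor shows.
HIDDEN_RUN = re.compile(r"[ \t]{%d,}(?=\S)" % MAX_WHITESPACE_RUN)
# A quoted literal made only of base64 alphabet characters (plus padding),
# long enough to plausibly carry an encoded payload.
BASE64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{%d,}={0,2})['"]""" % MIN_BASE64_LITERAL)


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) pairs for lines that warrant manual review."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run = HIDDEN_RUN.search(line)
        if run:
            findings.append((lineno, f"{len(run.group(0))} whitespace chars followed by code"))
        lit = BASE64_LITERAL.search(line)
        if lit:
            findings.append((lineno, f"base64-like literal of {len(lit.group(1))} chars"))
    return findings


# Constructed sample inputs (not real GitVenom code). The Python sample hides a
# harmless print() behind 60 tabs on its last line; the JavaScript sample
# carries a long base64 literal built from plain text.
SAMPLE_PY = (
    "import os\n"
    "\n"
    "def main():\n"
    "    print('hello')\n"
    "    return 0" + "\t" * 60 + "print('hidden')\n"
)
SAMPLE_JS = (
    "function load() {\n"
    "  const blob = '" + base64.b64encode(b"constructed payload text " * 5).decode() + "';\n"
    "  return Buffer.from(blob, 'base64').toString();\n"
    "}\n"
)


def main() -> None:
    for name, sample in (("sample.py", SAMPLE_PY), ("sample.js", SAMPLE_JS)):
        for lineno, reason in scan_source(sample):
            print(f"{name}:{lineno}: {reason}")


if __name__ == "__main__":
    main()
```

The whitespace check deliberately matches mid-line runs as well as leading indentation, since the payload can be appended to an otherwise normal line; anything it reports still needs a human to read the line to its end.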

Researchers identified two malicious repository archives through SHA-256 hashes 06d0d13a4ce73775cf94a4a4f2314490de1d5b9af12db8ba9b01cd14222a2756 and bd44a831ecf463756e106668ac877c6b66a2c0b954d13d6f311800e75e9c6678, urging organizations to scan for these signatures.
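A minimal hash-based sweep for the two archive hashes above, as an added example (not code from the article or from Securelist): it streams every file under a directory through SHA-256 in chunks, so large archives are not read into memory, and reports any path whose digest is in the indicator set. The directory argument and the in-memory helper used for self-checking are assumptions for this example.

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterable, Set

# The two SHA-256 hashes published for the malicious repository archives.
KNOWN_BAD_SHA256: Set[str] = {
    "06d0d13a4ce73775cf94a4a4f2314490de1d5b9af12db8ba9b01cd14222a2756",
    "bd44a831ecf463756e106668ac877c6b66a2c0b954d13d6f311800e75e9c6678",
}


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory buffer (used to self-check the matcher)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 one chunk at a time."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_digests(digests: Dict[str, str], iocs: Iterable[str] = KNOWN_BAD_SHA256) -> Dict[str, str]:
    """Return the subset of {path: digest} whose digest is a known indicator."""
    wanted = set(iocs)
    return {path: d for path, d in digests.items() if d in wanted}


def scan_tree(root: Path, iocs: Iterable[str] = KNOWN_BAD_SHA256) -> Dict[str, str]:
    """Hash every regular file under root and report indicator matches."""
    digests = {str(p): sha256_file(p) for p in root.rglob("*") if p.is_file()}
    return match_digests(digests, iocs)


if __name__ == "__main__":
    import sys
    # Assumed usage: scan the directory given on the command line, default cwd.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    hits = scan_tree(root)
    for path, digest in hits.items():
        print(f"MATCH {digest}  {path}")
    print(f"{len(hits)} indicator match(es) under {root}")
```

A hash match only catches byte-identical copies of the two archives; repositories cloned and re-packed by a developer will hash differently, so this complements rather than replaces the source-level checks.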

As GitHub reviews reportedly missed these repositories for years, the incident shows the need for platform-level static analysis tools to complement user vigilance.
