Hackers Are Using Fake GitHub Code to Steal Your Bitcoin: Kaspersky

The GitHub code you use to build a trendy application or patch existing bugs might just be used to steal your bitcoin BTC$91,580.81 or other crypto holdings, according to a Kaspersky report.

GitHub is popular tool among developers of all types, but even more so among crypto-focused projects, where a simple application may generate millions of dollars in revenue.

The report warned users of a “GitVenom” campaign that’s been active for at least two years but is steadily on the rise, involving planting malicious code in fake projects on the popular code repository platform.

The attack starts with seemingly legitimate GitHub projects — like making Telegram bots for managing bitcoin wallets or tools for computer games.

Each comes with a polished README file, often AI-generated, to build trust. But the code itself is a Trojan horse: For Python-based projects, attackers hide nefarious script after a bizarre string of 2,000 tabs, which decrypts and executes a malicious payload.

For JavaScript, a rogue function is embedded in the main file, triggering the launch attack. Once activated, the malware pulls additional tools from a separate hacker-controlled GitHub repository.

(A tab organizes code, making it readable by aligning lines. The payload is the core part of a program that does the actual work — or harm, in malware’s case.)

Once the system is infected, various other programs kick in to execute the exploit. A Node.js stealer harvests passwords, crypto wallet details, and browsing history, then bundles and sends them via Telegram. Remote access trojans like AsyncRAT and Quasar take over the victim’s device, logging keystrokes and capturing screenshots.

A “clipper” also swaps copied wallet addresses with the hackers’ own, redirecting funds. One such wallet netted 5 BTC — worth $485,000 at the time — in November alone.

Active for at least two years, GitVenom has hit users hardest in Russia, Brazil, and Turkey, though its reach is global, per Kaspersky.

The attackers keep it stealthy by mimicking active development and varying their coding tactics to evade antivirus software.

How can users protect themselves? By scrutinizing any code before running it, verifying the project’s authenticity, and being suspicious of overly polished READMEs or inconsistent commit histories.

Because researchers don’t expect these attacks to stop anytime soon: “We expect these attempts to continue in the future, possibly with small changes in the TTPs,” Kaspersky concluded in its post.