Hackers Exploit GitHub to Steal Crypto: Malware Hidden in Open Source

Hackers Using Github to Steal Crypto—Malware Hidden in Open Source: A stealthy malware campaign is hijacking crypto wallets by embedding malicious code in fake open-source projects on Github, tricking developers into executing hidden… Trade w/ https://t.co/6Mq98mq4zo Buy with… pic.twitter.com/Qp3B1PLJDN

— BitChase (@BitChaseATM) March 1, 2025

To enhance credibility, attackers:

• Create fake repositories mimicking popular tools.

• Use AI-generated README.md files to appear legitimate.

• Artificially inflate commit histories and add multiple tags.

Once developers clone and execute the compromised code, malware deploys silently, leading to the theft of crypto wallet credentials and sensitive data.

How Gitvenom Infects Crypto Wallets

The Gitvenom campaign is highly sophisticated, tailoring its attack methods based on programming languages:

• Python projects hide the payload in long whitespace gaps followed by a script decryption command.

• JavaScript repositories use Base64-encoded scripts to execute malware.

• C, C++, and C# projects embed batch scripts in Visual Studio files, triggering malware when compiled.

Once activated, the malware downloads additional payloads from an attacker-controlled GitHub repository. These include:

• Node.js-based stealers – Extract credentials, browsing history, and crypto wallet data.

• Remote access tools (RATs) – Deploy AsyncRAT and Quasar backdoor for full system control.

• Clipboard hijackers – Modify copied crypto wallet addresses to divert funds to hacker-controlled wallets.

Hackers are creating fake projects on Github, to steal your crypto….be careful.

— ABomb (@AtomLion35) February 28, 2025

Global Impact and How to Stay Safe

The Gitvenom campaign has been active for at least two years, with widespread infection attempts recorded in Russia, Brazil, and Turkey. Given the increasing exploitation of open-source platforms, cybersecurity experts warn that developers must exercise extreme caution when using third-party code.

How to Protect Yourself:

• Verify repository sources – Check for inconsistencies in commit history and contributors.

• Manually review code – Inspect scripts before running them, especially those with obfuscated commands.

• Use sandbox environments – Test untrusted code in isolated systems.

• Enable multi-factor authentication (MFA) – Secure accounts linked to development tools.

As hackers continue exploiting GitHub’s open-source ecosystem, developers must adopt strict security measures to prevent crypto wallet theft and data breaches.