Cybercriminals are using a sneaky new method to trick developers into downloading dangerous malware. A recent campaign called GitVenom is spreading harmful software through fake GitHub repositories. These attackers create fake open-source projects that look real but secretly contain hidden threats.
Open-source projects are widely used by developers worldwide. They provide useful code that saves time and effort. However, hackers are taking advantage of this by creating fake repositories that appear legitimate. These repositories offer tools like Instagram automation software, a Telegram Bitcoin wallet bot, and a Valorant hacking tool. But instead of providing useful programs, they install malware that steals sensitive information.
The people behind this campaign are carefully disguising their fake projects. They write detailed descriptions, add many keywords, and even manipulate timestamps to make their repositories look active and trustworthy. Some descriptions might even be written with the help of AI, making them seem even more convincing.
How the GitVenom Malware Works
The GitVenom malware is hidden inside different types of programming languages, including Python, JavaScript, C, C++, and C#. The attackers use unique methods to hide the harmful code in each language.
- Python Projects: The malware is concealed within thousands of tab characters in a script file. When executed, these tabs reveal and run a second hidden script that installs the malware.
- JavaScript Projects: The malicious code is included inside functions hidden in the main file, waiting to be executed.
- C, C++, and C# Projects: These projects use hidden batch scripts inside Visual Studio project files. When a developer builds the project, the malware gets activated.
Once the infected code is run, it downloads additional harmful programs from a hacker-controlled GitHub repository. These programs include an information stealer designed to grab important data like passwords, banking details, cryptocurrency wallet information, and browsing history. The stolen data is then sent to the attackers via Telegram.
Hackers Gain Control and Steal Cryptocurrency
In addition to stealing personal data, GitVenom can also take control of a victim’s computer. The malware downloads remote administration tools like AsyncRAT and Quasar RAT, which allow hackers to control infected devices remotely. This means they can steal files, track activities, and even manipulate system settings without the user knowing.
One of the most dangerous tools used in this attack is a clipboard hijacker. This sneaky program monitors copied cryptocurrency wallet addresses and replaces them with the hacker’s wallet address. If a victim tries to send cryptocurrency, the money is unknowingly sent to the attacker instead. One Bitcoin wallet linked to GitVenom has received around 5 BTC (worth $485,000) as of November 2024.
The GitVenom campaign has been active for at least two years, affecting developers worldwide. Most infection attempts have been seen in Russia, Brazil, and Turkey, but the threat is global. As long as open-source platforms like GitHub exist, hackers will continue to find ways to exploit unsuspecting users.
Developers should be extra careful when downloading code from unknown sources. Before running any third-party code, always examine it closely to ensure it does not perform any hidden actions. Staying alert can help prevent falling victim to dangerous cyberattacks like GitVenom.
