{
	"id": "fbb25b16-090f-4307-9c64-8aabd37708ca",
	"created_at": "2026-04-06T00:06:41.186452Z",
	"updated_at": "2026-04-10T13:12:24.718742Z",
	"deleted_at": null,
	"sha1_hash": "6196cb48af636b0c431ebf3ff838008b9b9fbc5d",
	"title": "The GitVenom campaign: cryptocurrency theft using GitHub",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 342408,
	"plain_text": "The GitVenom campaign: cryptocurrency theft using GitHub\r\nBy Georgy Kucherin\r\nPublished: 2025-02-24 · Archived: 2026-04-05 20:13:25 UTC\r\nIn our modern world, it’s difficult to overestimate the impact that open-source code has on software\r\ndevelopment. Over the years, the global community has published a tremendous number of projects with\r\nfreely accessible code that can be viewed and enhanced by anyone on the planet. Very frequently, code published\r\non the Internet serves as a source of inspiration for software developers: whenever they need to implement a\r\nproject feature, they first check whether the code they need is already available online. This way, they avoid\r\nreinventing the wheel and save their precious time.\r\nWith more and more open-source projects being published, both state-sponsored actors and cybercriminals have started\r\nusing freely available code as a lure to infect their targets. This trend shows no sign of slowing down, as\r\nevidenced by a currently active campaign aimed at GitHub users that we dubbed GitVenom.\r\nPromise-filled yet fake projects\r\nOver the course of the GitVenom campaign, the threat actors behind it have created hundreds of repositories on\r\nGitHub that contain fake projects with malicious code: for example, an automation tool for interacting\r\nwith Instagram accounts, a Telegram bot for managing Bitcoin wallets, and a hacking tool for the video\r\ngame Valorant.\r\nClearly, in designing these fake projects, the actors went to great lengths to make the repositories appear\r\nlegitimate to potential targets. For instance, the malicious repositories we discovered contained well-designed\r\nREADME.md files, possibly generated using AI tools. 
We observed these files to contain information about the\r\nprojects, as well as instructions on how to compile their code.\r\nSnippets of README.md pages with descriptions of fake projects\r\nIn addition to that, the attackers added multiple tags to their repositories and artificially inflated the number\r\nof commits made to them. To do that, they placed a timestamp file in these repositories, which was updated every\r\nfew minutes:\r\nhttps://securelist.com/gitvenom-campaign/115694/\r\nPage 1 of 4\n\nExample structure of a malicious repository\r\nMalicious code implanted in many ways\r\nWhile analyzing repositories created over the course of the GitVenom campaign, we noted that the fake projects\r\nwe found were written in multiple programming languages, specifically Python, JavaScript, C, C++ and C#. As\r\nmay be expected, these projects did not implement the features described in the README.md file, and their code\r\nmostly performed meaningless actions. At the same time, each of the projects was infected with malicious code,\r\nwith its placement depending on the programming language used.\r\nFor instance, the attackers placed malicious code in Python-based projects by inserting a long line in one of the\r\nproject files. This line consisted of about 2,000 tab characters (pushing the payload off-screen in most editors), followed by code\r\nresponsible for decrypting and executing a Python script:\r\nsubprocess.run(['pip', 'install', 'cryptography'], stdout=subprocess.DEVNULL,\r\nstderr=subprocess.DEVNULL); subprocess.run(['pip', 'install', 'fernet'], stdout=subprocess.DEVNULL,\r\nstderr=subprocess.DEVNULL); from fernet import Fernet; import requests; exec(Fernet(b'\u003cencrypted\r\nmalicious Python script\u003e'))\r\nIn the case of projects coded in JavaScript, the attackers created a malicious function inside them, which was in\r\nturn invoked from the main file of the project. 
Below is an example of such a function:\r\nExample of a malicious function placed in JavaScript-based projects. It decodes a script from Base64 and executes\r\nit.\r\nAs for repositories containing C, C++ and C# code, the attackers hid a malicious batch script inside\r\nVisual Studio project files, configuring it to execute at project build time:\r\nSnippet from a malicious Visual Studio project file. It contains a PreBuildEvent property, which causes the\r\npayload to execute whenever the project is built.\r\nFurther payloads deployed\r\nWhile coded in different programming languages, the malicious payloads stored inside the fake projects had the\r\nsame goal: download further malicious components from an attacker-controlled GitHub repository (URL at the\r\ntime of research: hxxps://github[.]com/Dipo17/battle) and execute them. These components were as follows:\r\nA Node.js stealer that collects information such as saved credentials, cryptocurrency wallet data and\r\nbrowsing history, packs it into a .7z archive and uploads it to the attackers via Telegram;\r\nStructure of the archive which the stealer sends to the attackers\r\nThe open-source AsyncRAT implant (C2 server address: 138.68.81[.]155);\r\nThe open-source Quasar backdoor (C2 server address: same as above);\r\nA clipboard hijacker, which searches the clipboard contents for cryptocurrency wallet addresses and\r\nreplaces them with attacker-controlled ones. Notably, the attacker-controlled Bitcoin wallet (address:\r\nbc1qtxlz2m6r[...]yspzt) received a lump sum of about 5 BTC (approximately 485,000 USD at the time of\r\nresearch) in November 2024.\r\nImpact of the campaign\r\nWhile investigating malicious repositories related to the GitVenom campaign, we found several fake projects\r\npublished two years ago. 
Given that the attackers have been luring victims with these projects for several years,\r\nthe infection vector is likely quite effective. In fact, based on our telemetry, infection attempts related to GitVenom\r\nhave been observed worldwide, with the highest number of them being in Russia, Brazil and Turkey. We expect\r\nthese attempts to continue in the future, possibly with small changes in the TTPs.\r\nBlindly running code from GitHub can be detrimental\r\nAs code-sharing platforms such as GitHub are used by millions of developers worldwide, threat actors will\r\ncertainly continue using fake software as an infection lure. For that reason, it is crucial to handle\r\nthird-party code with care. Before running such code or integrating it into an existing project, it is\r\nparamount to thoroughly check what actions it performs, including build-time hooks and any unusually long or obfuscated lines. This makes it far easier to spot fake projects and to\r\nprevent malicious code placed in them from compromising the development environment.\r\nReference hashes for infected repository archives (MD5, with SHA-256 in parentheses)\r\n63739e000601afde38570bfb9c8ba589\r\n(06d0d13a4ce73775cf94a4a4f2314490de1d5b9af12db8ba9b01cd14222a2756)\r\n3684907e595cd04bf30b27d21580a7c6\r\n(bd44a831ecf463756e106668ac877c6b66a2c0b954d13d6f311800e75e9c6678)\r\nSource: https://securelist.com/gitvenom-campaign/115694/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/gitvenom-campaign/115694/"
	],
	"report_names": [
		"115694"
	],
	"threat_actors": [],
	"ts_created_at": 1775434001,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6196cb48af636b0c431ebf3ff838008b9b9fbc5d.pdf",
		"text": "https://archive.orkl.eu/6196cb48af636b0c431ebf3ff838008b9b9fbc5d.txt",
		"img": "https://archive.orkl.eu/6196cb48af636b0c431ebf3ff838008b9b9fbc5d.jpg"
	}
}