Hackers are stealing BTC through malicious GitHub code bases

GitHub code used to build a new application or patch existing bugs could be used to steal your bitcoin (BTC) or other crypto holdings, according to a Kaspersky report.

GitHub is a popular tool among developers of all kinds, but even more so among cryptocurrency projects, where a simple application can generate millions of dollars in revenue.

The report warns users of a “GitVenom” campaign that has been active for at least two years and is constantly growing, and that involves planting malicious code in fake projects on the popular code-hosting platform.

The attack begins with seemingly legitimate GitHub projects, such as Telegram bots for managing tickets or Bitcoin tools for computer games.

Each comes with a polished README file, often AI-generated, to build trust. But the code itself is a Trojan horse: in Python-based projects, the attackers hide the malicious script behind a strange run of around 2,000 tab characters, and that script decrypts and executes a malicious payload.

For JavaScript, a rogue function is embedded in the main file and triggers the attack when the project is run. Once activated, the malware fetches additional tools from a separate, attacker-controlled GitHub repository.

(A tab indents code, making it readable by aligning lines. The payload is the core part of a program that does the real work, or the real damage in the case of malware.)
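The tab-padding trick described above leaves a measurable fingerprint: a line whose real code sits behind hundreds of whitespace characters. The scanner below is an added example for reviewing a checked-out repository, not Kaspersky's tooling or code from the campaign; the 500-character threshold, the list of suspicious calls and the sample file are assumptions constructed for illustration.

```python
import re
from typing import List, Tuple

# Assumed thresholds: honest code never pushes a statement 500+ whitespace
# characters to the right, and hidden stagers typically decode then execute.
MIN_HIDDEN_WS = 500
SUSPICIOUS_CALLS = re.compile(r"\b(exec|eval|compile|b64decode|fromhex|decrypt)\s*\(")


def scan_source(text: str, min_ws: int = MIN_HIDDEN_WS) -> List[Tuple[int, int, bool]]:
    """Return (line_number, whitespace_run_length, calls_decode_or_exec) for every
    line where code is hidden behind an abnormally long run of tabs or spaces."""
    hidden_run = re.compile(r"[ \t]{" + str(min_ws) + ",}")
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = hidden_run.search(line)
        if not match:
            continue
        tail = line[match.end():]
        if not tail.strip():
            # Trailing whitespace only: sloppy formatting, not concealed code.
            continue
        run_length = match.end() - match.start()
        findings.append((lineno, run_length, bool(SUSPICIOUS_CALLS.search(tail))))
    return findings


# Constructed sample mimicking the described layout; the tail is a harmless
# placeholder, not a real payload. Line 5 is valid Python because of the ';'.
SAMPLE = (
    "import sys\n"
    "def main():\n"
    "    print('ticket bot starting')\n"
    "\n"
    "main()" + "\t" * 2000 + ";exec(decode('<placeholder>'))\n"
)

if __name__ == "__main__":
    for lineno, run, suspicious in scan_source(SAMPLE):
        note = " and it executes decoded data" if suspicious else ""
        print(f"line {lineno}: code hidden behind {run} whitespace chars{note}")
```

Run it over every `*.py` and `*.js` file in a cloned project before executing anything; a single hit is worth a manual look at that line in an editor with whitespace rendering enabled.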

Once a system is infected, several other programs are run to carry out the exploit. A Node.js stealer collects passwords, cryptocurrency wallet details and browsing history, then packages them and sends them via Telegram. Remote access Trojans such as AsyncRAT and Quasar take over the victim’s device, logging keystrokes and capturing screenshots.

A “clipper” also swaps copied wallet addresses for the hackers’ own. One of those wallets took in 5 BTC, worth $485,000 at the time, in November alone.

Active for at least two years, GitVenom has hit users in Russia, Brazil and Turkey hardest, although its reach is global, according to Kaspersky.

The attackers keep it stealthy by imitating active development and varying their coding tactics to evade antivirus software.

How can users protect themselves? By examining any code before running it, verifying the project’s authenticity, and being suspicious of overly polished READMEs or inconsistent commit histories.

And researchers do not expect these attacks to stop soon: “We expect these attempts to continue in the future, possibly with small changes in the TTPs,” Kaspersky concluded in its publication.
