GitHub malicious repositories deploying hidden crypto wallet attacks

Researchers at Kaspersky have discovered an attack vector that is based on GitHub repositories. This allows code to be distributed that targets crypto wallets.
The FBI has revealed a GitVenom campaign in which threat actors created hundreds of GitHub repositories claiming to provide utilities for social media management, wallet management and even gaming enhancements.
These repositories, which were intended to look like legitimate open-source software projects, did not perform the functions advertised. Instead, they contained instructions for installing cryptographic libraries, downloading additional payloads, or executing hidden scripts.
GitVenom repos
The malicious code can be found in Python, JavaScript, C++ and C# projects. In Python repositories, a long sequence of tab characters pushes the real commands off screen; those commands install the cryptography package and use its Fernet module to decrypt and run an encrypted payload.
JavaScript projects contain a function that decodes a Base64-encoded script and executes it, triggering the malicious code.
A hidden batch script in Visual Studio project files is also activated during build time for projects using C++ and C#. Kaspersky reports that each payload can be configured to retrieve additional components from an attacker’s GitHub repository.
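The three hiding techniques above (a long tab run in front of Python code, Base64 decoding feeding eval in JavaScript, and a build event in a Visual Studio project file) are all visible in the source text of a checked-out repository, so they can be flagged before anything is run or built. The scanner below is an added example written for this article, not Kaspersky's tooling or any project's code; the regexes, the 50-tab threshold and the sample files are my own assumptions, and the samples are constructed (the Base64 string decodes to "hello").

```python
import re
from pathlib import Path

# Heuristics modelled on the three GitVenom hiding techniques the article describes.
# Thresholds (such as the 50-tab run) are assumptions for this example, not Kaspersky's.
TAB_RUN = re.compile(r"\t{50,}(?=\S)")            # long tab run with real code after it
FERNET = re.compile(r"\bFernet\b")
DYN_EXEC = re.compile(r"\b(?:exec|eval)\s*\(")
B64_DECODE = re.compile(r"\batob\s*\(|Buffer\.from\s*\([^)]*['\"]base64['\"]")
BUILD_EVENT = re.compile(r"<(PreBuildEvent|PostBuildEvent)>(.*?)</\1>", re.S | re.I)
EXEC_TASK = re.compile(r"<Exec\b[^>]*\bCommand\s*=\s*\"([^\"]*)\"", re.I)


def scan_text(filename: str, text: str) -> list:
    """Return human-readable findings for one source file, chosen by file extension."""
    suffix = Path(filename).suffix.lower()
    findings = []
    if suffix == ".py":
        for lineno, line in enumerate(text.splitlines(), 1):
            if TAB_RUN.search(line):
                findings.append(f"{filename}:{lineno}: code hidden behind a long run of tab characters")
        if FERNET.search(text) and DYN_EXEC.search(text):
            findings.append(f"{filename}: Fernet decryption combined with exec/eval")
    elif suffix in (".js", ".mjs", ".cjs"):
        if B64_DECODE.search(text) and DYN_EXEC.search(text):
            findings.append(f"{filename}: Base64 decoding combined with eval")
    elif suffix in (".csproj", ".vcxproj", ".props", ".targets"):
        # Build events and <Exec> tasks run commands at build time; surface them for review.
        for m in BUILD_EVENT.finditer(text):
            findings.append(f"{filename}: {m.group(1)} runs: {m.group(2).strip()}")
        for m in EXEC_TASK.finditer(text):
            findings.append(f"{filename}: <Exec> task runs: {m.group(1).strip()}")
    return findings


def scan_tree(root: Path) -> dict:
    """Walk a checked-out repository on disk and collect findings per file."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = str(path.relative_to(root))
            hits = scan_text(rel, path.read_text(errors="replace"))
            if hits:
                report[rel] = hits
    return report


# Constructed sample files for a stand-alone run; not real GitVenom artefacts.
SAMPLES = {
    "tool/main.py": "def main():\n    print('ok')\n"
                    + "\t" * 200
                    + "from cryptography.fernet import Fernet; exec(Fernet(k).decrypt(blob))\n",
    "lib/util.js": "function run() {\n  const s = Buffer.from('aGVsbG8=', 'base64').toString();\n  eval(s);\n}\n",
    "app/app.csproj": "<Project>\n  <PropertyGroup>\n"
                      "    <PreBuildEvent>call $(ProjectDir)setup.bat</PreBuildEvent>\n"
                      "  </PropertyGroup>\n</Project>\n",
    "tool/config.py": "import json\n\ndef load(p):\n    with open(p) as f:\n        return json.load(f)\n",
}


def scan_samples() -> dict:
    """Run the scanner over the constructed samples; only files with findings are returned."""
    report = {}
    for name, text in SAMPLES.items():
        hits = scan_text(name, text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for hits in scan_samples().values():
        for line in hits:
            print(line)
```

Point `scan_tree(Path("path/to/clone"))` at a fresh clone to use it on a real repository. The checks are deliberately coarse: a `PreBuildEvent` is not malicious in itself, which is why the command text is reported rather than judged, and the tab-run check catches only the off-screen trick the article describes, not every way of hiding a line.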
The additional components include a Node.js stealer that gathers digital wallet data and browsing history, then packages it into an archive for exfiltration via Telegram.
To provide remote access, the open-source AsyncRAT implant and Quasar backdoor are also used, along with a clipboard hijacker that scans for crypto wallet addresses and replaces them with attacker-controlled ones.
The vector of attack is not a new concept
The campaign, which has been active for several years (some repositories date back two years), has led to infection attempts worldwide. Telemetry data shows that GitVenom has been linked to the majority of infection attempts in Russia.
Kaspersky researchers emphasized the importance of scrutinizing code from third parties before execution. Open-source platforms can be used to spread malware, even though they are vital for collaborative development.
Before integrating code in their projects, developers are encouraged to check the activity and contents of GitHub repositories.
The report details how these projects artificially inflate their commit history and pad the README file with detail. Developers should be aware of these signs when reviewing new repositories.
Although using AI to create a README is not in itself a red flag, its presence should prompt developers to do more research before adopting the code, for example by looking for reviews and community engagement. Fake AI-generated social media posts and fake reviews make this a difficult challenge.
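An inflated commit history usually looks different from an organic one once you measure it: many commits landing within a short window, most of them touching only the README. The function below scores a commit log on those two signals. It is an added example for this article, not Kaspersky's method; the one-hour window, the 50% thresholds and both commit logs are constructed assumptions, and the input shape (timestamp plus list of touched paths) is what you would assemble from `git log --name-only` on a clone.

```python
from datetime import datetime, timedelta

README_NAMES = {"readme", "readme.md", "readme.rst", "readme.txt"}


def largest_burst(timestamps, window):
    """Largest number of commits that fall inside any single time window (sliding window)."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def inflation_indicators(commits, window=timedelta(hours=1)):
    """commits: iterable of (datetime, [touched paths]). Thresholds are assumptions."""
    commits = list(commits)
    n = len(commits)
    if n == 0:
        return {"commits": 0, "burst_ratio": 0.0, "readme_only_ratio": 0.0, "suspicious": False}
    readme_only = sum(
        1 for _, files in commits
        if files and all(f.lower().rsplit("/", 1)[-1] in README_NAMES for f in files)
    )
    burst = largest_burst([t for t, _ in commits], window)
    ind = {"commits": n, "burst_ratio": burst / n, "readme_only_ratio": readme_only / n}
    ind["suspicious"] = ind["burst_ratio"] >= 0.5 or ind["readme_only_ratio"] >= 0.5
    return ind


# Constructed commit logs (not from any real repository).
_base = datetime(2024, 1, 15, 9, 0)
# 40 README-only commits inside half an hour, bracketed by two real code commits.
INFLATED = (
    [(_base + timedelta(seconds=40 * i), ["README.md"]) for i in range(40)]
    + [(_base - timedelta(days=3), ["src/main.py"]),
       (_base + timedelta(days=1), ["src/main.py", "README.md"])]
)
# Weekly code-plus-test commits over three months, with one README touch-up.
ORGANIC = (
    [(_base + timedelta(days=7 * i), [f"src/feature{i}.py", f"tests/test_{i}.py"]) for i in range(12)]
    + [(_base + timedelta(days=20), ["README.md"])]
)

if __name__ == "__main__":
    print("inflated:", inflation_indicators(INFLATED))
    print("organic: ", inflation_indicators(ORGANIC))
```

Treat the result as a prompt for a closer look rather than a verdict: a legitimate project can land a documentation sprint in one afternoon, and a patient attacker can spread commits out. The signal is strongest when both ratios are high and the README describes functionality the code does not contain.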
Posted in: Crime, Featured, Hacks

Author: Liam ‘Akiba’ Wright
Liam Wright (also known as Akiba) is a reporter and podcast producer at CryptoSlate. He also serves as Editor-in-Chief. He believes that decentralized technology is capable of bringing about positive change.