Kaspersky identifies malware framework targeting cryptocurrency investors through fake GitHub projects
The GitVenom campaign used over 200 fake repositories, AI-generated documentation, and trojanized apps to steal Bitcoin and sensitive credentials from developers and crypto users.
Kaspersky’s Global Research and Analysis Team has uncovered a malware operation called GitVenom that weaponizes one of the most trusted platforms in software development: GitHub. The campaign planted more than 200 fake repositories disguised as legitimate open-source projects, targeting developers and cryptocurrency investors with a cocktail of info-stealers, remote access trojans, and clipboard hijackers designed to redirect crypto transactions.
How GitVenom actually works
The campaign, detailed in a Kaspersky report dated February 24, 2025, has been active since at least 2023. Its operators created repositories that looked convincingly real, complete with AI-generated README files, inflated commit histories, and code written across multiple programming languages. The goal was simple: look like a busy, credible open-source project so developers would clone the repo without a second thought.
Once a developer downloaded and built one of these projects, hidden malicious scripts would execute. The malware payloads varied but included Node.js-based info-stealers capable of harvesting personal data, browser credentials, and banking information. More advanced variants deployed open-source remote access tools like Quasar and AsyncRAT, giving attackers persistent backdoor access to infected machines.
The most directly dangerous component for crypto holders was the clipboard clipper. This relatively simple but devastatingly effective tool monitors a user’s clipboard for cryptocurrency wallet addresses. When it detects one, it silently swaps in the attacker’s address instead. The victim copies what they think is their own wallet address, pastes it into a transaction, and sends funds straight to the thieves.
The damage so far
GitVenom’s operators have already pocketed meaningful sums. Kaspersky flagged a single transaction in November 2024 where approximately 5 BTC, worth around $485,000 at the time, was transferred to a wallet controlled by the attackers. Infections have been detected globally, with notable concentrations in Russia, Brazil, and Turkey.
Why this matters for crypto investors
For individual crypto investors, the immediate lesson is straightforward: always verify wallet addresses character by character before confirming a transaction. Clipboard manipulation is invisible unless you’re actively looking for it. A hardware wallet that displays the destination address on its own screen provides an additional layer of verification that software alone cannot match.
For developers working on crypto-related projects, supply chain attacks like GitVenom exploit dependency on third-party code by hiding malicious functionality inside seemingly useful libraries or tools.
Kaspersky’s researchers noted that as long as open-source code sharing remains a cornerstone of development, threat actors will continue to use it as a distribution channel. The incentive structure is simply too attractive: high trust, low friction, global reach, and victims who self-select as people with access to cryptocurrency wallets and developer credentials.