Kaspersky has uncovered an active malware campaign called GitVenom that uses fake GitHub apps to target crypto investors, planting malicious code inside hundreds of counterfeit open-source projects designed to steal wallets, credentials and Bitcoin.
Kaspersky said the GitVenom campaign is currently active and relies on hundreds of fake GitHub repositories to lure victims into downloading trojanized tools, according to its Securelist research. The attackers built projects that looked useful and legitimate but hid stealer and remote-access payloads inside. For related coverage, see Citadel Backs Two Crypto Exchanges With $600 Million Investment.
The fake repositories impersonated tools such as an Instagram automation utility, a Telegram bot for managing Bitcoin wallets, and a Valorant cheat program, Kaspersky said in its disclosure. Each project targeted a different audience, but crypto-focused users were a central objective. For related coverage, see Citadel Securities Invests $400M in Crypto.com at $20B Valuation.
Georgy Kucherin of Kaspersky described the scale of the operation in comments reported by BleepingComputer. For related coverage, see $1.9 Trillion Asset Manager Tests Demand for Crypto Basket ETFs.
The threat actors behind it have created hundreds of repositories on GitHub that contain fake projects with malicious code.
How fake GitHub apps reach crypto users
GitHub-hosted projects carry built-in trust cues. A repository with a detailed README, an active commit history and working features looks credible to a developer or trader evaluating a new wallet tool or bot.
Kaspersky said the attackers exploited that trust with technical tricks, including a timestamp file updated every few minutes to make repositories appear actively maintained, and a Python payload padded with roughly 2,000 tab characters that hid decryption code from casual inspection.
Crypto investors are a natural target because they routinely test wallets, trading bots and open-source utilities, often running unfamiliar code on the same machine that holds their keys. This is the same social-engineering pattern seen in other recent operations, such as the multi-module OkoBot wallet attack Kaspersky documented, where legitimate-looking tooling masked credential theft.
Kaspersky documented several payload families across the campaign, including a Node.js information stealer, AsyncRAT, the Quasar backdoor, and a clipboard hijacker that swaps a victim's copied wallet address for one controlled by the attacker.
Why this matters for crypto investors now
Kaspersky linked the campaign's clipboard hijacker to an attacker-controlled Bitcoin wallet that received about 5 BTC in November 2024. A clipboard hijacker is especially dangerous for traders because a single overlooked address swap can redirect an entire transfer.
Kaspersky and follow-on coverage put the tracked haul at roughly $485,000 at the time of investigation, underscoring how a single wallet swap campaign can produce six-figure losses.
The highest concentration of infection attempts was observed in Russia, Brazil and Turkey, according to Kaspersky telemetry echoed by secondary coverage, though the fake repositories were open to anyone worldwide.
The disclosure lands during a cautious market. Bitcoin traded at $64,632, up about 1% on the day, while the Fear & Greed Index sat at 25, in "Extreme Fear" territory. Security scares add friction for retail holders already reading the day's cautious market signals.
The practical takeaway for investors is verification: inspect repository ownership and history before running code, avoid downloading wallet or trading tools from unverified projects, and confirm every pasted address before signing a transaction to defeat clipboard hijackers.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.