'GitVenom' campaign uses dodgy GitHub repositories to spread malware
Hackers behind the GitVenom campaign were able to steal almost $500,000 from one user


Security researchers have issued an alert over a campaign using GitHub repositories to distribute malware, with users lured in by fake projects.
Analysis from Kaspersky warned the unknown threat actors behind the campaign, which it dubbed ‘GitVenom’, had created over 200 repositories with various projects containing malicious code.
These fake projects included Telegram bots, video game hacking tools, Instagram automation utilities, and Bitcoin wallet managers covering a wide range of programming languages such as Python, JavaScript, C, C#, and C++.
The campaign uses a number of techniques to make itself appear legitimate, such as adding multiple tags to their repositories, displaying they have tens of thousands of commits, and ‘well-designed’ README files giving developers instruction on how to work with the code.
But the report noted that the features described in the README files never actually corresponded to the actual code in the project.
“[I]n reality, the code doesn’t do half of what it claims. But ‘thanks’ to [the README], victims end up downloading malicious components,” the firm said.
These malicious components include a Node.js stealer that collects credentials, crypto wallet data, and browser data and then packages the stolen information into a 7zip archive before sending it back to the attackers via Telegram.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The malware also included Quasar, an open source backdoor; AsyncRAT, an open source RAT that also functions as a keylogger; as well as a clipper that replaces any crypto wallet address in the target environment’s clipboard and replaces it with an attacker-controlled address.
According to the report, the group was able to divert almost $500,000 worth of Bitcoin to one of their addresses in November 2024 using this method.
Kaspersky added that the tens of thousands of commits were not, of course, the result of the threat actors manually updating each of the 200 repositories to maintain their authenticity, but by using timestamp files that updated every few minutes.
“The combination of detailed documentation and numerous commits creates the illusion that the code is genuine and safe to use,” it explained.
The GitHub campaign has been active for some time
Looking at the age of the oldest fake repository linked to the campaign, Kaspersky estimated that the campaign has been going on for around two years and has impacted developers in Brazil, Russia, and Turkey.
It noted the longevity of the campaign, stating that it was surprising that GitVenom has been able to persist for as long as it has.
Kaspersky advised that due to GitHub’s popularity, with over 100 million developers using the platform, it will remain a popular target for malicious actors.
RELATED WHITEPAPER
With this in mind, users should remain highly vigilant when using the platform. Developers should always analyze the code they are thinking of integrating into their existing projects and use malware protection on both their computer and smartphone.
The report also advised to check less obvious indicators, such as the contribute accounts, number of stars, and the project creation date, although this is not a sure fire sign of authenticity as previous campaigns have manipulated GitHub’s star system to boost their malicious projects.
MORE FROM ITPRO
- 86% of enterprise codebases contain open source vulnerabilities
- Why ‘malware as a service’ is becoming a serious problem
- Hackers are using this new phishing technique to bypass MFA

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.
-
Colt Technology sells eight European data centers
News NorthC says the acquisition will help it improve coverage in Germany and other markets
By Emma Woollacott
-
SYSPRO names Leanne Taylor as chief revenue officer
News The experienced executive will lead the firm’s revenue strategy as it looks to drive global growth
By Daniel Todd
-
Organizations urged to act fast after GitHub Action supply chain attack
News More than 20,000 organizations may be at risk following a supply chain attack affecting tj-actions/changed-files GitHub Action.
By Emma Woollacott
-
Nearly a million devices were infected in a huge GitHub malvertising campaign
News Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.
By Solomon Klappholz
-
Malicious GitHub repositories target users with malware
News Criminals are exploiting GitHub's reputation to install Lumma Stealer disguised as game hacks and cracked software
By Emma Woollacott
-
A leaked GitHub access token could have led to a catastrophic supply chain attack
News The GitHub access token with administrator level privileges could have been used to great effect by threat actors
By Solomon Klappholz
-
Hackers have found yet another way to trick devs into downloading malware from GitHub
News Threat actors have developed a new way to covertly embed malicious files into legitimate repositories on both GitHub and GitLab using the comment section
By Solomon Klappholz
-
Hackers are abusing GitHub's search function to spread malware
News Hackers are using the names of popular GitHub repositories to trick users into downloading malicious code, new research reveals.
By Solomon Klappholz
-
Hackers take advantage of AI hallucinations to sneak malicious software packages onto enterprise repositories
News New research reveals a novel attack path where threat actors could leverage nonexistent open-source packages hallucinated by models to inject malware into enterprise repositories
By Solomon Klappholz
-
Hackers are spoofing themselves as GitHub's Dependabot to steal user passwords
News GitHub Dependabot was crudely spoofed in hundreds of successful attacks on open source projects
By Connor Jones