A sophisticated cyber threat campaign, dubbed GitVenom, has been uncovered, leveraging GitHub to spread malicious code through fake repositories.
This campaign involves creating hundreds of repositories that appear legitimate but contain malicious code designed to infect users’ systems.
The attackers have crafted these repositories to mimic real projects, complete with well-designed README files and artificially inflated commit histories, making them seem authentic to potential victims.
Malicious Code Deployment
The malicious code in these repositories is implemented in various programming languages, including Python, JavaScript, C, C++, and C#.

For Python-based projects, the attackers insert a long line of code that decrypts and executes a malicious Python script.
In JavaScript projects, a malicious function is created to decode and execute scripts from Base64.
For C, C++, and C# projects, a malicious batch script is hidden in Visual Studio project files, set to execute during project build time.
According to the Securelist report, these scripts ultimately download additional malicious components from an attacker-controlled repository, including a Node.js stealer that collects sensitive data such as cryptocurrency wallet information and browsing history.
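The three injection patterns above (a very long decode-and-exec line in Python, a Base64 decode feeding eval in JavaScript, and a batch script wired into a Visual Studio build event) are all things a reviewer can look for before building a cloned repository. The following heuristic scanner is an added example written for this page; it is not Securelist's tooling or code from the campaign. The line-length threshold, the line window, the file suffixes and the sample files are assumptions constructed for illustration, and the scanner only reads and reports, it never executes anything it finds.

```python
"""Heuristic scanner for the GitVenom-style indicators described above.

Constructed example; not Kaspersky's tooling or code from the campaign.
It only reads files and reports matches, it never executes anything.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Assumed thresholds; tune them against your own repositories.
LONG_LINE_THRESHOLD = 1000   # chars: a decode-and-exec one-liner is far longer than normal code
JS_WINDOW = 5                # lines: Base64 decode followed by eval/Function within this many lines

PY_EXEC_RE = re.compile(r"\b(exec|eval)\s*\(")
PY_DECODE_RE = re.compile(r"(b64decode|fromhex|decrypt|Fernet|AES)", re.I)
JS_DECODE_RE = re.compile(r"""(\batob\s*\(|Buffer\.from\s*\([^)]*['"]base64['"])""")
JS_EXEC_RE = re.compile(r"(\beval\s*\(|\bnew\s+Function\s*\(|\bFunction\s*\()")
VS_OPEN_RE = re.compile(r"<(PreBuildEvent|PostBuildEvent|Exec|Command)\b", re.I)
VS_CLOSE_RE = re.compile(r"</(PreBuildEvent|PostBuildEvent|Exec|Command)>|/>", re.I)
VS_CMD_RE = re.compile(r"(\.bat\b|\.cmd\b|\bcmd(\.exe)?\s+/c|powershell)", re.I)

PY_SUFFIXES = {".py", ".pyw"}
JS_SUFFIXES = {".js", ".mjs", ".cjs", ".ts"}
VS_SUFFIXES = {".csproj", ".vcxproj", ".props", ".targets"}
SCANNED_SUFFIXES = PY_SUFFIXES | JS_SUFFIXES | VS_SUFFIXES


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply the per-language heuristics to one file's contents."""
    suffix = Path(path).suffix.lower()
    lines = text.splitlines()
    found: list[Finding] = []
    if suffix in PY_SUFFIXES:
        # Python: one very long line that both decodes/decrypts and executes.
        for n, ln in enumerate(lines, 1):
            if len(ln) > LONG_LINE_THRESHOLD and PY_EXEC_RE.search(ln) and PY_DECODE_RE.search(ln):
                found.append(Finding(path, n, "py-long-line-decode-exec"))
    elif suffix in JS_SUFFIXES:
        # JavaScript: Base64 decode feeding eval()/Function() within a few lines.
        last_decode = -JS_WINDOW - 1
        for n, ln in enumerate(lines, 1):
            if JS_DECODE_RE.search(ln):
                last_decode = n
            if JS_EXEC_RE.search(ln) and n - last_decode <= JS_WINDOW:
                found.append(Finding(path, n, "js-base64-decode-exec"))
    elif suffix in VS_SUFFIXES:
        # MSBuild: a build event or Exec task that runs a batch script or shell.
        in_event = False
        for n, ln in enumerate(lines, 1):
            if VS_OPEN_RE.search(ln):
                in_event = True
            if in_event and VS_CMD_RE.search(ln):
                found.append(Finding(path, n, "vs-build-event-script"))
            if in_event and VS_CLOSE_RE.search(ln):
                in_event = False
    return found


def scan_tree(root: Path) -> list[Finding]:
    """Walk a checked-out repository and scan every file with a relevant suffix."""
    found: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCANNED_SUFFIXES:
            try:
                text = p.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            found.extend(scan_text(str(p.relative_to(root)), text))
    return found


# Constructed, inert sample files mirroring the three patterns (never executed).
SAMPLES = {
    "tool/main.py": "import base64\nx = 1\nexec(base64.b64decode('" + "QQ==" * 400 + "'))\n",
    "lib/util.js": "function load(s) {\n  const src = Buffer.from(s, 'base64').toString();\n  return eval(src);\n}\n",
    "app/app.csproj": '<Project>\n  <PropertyGroup>\n    <PreBuildEvent>call "$(ProjectDir)build.bat"</PreBuildEvent>\n  </PropertyGroup>\n</Project>\n',
    "lib/clean.js": "export const add = (a, b) => a + b;\n",
}


def demo() -> list[Finding]:
    """Scan the constructed samples; expect one finding per malicious file."""
    found: list[Finding] = []
    for path, text in SAMPLES.items():
        found.extend(scan_text(path, text))
    return found


if __name__ == "__main__":
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule}")
```

Run it as `python scan.py /path/to/clone` on a freshly cloned repository before building or running anything from it. The rules are deliberately coarse: legitimate projects do sometimes decode Base64 or run pre-build scripts, so each hit is a triage prompt for a human reviewer rather than a verdict, and the build-event rule in particular is the one to check first, since that code runs the moment the project is compiled.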

Impact
The GitVenom campaign has been active for several years, with infection attempts observed globally, particularly in Russia, Brazil, and Turkey.
The attackers’ strategy involves luring victims with fake projects that promise functionalities such as managing Bitcoin wallets or hacking tools for video games.
The campaign’s efficiency is highlighted by the significant financial gains made by the attackers, including a notable transaction of about 5 BTC (approximately $485,000 at the time) to an attacker-controlled Bitcoin wallet.
The campaign underscores the risks of blindly running code from GitHub, emphasizing the need for developers to scrutinize third-party code before integrating it into their projects.
The GitVenom campaign demonstrates how threat actors exploit open-source platforms to spread malware, highlighting the importance of vigilance in the software development community.
As code-sharing platforms continue to grow in popularity, the risk of such campaigns will persist, making it crucial for developers to thoroughly vet any code they use from these platforms.