GitVenom Malware Exploits GitHub for Cryptocurrency Theft: Over $450K Stolen
February 25, 2025
The GitVenom malware campaign exploits numerous GitHub repositories to distribute malicious software aimed at stealing cryptocurrency and user credentials.
The campaign has resulted in the theft of approximately 5 bitcoins, valued at around $456,600, highlighting its financial impact.
To protect themselves, developers and users are advised to scrutinize project authenticity, check contributor accounts, and assess the plausibility of repository activity.
Kaspersky anticipates that attackers will continue to publish malicious projects, likely with minor adjustments to their methods to evade detection.
Active for at least two years, GitVenom primarily targets users in Brazil, Russia, and Turkey, with reports of significant infection attempts in these regions.
Researchers have observed that the perpetrators invested considerable effort in making these repositories appear legitimate, employing well-crafted README files and manipulating commit counts.
Kaspersky analyst Georgy Kucherin noted that the creators of these malicious projects have made significant efforts to make them appear authentic, including the use of AI-generated content.
The malicious code spans multiple programming languages, with Python scripts executing harmful installations and JavaScript functions decoding and running malicious scripts.
Descriptions and README files in these repositories are often multilingual and high-quality, likely generated by AI to enhance their credibility.
Among the malicious components is clipper malware that hijacks clipboard data, replacing cryptocurrency wallet addresses with those controlled by the attackers.
Users should thoroughly vet GitHub projects, inspect repository contents, and execute downloaded files in isolated environments to mitigate the risk of infection.
Despite the misleading presentation, Kaspersky found that the actual functionality of these projects was minimal, often performing meaningless actions instead of the advertised features.
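The advice above to inspect repository contents can be partly automated before anything is run. The following is an added example, not code from Kaspersky or any of the cited sources: a heuristic triage pass over a cloned repository's Python and JavaScript files that flags decode-then-execute chains and run-time package installs. The regular expressions, function names and sample strings are assumptions made for illustration, not GitVenom signatures.

```python
import re
from pathlib import Path

# Generic triage heuristics chosen for this example; they are not GitVenom signatures.
DECODER = re.compile(r"b64decode|unhexlify|fromhex|atob\s*\(|Buffer\.from\s*\(|fromCharCode", re.I)
SINK = {
    ".py": re.compile(r"\b(?:exec|eval)\s*\(|os\.system\s*\(|subprocess\.\w+\s*\("),
    ".js": re.compile(r"\beval\s*\(|new\s+Function\s*\(|child_process"),
}
RUNTIME_INSTALL = re.compile(r"(?:os\.system|subprocess\.\w+)\s*\(.*\bpip\b.*\binstall\b")
WINDOW = 3  # a decoder call this many lines above a sink still counts


def scan_text(suffix, text):
    """Return (line_no, reason) pairs for the contents of one source file."""
    sink = SINK.get(suffix)
    if sink is None:
        return []
    findings, last_decoder = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if DECODER.search(line):
            last_decoder = no
        if suffix == ".py" and RUNTIME_INSTALL.search(line):
            findings.append((no, "installs packages at run time"))
        elif sink.search(line) and last_decoder is not None and no - last_decoder <= WINDOW:
            findings.append((no, "decoded data reaches an execution sink"))
    return findings


def scan_repo(root):
    """Scan every .py/.js file under root; returns {relative_path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SINK:
            hits = scan_text(path.suffix, path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed samples (not taken from any real repository; package name is a placeholder).
SAMPLE_PY = 'import base64, os\nblob = base64.b64decode("cHJpbnQoMSk=")\nexec(blob)\nos.system("pip install example-pkg")\n'
SAMPLE_JS = 'const s = atob("YWxlcnQoMSk=");\nnew Function(s)();\n'
CLEAN_PY = 'import base64\nprint(base64.b64decode("aGk="))\n'

if __name__ == "__main__":
    print(scan_text(".py", SAMPLE_PY), scan_text(".js", SAMPLE_JS), scan_text(".py", CLEAN_PY))
```

A hit is a prompt for manual review in an isolated environment, and a clean result does not show that a repository is safe.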
Summary based on 10 sources
Sources

TechRadar pro • Feb 26, 2025
Hundreds of GitHub repositories hijacked to trick users into downloading malware
BleepingComputer • Feb 25, 2025
GitVenom attacks abuse hundreds of GitHub repos to steal crypto
CoinDesk • Feb 26, 2025
Bitcoin News: Hackers Are Stealing BTC from Malicious GitHub Code Bases
The Hacker News • Feb 25, 2025
GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets