Cybersecurity researchers are calling attention to an ongoing campaign that’s targeting gamers and cryptocurrency investors under the guise of open-source projects hosted on GitHub.
The campaign, which spans hundreds of repositories, has been dubbed GitVenom by Kaspersky.
“The infected projects include an automation instrument for interacting with Instagram accounts, a Telegram bot that enables the remote management of Bitcoin wallets and a crack tool to play the Valorant game,” the Russian cybersecurity vendor said.
“All of this alleged project functionality was fake, and cybercriminals behind the campaign stole personal and banking data and hijacked cryptowallet addresses from the clipboard.”
The malicious activity has facilitated the theft of 5 bitcoins, approximately worth $456,600 as of writing. It’s believed the campaign has been ongoing for at least two years, when some of the fake projects were published. A majority of the infection attempts have been recorded in Russia, Brazil, and Turkey.
The projects in question are written in various programming languages, including Python, JavaScript, C, C++, and C#. But regardless of the language used, the end goal is the same: Launch an embedded malicious payload that’s responsible for retrieving additional components from an attacker-controlled GitHub repository and executing them.
Prominent among these modules is a Node.js information stealer that collects passwords, bank account information, saved credentials, cryptocurrency wallet data, and web browsing history; compresses them into a .7z archive, and exfiltrates it to the threat actors via Telegram.
Also downloaded via the bogus GitHub projects are remote administration tools like AsyncRAT and Quasar RAT that can be used to commandeer infected hosts and a clipper malware that can substitute wallet addressed copied into clipboard with an adversary-owned wallet so as to reroute the digital assets to the threat actors.
“As code sharing platforms such as GitHub are used by millions of developers worldwide, threat actors will certainly continue using fake software as an infection lure in the future,” Kaspersky researcher Georgy Kucherin said.
“For that reason, it is crucial to handle processing of third-party code very carefully. Before attempting to run such code or integrate it into an existing project, it is paramount to thoroughly check what actions are performed by it.”
The development comes as Bitdefender revealed that scammers are exploiting major e-sports tournaments like IEM Katowice 2025 and PGL Cluj-Napoca 2025 to target players of the popular video game Counter-Strike 2 (CS2) with the intent to defraud them.
“By hijacking YouTube accounts to impersonate professional players like s1mple, NiKo, and donk, cybercriminals are luring fans into fraudulent CS2 skin giveaways that result in stolen Steam accounts, cryptocurrency theft, and the loss of valuable in-game items,” the Romanian cybersecurity company said.
