{"id":23858,"date":"2025-02-25T12:51:51","date_gmt":"2025-02-25T08:51:51","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23858"},"modified":"2025-02-25T12:51:51","modified_gmt":"2025-02-25T08:51:51","slug":"malicious-code-in-github","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/malicious-code-in-github\/23858\/","title":{"rendered":"Malicious code on GitHub: How hackers target programmers"},"content":{"rendered":"

Can you imagine a world where, every time you wanted to go somewhere, you had to reinvent the wheel and build a bicycle from scratch? We can\u2019t either. Why reinvent something that already exists and works perfectly well? The same logic applies to programming: developers face routine tasks every day, and instead of inventing their own wheels and bicycles (which might even be not up to par), they simply grab ready-made bicycles<\/span> code from open-source GitHub repositories.<\/p>\n

This solution is available to anyone \u2014\u00a0 including criminals who use the world\u2019s best free open-source code<\/em> as bait for attacks. There\u2019s plenty of evidence to back this up, and here\u2019s the latest: our experts have uncovered an active malicious campaign, GitVenom, targeting GitHub users.<\/p>\n

What is GitVenom?<\/strong><\/h2>\n

GitVenom is what we named this malicious campaign, in which unknown actors created over 200 repositories containing fake projects with malicious code: Telegram bots, tools for hacking the game Valorant, Instagram automation utilities, and Bitcoin wallet managers. At first glance, all the repositories look legitimate. Especially impressive is the well-designed README.MD file \u2014 a guide on how to work with the code \u2014 with detailed instructions in multiple languages. In addition to that, attackers added multiple tags to their repositories.<\/p>\n

\"Attackers<\/a>

Attackers used AI to write detailed instructions in multiple languages<\/p><\/div>\n

Another indicator reinforcing the apparent legitimacy of these repositories is the large number of commits. The attackers\u2019 repositories have tons of them \u2014 tens of thousands. The attackers weren\u2019t, of course, manually updating each of the 200 repositories to maintain authenticity, but simply used timestamp files that updated every few minutes. The combination of detailed documentation and numerous commits creates the illusion that the code is genuine and safe to use.<\/p>\n

GitVenom: Two years of activity<\/strong><\/h2>\n

The campaign started a long time ago: the oldest fake repository we found is about two years old. In the meantime, GitVenom has affected developers in Russia, Brazil, Turkey, and other countries. The attackers covered a wide range of programming languages: malicious code was found in Python, JavaScript, C, C#, and C++ repositories.<\/p>\n

Regarding the functionality of these projects, the features described in the README file didn\u2019t even match the actual code \u2014 in reality, the code doesn\u2019t do half of what it claims. But \u201cthanks\u201d to it, victims end up downloading malicious components. These include:<\/p>\n