GitVenom attacks abuse hundreds of GitHub repos to steal crypto.

Information:

  GitHub is a web-based version control and collaboration platform for software developers. Git is used to store the source code for a project and track the complete history of all changes to that code. It lets developers collaborate on a project more effectively.

  GitHub allows developers to change, adapt and improve software from its public repositories for free, or as part of various paid plans. Each public and private repository contains all of a project's files, as well as each file's revision history. Repositories can have multiple collaborators and owners.

Incident:

  A malware campaign known as "GitVenom" has been exploiting hundreds of GitHub repositories to distribute malicious software, including information stealers, remote access trojans (RATs), and clipboard hijackers, aiming to steal cryptocurrency and user credentials. Active for at least two years, this campaign has primarily targeted users in Russia, Brazil, and Turkey.

Picture 1: One of the malicious GitHub repositories.

Attackers create fake GitHub repositories masquerading as useful tools, such as Instagram automation scripts, Telegram bots for Bitcoin wallet management, and hacking utilities for games like Valorant.

   These repositories are meticulously crafted with detailed descriptions and readme files, possibly generated using AI tools. To appear legitimate, attackers artificially inflate the number of commits, suggesting active development.

  The malicious code is written in multiple languages, including Python, JavaScript, C, C++, and C#, to evade detection. Once the victim runs the malicious code, it downloads a second-stage payload from attacker-controlled repositories, including Node.js Stealer, AsyncRAT, Quasar Backdoor and Clipboard Hijacker.

Recommendation:

  - Before downloading or executing code from any repository, users should thoroughly review its content, scan for malware, and consider testing in isolated environments.

  - Indicators such as overly complex or obfuscated code, an unusually high number of commits in a short period, and excessively detailed readme files may signal malicious intent.
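The three indicators listed above (obfuscated code, a burst of commits in a short period, an unusually long readme) can be turned into a simple triage check run over a cloned repository before anything in it is executed. The script below is an added example, not code from the original bulletin or from the Securelist/BleepingComputer reports; the thresholds and the sample repository contents are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Obfuscation markers: a very long base64-looking literal, and exec/eval fed
# from a decode call. Thresholds below are assumptions, not from the report.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")
DECODE_EXEC = re.compile(r"(exec|eval)\s*\(.*b64decode", re.S)

def looks_obfuscated(source: str) -> list[str]:
    """Return the obfuscation markers found in one source file."""
    hits = []
    if BASE64_BLOB.search(source):
        hits.append("long base64-like literal")
    if DECODE_EXEC.search(source):
        hits.append("exec/eval of decoded data")
    return hits

def commit_burst(timestamps, window_hours: int = 24, limit: int = 50) -> bool:
    """True if more than `limit` commits fall inside any sliding time window."""
    ts = sorted(timestamps)
    window = timedelta(hours=window_hours)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False

def triage(readme: str, timestamps, files: dict) -> list[str]:
    """Collect every indicator that fires for a repository snapshot."""
    findings = []
    if len(readme) > 5000:  # assumption: "excessively detailed" readme
        findings.append("very long README")
    if commit_burst(timestamps):
        findings.append("commit burst")
    for name, src in files.items():
        for marker in looks_obfuscated(src):
            findings.append(f"{name}: {marker}")
    return findings

# Constructed sample repository (80 commits in 80 minutes, one padded file).
SAMPLE_COMMITS = [datetime(2025, 2, 1, 9, 0) + timedelta(minutes=i) for i in range(80)]
SAMPLE_FILES = {
    "bot.py": "import base64\nexec(base64.b64decode('" + "QUFB" * 100 + "'))\n",
    "utils.py": "def add(a, b):\n    return a + b\n",
}
SAMPLE_README = "Telegram bot for Bitcoin wallet management.\n" * 200

if __name__ == "__main__":
    for finding in triage(SAMPLE_README, SAMPLE_COMMITS, SAMPLE_FILES):
        print("suspicious:", finding)
```

In practice the commit timestamps would come from `git log --format=%cI` on the clone and the file contents from walking the working tree; the heuristics only flag candidates for manual review, they do not prove a repository is malicious.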

The important thing is security. We must stay vigilant and monitor as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)

References:

  - https://www.bleepingcomputer.com/news/security/gitvenom-attacks-abuse-hundreds-of-github-repos-to-steal-crypto/

  - https://securelist.com/gitvenom-campaign/115694/

  - https://www.techtarget.com/searchitoperations/definition/GitHub

Weekly Interesting CVE

1. CVE-2024-37355
   Published Date: 12/2/2025
   Last Update: 12/2/2025
   Device/Application/OS Target: Intel(R) Graphics software
   Attack Type: Escalation of Privilege, Denial of Service
   CVSS Severity Rating: 8.8
   Detail: Improper access control in some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access.
   Solution: Update to the latest version.
   Reference: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01235.html

2. CVE-2025-21355
   Published Date: 19/2/2025
   Last Update: 19/2/2025
   Device/Application/OS Target: Microsoft Bing
   Attack Type: Remote Code Execution
   CVSS Severity Rating: 8.6
   Detail: Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network.
   Solution: This CVE requires no customer action to resolve.
   Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21355

3. CVE-2025-1426
   Published Date: 19/2/2025
   Last Update: 19/2/2025
   Device/Application/OS Target: Google Chrome on Android prior to 133.0.6943.126
   Attack Type: Heap buffer overflow
   CVSS Severity Rating: 8.8
   Detail: Heap buffer overflow in GPU in Google Chrome on Android prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
   Solution: Update to version 133.0.6943.126 or later.
   Reference: https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html

4. CVE-2025-27106
   Published Date: 21/2/2025
   Last Update: 21/2/2025
   Device/Application/OS Target: binance-trading-bot
   Attack Type: Command Injection
   CVSS Severity Rating: 7.7
   Detail: Authenticated users of binance-trading-bot can achieve Remote Code Execution on the host system due to a command injection vulnerability in the `/restore` endpoint.
   Solution: Update to version 0.0.100 or later.
   Reference: https://github.com/chrisleekr/binance-trading-bot/commit/99d464cf8ef858d441189993054ec5f5f86e6213

5. CVE-2025-1538
   Published Date: 21/2/2025
   Last Update: 21/2/2025
   Device/Application/OS Target: D-Link DAP-1320 version 1.00
   Attack Type: Heap buffer overflow
   CVSS Severity Rating: 9.0
   Detail: A vulnerability classified as critical was found in D-Link DAP-1320 1.00. Affected by this vulnerability is the function set_ws_action of the file /dws/api/. The manipulation leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
   Solution: Since this device is no longer supported, users should consider replacing it with a newer model that still receives security updates and support from D-Link.
   Reference: https://www.cvedetails.com/cve/CVE-2025-1538/

1. CISA and FBI warn Ghost ransomware is targeting critical infrastructure and businesses
   Detection Date: 19/02/2025
   Attack Type: Ransomware, Information-stealer
   Description: The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have disclosed information about Ghost ransomware, which has impacted over 70 countries worldwide, targeting infrastructure, schools, and healthcare.

   The attackers exploited vulnerabilities in FortiOS appliances (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain access to the victims' organizations and deploy Cobalt Strike while elevating their privileges. They then stealthily exfiltrated critical data from within the systems before launching the ransomware attack using files such as Cring.exe, Ghost.exe, and ElysiumO.exe to encrypt the victims' machines and demand a ransom.

   Mitigation/Remediation:
   • Apply the latest security patches.
   • Deploy endpoint security such as antivirus.
   • Maintain regular system backups.

   Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a

11 March 2025
