Kaspersky identifies malware framework targeting cryptocurrency users and developers, turning trusted open-source code into a delivery system for wallet theft and credential grabs.
- GitHub trust abused
- Wallet seed phrases targeted
- Fake projects, real malware
- Hundreds of victims reported by Kaspersky
The playbook is old and ugly: package malware as something useful, put it where people already trust it, and let curiosity do the rest. In Kaspersky’s reporting, the lure was GitVenom: Malicious GitHub Repositories Target users who cloned, ran, or built the code.
That matters because GitHub is not some shady file dump in a dark corner of the web. It is one of the default trust machines for developers. Attackers know a polished README, a convincing project name, and a bit of fake activity can make a repo look harmless. In crypto, where people often depend on third-party tools, wallet utilities, bots, and scripts, that trust can get expensive fast.
What Kaspersky says was found
Kaspersky identifies the campaign as GitVenom. In its reporting, the company says attackers built hundreds of GitHub repositories containing fake projects to lure victims into running malicious code. The fake projects reportedly included an Instagram automation tool, a Telegram bot for managing Bitcoin wallets, and a hacking tool for the game Valorant.
This was not just random nuisance infection. According to Kaspersky, the Kaspersky reveals a new malicious framework targeting cryptocurrency users was built to steal sensitive data, including wallet seed phrases and browser credentials. A seed phrase is the recovery phrase that can restore access to a crypto wallet. If an attacker gets it, they usually get the funds too. No drama, no undo button, just theft.
Kaspersky also says the repositories were made to look credible, with polished documentation, tags, commit activity, and other signals that make a project appear active. Some of the README files may have been AI-generated, which is a pretty modern insult: machine-written fluff helping machine-assisted theft.
How the trap worked
The scam works because people use trust signals to judge whether code is safe. They check the repo description, scan the setup instructions, look at the commit history, and assume a project that looks organized is probably fine. Attackers exploit that habit by hiding malicious code in places a casual reviewer may not spot.
According to Kaspersky, the infection method varied by programming language. In Python projects, malicious code could be concealed in obfuscated lines or triggered when the script runs. In JavaScript projects, a malicious function could decode Base64 data and execute code. In C, C++, and C# projects, the payload could be embedded in Visual Studio project files so it runs at build time, meaning when the user compiles the software rather than when they first open the repository.
That last part is especially nasty. A victim may think they are simply building a tool, but the build process itself is where the compromise happens. The malware does not need a flashy exploit if it can wait until the user presses the wrong button with confidence.
Why crypto users are such an attractive target
Crypto users are attractive targets for a simple reason: the payoff can be immediate and the theft is often irreversible. Once seed phrases, exchange logins, or browser-stored credentials are stolen, attackers can move quickly and drain assets before the victim has time to react.
That is why malware campaigns keep circling around wallets, browser extensions, automation tools, and trading utilities. Crypto users often need to interact with third-party software more than the average person, which increases the attack surface. Convenience is great right up until it becomes the attacker’s favorite feature.
There is also a broader lesson here for open-source ecosystems. The problem is not that GitHub exists. The problem is that attackers can fake the same signals people use to judge legitimacy: stars, tags, commits, documentation, and project age. Once those signals can be manufactured at scale, trust stops being a defense and starts becoming bait.
What Kaspersky says the framework could do
Kaspersky says the framework included components that could steal wallet seed phrases, monitor Chromium-based browsers, and deploy additional malware. The company also says the campaign could record video, steal credentials, download malicious browser extensions, and execute remote commands.
That modular setup matters. It suggests this was not a one-off prank or a disposable scam kit. A modular framework can be updated, reused, and expanded across new lures, which is a lot more efficient than tossing a single payload into the wind and hoping it sticks.
Kaspersky says the campaign affected hundreds of victims across more than 25 countries, with the most affected including Brazil, Vietnam, Canada, Mexico, and Türkiye. Those figures reflect Kaspersky’s own telemetry and analysis, not some universal census of all crypto malware victims on Earth. Still, the reach is wide enough to show this was not a tiny nuisance operation.
The company also says code artifacts suggest links to Russian-speaking cybercriminals. That is an indicator, not courtroom proof, so it should be read as attribution context rather than a final verdict.
Why the naming gets messy
There is some naming confusion around the malware family in Kaspersky’s materials. Securelist uses GitVenom for the campaign, while other reporting ties the framework to names such as OkoBot and OkoSpyware. The cleanest way to read it is that GitVenom is the campaign name, while the other labels may refer to the framework or a component within it.
That kind of overlap is common in cybersecurity. The branding can get messy, but the behavior is what matters. If code steals wallet data, browser credentials, and remote access, the exact sticker on the box matters a lot less than the fact that the box is booby-trapped.
What users should take from this
The lesson is not “GitHub is unsafe” or “crypto is doomed.” The lesson is that open-source trust can be weaponized, and crypto users are still too quick to run code from strangers if the repository looks tidy enough.
A slick README is not a security review. A busy-looking commit history is not proof of safety. And a repository with a few badges and a clean layout is not your new best friend.
Kaspersky recommends keeping security software enabled, avoiding disabling antivirus to install software, keeping operating systems and apps updated, using strong unique passwords and multi-factor authentication, and storing sensitive data securely. For crypto users, that last part means keeping seed phrases offline and never pasting them into apps, scripts, or repositories that ask for them. If a tool wants your recovery phrase, the tool is the problem.
The more specific defense here is simple: verify who published the repository, inspect the project history, treat setup instructions from unknown code with suspicion, and avoid running third-party software that demands wallet access or browser permissions without a very good reason. If a repo promises convenience while asking for privileged access, that is not efficiency. That is a trap with better branding.
Key questions and quick answers
-
What did Kaspersky identify?
Kaspersky identified GitVenom, a malicious campaign that used fake GitHub repositories to target crypto users and developers. -
Why is GitHub such an effective lure?
Because developers trust the platform, and attackers can fake the credibility signals people rely on, such as documentation, commits, tags, and project activity. -
What was the malware after?
Kaspersky says it was after wallet seed phrases, browser credentials, and other sensitive data that can be used to steal funds or access accounts. -
How widespread was the campaign?
Kaspersky says it affected hundreds of victims across more than 25 countries, including Brazil, Vietnam, Canada, Mexico, and Türkiye. -
Who is most at risk?
Crypto users, wallet holders, and developers who run or compile code from third-party repositories are especially exposed.
The deeper problem is trust at scale. Open-source software depends on people believing what they see, and crypto depends on people keeping access keys out of the wrong hands. Attackers understand both systems well enough to exploit them with fake projects, polished documentation, and malware that hides in plain sight. That is the ugly part. The good part is that the defense is still basic discipline: verify, inspect, and do not hand your keys to a repo just because it looks organized.
Further reading
More context on the same playbook: fake repos, supply-chain abuse, and the messier side of GitHub trust.
- Kaspersky uncovers OkoBot framework targeting crypto wallets
- Kaspersky exposes hidden malware on GitHub stealing personal data and bitcoin
- Software supply-chain attacks in crypto
- Fake GitHub projects used to steal crypto, Kaspersky warns
- OpenClaw founder slams GitHub’s vulnerability system over AI-generated slop crisis
- Crypto wallet security crisis: seed phrases fail, hardware wallets rise
- EIPsInsight’s analytics tool: automating GitHub PR and issue tracking