Cybersecurity experts are warning of an ongoing campaign targeting gamers and cryptocurrency investors through fake open-source projects hosted on GitHub.
This campaign, dubbed GitVenom by Kaspersky, spans hundreds of repositories and is designed to steal personal and banking data, as well as hijack crypto wallet addresses from the clipboard.
According to Kaspersky, the infected projects include tools for automating Instagram accounts, a Telegram bot for managing Bitcoin wallets, and a crack tool for playing the game Valorant.
Although the projects appear to offer legitimate functionality, they are actually fake and designed to launch malicious payloads that steal sensitive information.
The campaign has resulted in the theft of approximately 5 bitcoins, valued at around $456,600, and has been ongoing for at least two years, with most infection attempts recorded in Russia, Brazil, and Turkey.
The malicious projects are written in various programming languages, including Python, JavaScript, C, C++, and C#, but all share the same goal of launching embedded malicious payloads.
Prominent among these payloads is a Node.js information stealer that collects passwords, bank account information, saved credentials, cryptocurrency wallet data, and web browsing history, and exfiltrates it to the threat actors via Telegram.
Other malicious tools downloaded via the fake GitHub projects include remote administration tools like AsyncRAT and Quasar RAT, as well as clipper malware that replaces wallet addresses copied to the clipboard with an adversary-owned wallet address.
“As code sharing platforms like GitHub are used by millions of developers worldwide, threat actors will continue to use fake software as an infection lure in the future,” warned Kaspersky researcher Georgy Kucherin.
“It is crucial to handle third-party code with care and thoroughly check its actions before running it or integrating it into existing projects,” Kucherin added.
This development comes as Bitdefender revealed that scammers are exploiting major e-sports tournaments like IEM Katowice 2025 and PGL Cluj-Napoca 2025 to target players of the popular video game Counter-Strike 2 (CS2) with the intent to defraud them.
“By hijacking YouTube accounts to impersonate professional players, cybercriminals are luring fans into fraudulent CS2 skin giveaways, resulting in stolen Steam accounts, cryptocurrency theft, and the loss of valuable in-game items,” Bitdefender said.