These aren’t amateur projects. The fake repositories look legit—polished READMEs, inflated commit numbers, a mix of programming languages. They’re practically begging you to download them. Some descriptions are so well-crafted they might be AI-generated. Very sneaky.
Once downloaded, the malicious code releases a nasty cocktail of malware. Remote access trojans. Info-stealers. Clipboard hijackers. The works. The payloads download additional components and start exfiltrating data through Telegram. Your system is now compromised. Congrats.
The most profitable aspect? Cryptocurrency theft. The malware monitors clipboard activity, waiting for you to copy a wallet address. Then—bam!—it swaps in the attacker’s wallet address, so the funds you send go to the criminal. One hacker wallet received 5 Bitcoin (worth about $450,000) in November 2024 alone. That’s real money vanishing into thin air.
These cybercriminals aren’t amateurs. They’ve crafted evasion techniques that would make security pros sweat. Malicious code hidden on the same line after 2,000 tabs in Python projects, so it sits far off-screen in an editor. Rogue functions buried in JavaScript files. Different coding tactics to dodge antivirus software. They know what they’re doing.
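Two of the tells described above, code hidden on one line behind a huge run of tabs and exfiltration through the Telegram bot API, can be caught with a simple static scan before you run anything from an unfamiliar repository. The scanner below is an added example written for this post, not code from the campaign or from any vendor report. The sample files it scans are constructed here to mimic the pattern (the "hidden" payload is just a harmless print), and the 100-character gap threshold is an assumption chosen to catch the 2,000-tab trick with room to spare.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed threshold (not from the page): one line with this many consecutive
# tabs/spaces between two pieces of code is hiding something off-screen. The
# campaign used ~2,000 tabs, so a much lower bar still catches it while normal
# source code (indentation, aligned comments) stays well below it.
GAP_THRESHOLD = 100

# A non-space, then a long horizontal gap, then more code on the same line.
GAP_RE = re.compile(r"\S([ \t]{%d,})\S" % GAP_THRESHOLD)
# Telegram bot API endpoint: the channel the page says the payloads exfiltrate through.
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    detail: str


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per rule hit, line by line, for a single file."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        gap = GAP_RE.search(line)
        if gap:
            findings.append(Finding(
                path, line_no, "hidden-code-gap",
                f"{len(gap.group(1))} whitespace chars precede off-screen code"))
        if TELEGRAM_RE.search(line):
            findings.append(Finding(
                path, line_no, "telegram-bot-api", line.strip()[:80]))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of relative path -> file contents (e.g. a checked-out repo)."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample files (hypothetical, not real malware): one Python file with
# code pushed off-screen behind 300 tabs, one JS file that talks to a Telegram
# bot, and one clean file that must produce no findings.
SAMPLE_FILES = {
    "setup.py": (
        "from setuptools import setup\n"
        "setup(name='cool-tool', version='1.0')" + "\t" * 300 + "print('hidden')\n"
    ),
    "bot.js": (
        "const TOKEN = process.env.TOKEN;\n"
        "fetch(`https://api.telegram.org/bot${TOKEN}/sendDocument`);\n"
    ),
    "clean.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.detail}")
```

Run it over a real checkout by building the dictionary from the files on disk; anything flagged as `hidden-code-gap` deserves opening the file with "show whitespace" enabled and reading to the end of the line, and `telegram-bot-api` in a project that has no business messaging Telegram is a reason to stop and inspect before installing.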
The targets are clear: gamers and crypto investors. People who might not scrutinize code before running it. People who see a cool project and think, “Why not?” Victims span multiple countries, with notable concentrations in Russia, Brazil, and Turkey.
The campaign has operated for at least two years. Two years! That’s a lifetime in cybersecurity terms. The hackers exploit GitHub’s popularity as a trusted platform for open-source projects. These attackers often mimic legitimate applications like Telegram bots and gaming tools to appear trustworthy. They’re counting on users’ trust and GitHub’s hands-off approach.
What’s worse is how the attacks keep evolving. The malware now includes Node.js stealers for credentials and specialized tools like AsyncRAT and Quasar backdoor. They’re adapting, improving, stealing more. And so far, they’re getting away with it.