A mysterious group of hackers has been making serious cash by uploading fake projects to GitHub, tricking users into downloading malware-ridden software. According to cybersecurity experts at Kaspersky Lab, these cybercriminals have set up hundreds of repositories filled with remote access trojans, info-stealing programs, and clipboard hijackers—all designed to compromise unsuspecting users.
Among the deceptive projects are a Telegram bot that supposedly manages Bitcoin wallets and an automation tool for Instagram accounts. Some of these fake repositories have been sitting on GitHub for over two years, quietly waiting for victims. To make their malicious software look legitimate, the hackers went the extra mile—adding detailed descriptions, instruction files, and even artificially boosting commit counts to create the illusion of active development.
One particularly nasty piece of malware is an info-stealer that grabs saved login credentials, cryptocurrency wallet details, and even browser history, sending everything straight to the hackers via Telegram. Another sneaky tool is a clipboard hijacker that swaps out copied crypto wallet addresses with ones controlled by the attackers—meaning if a victim pastes a wallet address for a transaction, they unknowingly send their funds to the hackers instead.
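The clipboard swap described above is detectable from the defender's side because the address the user copied and the address the clipboard holds at paste time no longer match. The following Python example is added here and is not code from the original article or from Kaspersky's research; it runs a simple "paste guard" over a constructed sequence of clipboard events (assumed, not real captures) and flags any pair where a wallet address changed between copy and paste. It also validates Base58Check integrity (the standard encoding of legacy Bitcoin addresses) so that a corrupted or truncated address is caught as well; the syntactic address patterns and the event format are this example's own assumptions.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Assumed syntactic patterns: legacy Base58 (1.../3...) and bech32 (bc1...).
_ADDR_RE = re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$")

# Satoshi's well-known genesis-block address, used here as a legitimate sample.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

# Constructed clipboard log: ("copy", text) is what the user copied,
# ("paste", text) is what the clipboard actually contained when pasted.
SAMPLE_EVENTS = [
    ("copy", GENESIS_ADDR),
    ("paste", GENESIS_ADDR),                           # untouched: fine
    ("copy", "hello world"),
    ("paste", "hello world"),                          # not an address: ignored
    ("copy", GENESIS_ADDR),
    ("paste", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # silently replaced
]


def looks_like_address(text: str) -> bool:
    """Cheap syntactic check: does this clipboard content resemble a BTC address?"""
    return bool(_ADDR_RE.match(text.strip()))


def base58check_valid(addr: str) -> bool:
    """Verify a legacy address decodes to 25 bytes whose last 4 bytes equal
    the first 4 bytes of SHA256(SHA256(version || payload))."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte (e.g. the 0x00 version byte).
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def detect_swaps(events):
    """Return (copied, pasted) pairs where a wallet address copied by the user
    differs from what the clipboard held at paste time."""
    alerts = []
    last_copied = None
    for action, content in events:
        if action == "copy":
            last_copied = content
        elif action == "paste" and last_copied is not None:
            if looks_like_address(last_copied) and content != last_copied:
                alerts.append((last_copied, content))
    return alerts


if __name__ == "__main__":
    print("genesis address checksum ok:", base58check_valid(GENESIS_ADDR))
    for copied, pasted in detect_swaps(SAMPLE_EVENTS):
        print(f"ALERT: copied {copied} but clipboard now holds {pasted}")
```

In a real deployment the events would come from a clipboard hook rather than a list, but the logic is the same: remember what you copied, re-read the clipboard just before pasting into a transaction form, and refuse to proceed if an address changed. The checksum check is a secondary safeguard; a hijacker substitutes a perfectly valid address, so only the copy-versus-paste comparison catches the attack itself.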
So far, at least one confirmed victim fell for this scam, losing 5 BTC (worth around $485,000 at the time) in November 2024. The entire operation, dubbed “GitVenom,” has been spotted targeting users worldwide, with a particular focus on Russia, Brazil, and Turkey.
Cybersecurity experts strongly advise developers to thoroughly check what a piece of software actually does before downloading and running it from GitHub. In a similar case, researchers at SecurityScorecard recently uncovered a GitHub profile linked to North Korean malware designed to hijack cryptocurrency wallets.
Bottom line? Always verify your sources before trusting software from GitHub—because not everything that looks legit is safe.