Market Prices

BTC Bitcoin
$64,664.9 +1.12%
ETH Ethereum
$1,865.85 +1.24%
SOL Solana
$75.89 +0.92%
BNB BNB Chain
$569.1 +0.21%
XRP XRP Ledger
$1.09 +0.47%
DOGE Dogecoin
$0.0725 -0.25%
ADA Cardano
$0.1670 -0.30%
AVAX Avalanche
$6.59 -0.56%
DOT Polkadot
$0.8364 -1.41%
LINK Chainlink
$8.34 +0.94%

Event Calendar

{{年份}}
18
03
unlock Sui Token Unlock

Team and early investor shares released

28
03
unlock Arbitrum Token Unlock

92 million ARB released

12
05
halving BCH Halving

Block reward halving event

22
03
unlock Optimism Unlock

Circulating supply increases by about 2%

10
05
upgrade Ethereum Pectra Upgrade

Raises validator limit and account abstraction

15
04
halving Bitcoin Halving

Block reward reduced to 3.125 BTC

08
04
upgrade Solana Firedancer

Independent validator client goes live on mainnet

30
04
upgrade Celestia Mainnet Upgrade

Improves data availability sampling efficiency

Gas Tracker

Ethereum 28 Gwei
BNB Chain 3 Gwei
Polygon 42 Gwei
Arbitrum 0.5 Gwei
Optimism 0.3 Gwei

💡 Smart Money

0x95b4...d191
Market Maker
+$0.2M
63%
0x8b6a...44cc
Institutional Custody
+$2.6M
73%
0x7256...d656
Early Investor
+$0.6M
91%

🧮 Tools

All →

The Ghost in the Repo: How GitVenom Is Weaponizing Open Source Trust to Drain Wallets

BullBoy
Macro

The terminal flashes green. The developer, a DeFi engineer in Berlin, has just cloned what looks like a promising trading bot from GitHub. The README is polished—AI-generated, but he doesn't know that yet. He runs the setup script. Nothing happens. No error. No output. He shrugs and closes the laptop. But deep in his system, a Python script is silently copying his Bitcoin wallet directory, encrypting the data, and sending it to a server in Eastern Europe.

This is not a hypothetical. Over the past 30 days, Kaspersky’s threat intelligence team has flagged over 200 fake GitHub repositories—all part of a campaign they’ve dubbed GitVenom. The targets? Crypto investors and developers. The payload? Infostealers designed to exfiltrate private keys, wallet files, and browser-stored passwords. And the weapon of choice for credibility? AI-generated documentation.

Volatility isn't the real trap. The trap is forgetting why you started the dance. In crypto, we obsess over price swings, but the real risk has always been at the code level. GitVenom is the latest reminder that the dance floor is rigged.


## Context: Why Now? The timing of GitVenom’s discovery is no coincidence. We’re in a bear market. Hype cycles have quieted. Developers are building, and investors are hunting for alpha in obscure tools. Attackers know this. When the market is quiet, security vigilance drops. People let their guard down—they just want to find the next edge.

Kaspersky’s report, published earlier this week, details a sophisticated supply chain attack. The attackers created hundreds of GitHub repositories—each appearing to offer legitimate crypto utilities: arbitrage bots, mining scripts, wallet recovery tools. But every single repo contained hidden malicious code. To make the traps believable, they used large language models (LLMs) to generate convincing README files, documentation, and even fake issue threads. The result? Repos that look active, professional, and trustworthy.

I’ve been watching this space since the ICO days. Don't regret the dance. Back in 2017, we danced with whitepapers. Now we dance with repositories. The steps change, but the fall remains the same.


## Core: The Anatomy of GitVenom Let’s get into the technical meat. Based on the Kaspersky analysis and my own experience auditing code in the cybersecurity trenches, here’s how GitVenom operates.

### 1. The Bait Attackers identify high-value keywords: “Uniswap arbitrage bot,” “Solana MEV scanner,” “Bitcoin wallet recovery seed phrase finder.” They register these as new GitHub repos, using stolen or fresh accounts. The repo name often mimics popular projects—like flashloan-arbitrage-bot-v2. They seed the repo with multiple files to appear active: a src/ folder, a tests/ folder, a requirements.txt. To the untrained eye, it looks like a real project under development.

### 2. The AI-Generated Gloss The README is the hook. It’s written in perfect English, explains the project’s value proposition, includes installation instructions, and often features a fake star count (obtained through bot networks). Some repos even link to a fabricated Medium article or Twitter thread. The attackers are investing in realism—because the payoff is worth it.

### 3. The Payload Inside the code, the malicious logic is hidden. Common techniques include: - Base64-encoded strings that decode to a command to download a second-stage payload. - Steganography: the malware hides inside seemingly innocent image files within the repo. - Obfuscated Python scripts that, when executed, check for the presence of common wallet directories: ~/.bitcoin/, ~/.ethereum/, ~/.solana/, as well as browser storage for browser-based wallets like MetaMask, Phantom, and Keplr.

Once the script finds wallet files, it exfiltrates them to a hardcoded IP or a Pastebin-like service. Some versions also install a keylogger to capture passwords typed after execution.

### 4. The Scale 200 repositories is not a small operation. It suggests either a coordinated group or a highly automated pipeline. The attackers are using APIs to create repos, push code, and manage multiple GitHub accounts. This is industrial-scale phishing, repackaged as open-source.

The Ghost in the Repo: How GitVenom Is Weaponizing Open Source Trust to Drain Wallets

### 5. The Infection Vector Most victims are developers who run the code locally. But a more dangerous vector exists: if a developer unwittingly includes a malicious dependency from one of these repos into a larger project, the infection spreads downstream. Imagine an open-source DeFi protocol that incorporates a compromised library—then every user of that protocol becomes a target. This is the supply chain nightmare.

The chain never lies, but the GitHub repo might.


## Contrarian: The Unreported Angle Here’s what most coverage misses: GitVenom is not just a malware campaign; it’s a stress test on the ideological foundation of open source in crypto. We built this industry on “trust the code, not the person.” But code can lie. And now, AI makes it easy to fabricate entire projects that pass the sniff test.

The contrarian view: The real threat isn’t wallet theft—it’s the erosion of trust in the GitHub ecosystem. If every promising new tool could be a honeypot, developers will hesitate to use anything that isn’t audited by a major firm. Innovation slows. The permissionless nature of crypto suffers.

Moreover, the attack exposes a blind spot in institutional adoption. Institutions require code audits, but they often rely on the same open-source libraries that small teams use. A single compromised dependency can cascade. In 2025, with ETFs and regulated custody, the stakes are higher than ever.

Finally, note the attacker’s choice of target: Bitcoin wallets. Not smart contracts, not DeFi pools. They want the ultimate store of value—the hardest money. This suggests a focus on long-term holders, not traders. The attackers know that patience pays.


## Takeaway: What to Watch Next GitVenom will not be the last. The playbook is now public. Expect copycats. Expect variants targeting npm and PyPI. Expect attackers to use AI to generate fake conversation histories in GitHub issues to boost credibility.

But here’s the forward-looking thought: The crypto community must evolve its verification rituals. We need on-chain provenance for open-source code. We need developers to cryptographically sign their commits with wallets that have on-chain reputation. We need tools that analyze repo freshness, contributor history, and code similarity against known malware databases.

The Ghost in the Repo: How GitVenom Is Weaponizing Open Source Trust to Drain Wallets

Until then, every git clone is an act of faith. And faith, in a bear market, is expensive.


Based on my years in cybersecurity—from tracing phishing rings in 2017 to covering DeFi summer—I’ve learned that the worst hacks aren’t the ones that break the chain. They’re the ones that break the trust.

Fear & Greed

28

Fear

Market Sentiment

Altseason Index

43

Bitcoin Season

BTC Dominance Altseason

Market Cap

All →
# Coin Price
1
Bitcoin BTC
$64,664.9
1
Ethereum ETH
$1,865.85
1
Solana SOL
$75.89
1
BNB Chain BNB
$569.1
1
XRP Ledger XRP
$1.09
1
Dogecoin DOGE
$0.0725
1
Cardano ADA
$0.1670
1
Avalanche AVAX
$6.59
1
Polkadot DOT
$0.8364
1
Chainlink LINK
$8.34

🐋 Whale Tracker

🔴
0xbf39...9a5c
1h ago
Out
5,699,684 DOGE
🟢
0xf32b...dbd7
2m ago
In
7,506,404 DOGE
🔴
0xad3d...e130
12h ago
Out
4,936,592 DOGE