Kaspersky researchers identified a new malware campaign targeting crypto investors through fraudulent GitHub repositories and social engineering. The attackers pose as legitimate open-source projects, tricking developers and crypto users into downloading code that drops an infostealer on the host machine.
Why it matters
Open-source distribution has become one of the most effective delivery channels for crypto-focused malware because the trust model is built on reputation rather than verification. A repo that looks professional, has plausible commit history, and references a real project name is enough to get past a hurried download. Seed phrases, browser wallet extensions, and exchange credentials all live on the same machines developers use to clone a repo, so a single bad pull is enough to drain funds.
Market impact
Crypto-specific losses from stealer malware climbed sharply through 2025, and developer-targeted supply chain attacks have produced some of the year's largest individual incidents. The recurring read for investors is operational: keep cold storage off the same machine used for development, scope token approvals, and treat every GitHub download as untrusted until verified.
Frequently asked questions
-
What did Kaspersky actually discover?
Kaspersky researchers identified a new malware campaign targeting crypto investors through fraudulent GitHub repositories and social engineering, posing as legitimate open-source projects to distribute an infostealer.
-
How does the attack reach crypto users?
Attackers publish fake repositories that look like legitimate projects. When a developer or crypto user clones the repo and runs the code, it drops an infostealer on the host machine.
-
What does the malware try to steal?
The infostealer targets browser wallet extensions, exchange credentials, and any seed phrases stored on the infected machine.
-
Why is GitHub a useful delivery channel for crypto malware?
Open-source trust is built on repository reputation rather than verification. A professional-looking repo with plausible commit history can pass a hurried download without raising suspicion.
-
How can crypto users reduce the risk?
Keep signing keys on air-gapped hardware, scope token approvals tightly, and treat unfamiliar GitHub downloads as compromised until independently verified.
CoinTelegraph