HomeBitcoinMultiple malware attacks are affecting GitHub projects, including cryptocurrency projects.

Multiple malware attacks are affecting GitHub projects, including cryptocurrency projects.


The developer who discovered the vulnerability asked other developers to sign their revisions using the GPG key so that the project’s revision history could be checked.

On a day when thousands of wallets with Solana addresses had millions of dollars’ worth of funds stolen, the important developer platform GitHub came under a pervasive malware attack and reported 35,000 “code hits.”

Stephen Lucy, a GitHub developer who first reported the incident earlier on Wednesday, highlighted the attack’s broad reach. The problem was discovered by the developer as he was looking over a project that he had located via Google.

The attack has so far been discovered to affect a number of projects, including crypto, Golang, Python, JavaScript, Bash, Docker, and Kubernetes. The NPM script, a convenient way to group common shell commands for a project, the install documentation, and the docker images are the targets of the malware attack.

The attacker first makes a fake repository (a repository contains all of the project’s files and each file’s revision history) and pushes clones of legitimate projects to GitHub in order to trick developers and gain access to crucial data. The following two screenshots, for instance, display this legitimate crypto miner project and its clone.

Original crypto mining project. Source: Github

Cloned crypto mining project. Source: Github

These “pull requests,” which permit developers to inform others about changes they have pushed to a branch in a repository on GitHub, were used to push many of these clone repositories.

The entire environment variable (ENV) of the script, application, or laptop (Electron apps) is sent to the attacker’s server as soon as the developer succumbs to the malware attack. The ENV contains a variety of keys, such as access keys for Amazon Web Services, crypto keys, and security keys.

The problem has been reported to GitHub by the developer, who also gave developers the advice to GPG-sign any revisions they make to the repository. GPG keys provide a way to confirm that all revisions come from a reputable source, adding an extra layer of security to GitHub accounts and software projects.


Leave a Reply


Argo Blockchain Sells Bitcoin Mining Facility to Galaxy Digital Holdings in Struggle to Stay Afloat.

The Bitcoin mining crisis continues as miners continue to sell their facilities. Argo Blockchain saw its shares rise in London trading yesterday after agreeing to...

Cryptocurrency Winter to Last “At Least One More Year”, Says Octopus Network Founder.

Octopus Network, a multi-chain cryptocurrency network based on the NEAR protocol, has laid off around 40% of its core team and reduced salaries for the...

MicroStrategy Boosts Bitcoin Holdings with $42.8 Million Purchase.

MicroStrategy, the company co-founded by Michael Saylor, has announced that it has made further purchases of Bitcoin since November 1st. According to today's report, the...

China’s CBDC wallet relies on an age-old custom to increase adoption.

The digital yuan wallet app now includes a traditional Chinese method of donating money that has gone virtual with the rise of digital payments. China's wallet...

Follow us


Most Popular

%d bloggers like this: