Crypto Threat: Malware Infiltrates Github Cloning Thousands of Repos

The developer platform Github has been inundated with malware which has infiltrated tens of thousands of repositories.

As many as 35,000 Github repositories have been cloned with malware, according to a security researcher.

The widespread malware attack did not target crypto repositories (repos) specifically, but they have been among those impacted.

Software engineer Stephen Lacy alerted the crypto community to the incursion on Aug. 3.

Cloning Github repos

Tech portal Bleeping Computer reported that the repos were not hacked but had been copied, with their clones altered to include the malware. Cloning open source code is a common practice among developers; however, the attackers have injected malicious code and links into copies of legitimate projects to target unsuspecting developers.

Several projects from crypto, Golang, Python, JavaScript, Bash, Docker, and Kubernetes have been affected by the attack, the researcher noted.

While reviewing a project he had found from a Google search, the engineer noticed a malicious URL in the code. Scanning Github repos for this URL returned more than 35,000 results.

Bleeping Computer said that more than 13,000 search results were from a single repository called ‘redhat-operator-ecosystem.’ The malicious URL “exfiltrated a user’s environment variables but additionally contained a one-line backdoor,” the report added.

These environment variables can contain sensitive data such as API keys, tokens, Amazon AWS credentials, and crypto keys. The malware also allows remote attackers to execute arbitrary code on the systems of all those who install and run the clones.

The majority of the cloned repos had appeared within the past month, the report stated.

Github confirmed that the original repositories were not compromised and it had cleaned up or quarantined the clones.

Last month, BeInCrypto reported that a new strain of malware written in Rust was doing the rounds. Luca Stealer targets Windows operating systems and steals sensitive information such as crypto wallet information. The malware was also distributed on Github.

Miserable week in crypto

DeFi researcher Miles Deutscher pointed out that it has not been a great week in crypto. Earlier this week, the Nomad bridge was exploited for $190 million, and a few hours later around 8,000 Solana wallets were hacked, resulting in the theft of an estimated $8 million.

Markets appear to be unaffected, though, as total capitalization has gained 1.7% on the day to reach $1.12 trillion at the time of writing.


Martin Young

Martin has been covering the latest developments on cyber security and infotech for two decades. He has previous trading experience and has been actively covering the blockchain and crypto industry since 2017.
