Security News > 2024 > April > Malicious Visual Studio projects on GitHub push Keyzetsu malware
Threat actors are abusing GitHub automation features and malicious Visual Studio projects to push a new variant of the "Keyzetsu" clipboard-hijacking malware and steal cryptocurrency payments.
Users downloading files from those repositories become infected with malware hidden within Visual Studio project files and stealthily executed during the project build.
According to a new report by Checkmarx, the malware campaign uses multiple GitHub repositories named after popular topics and projects.
The malware payload is usually hidden inside build events in malicious Visual Studio project files, although Checkmarx has seen some variations.
The malicious project below uses the PreBuildEvent to write malware to the disk and execute it before the project is compiled.
On Windows systems, the payload creates a scheduled task named "Feedback API VS Services Client," which executes the malware without confirmation prompts at 4 AM. To protect against supply chain attacks and malicious code hosted on GitHub, review repository activity for suspicious patterns, such as many commits or stars received by accounts all created around the same time.