A hacker gained access to the GitHub account of the Syscoin cryptocurrency and replaced the official Windows client with a version containing malware.
The poisoned Syscoin Windows client contained Arkei Stealer, a malware strain specialized in dumping and stealing passwords and wallet private keys. This malware is also detected as Trojan:Win32/Feury.B!cl.
Syscoin developers are now warning Syscoin users who downloaded version 22.214.171.124 of the Syscoin client between June 9th, 2018, 10:14 PM UTC and June 13th, 2018, 10:23 PM UTC that their systems might be infected with malware.
The affected files are (version number included in the file name is 3.0.4, but they install version 126.96.36.199):
The hacker tampered only with the Windows client; no other files in the v188.8.131.52 release, which also included the Mac and Linux clients along with the accompanying source code, were modified.
The Syscoin clients are installed on an operating system and allow users to run a Syscoin node, which they can use to mine new Syscoin cryptocurrency or manage Syscoin funds.
The incident came to light yesterday when the Syscoin team received a warning from users that Windows Defender SmartScreen was marking downloads of the Syscoin Windows client as malicious.
After a thorough investigation of the report, the Syscoin team discovered that a hacker compromised one of its developers' GitHub accounts, and took actions to remove the malicious files and warn users.
Users who downloaded the Syscoin client during the above-mentioned interval but did not install it are advised to delete it and redownload a clean version.
While there are online guides with instructions on how to remove this particular malware strain, it's probably a better idea if users wiped and reinstalled the entire OS, just to be on the safe side.
The Syscoin team also announced that all of its developers with access to its GitHub account will be required to use two-factor authentication (2FA) and to perform routine file-signature checks on the files offered for download, so that future incidents in which hackers replace release files are detected.
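The routine check described above can be automated as a comparison of the assets currently being served against a manifest of hashes pinned when the release was first published. The following is an added illustration, not Syscoin's own tooling; the asset names, byte contents and the "replaced installer" sample are constructed, and the manifest is assumed to be stored or signed out of band so that an attacker who can swap release files cannot also rewrite it.

```python
import hashlib
from typing import Dict

def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of a release asset's raw bytes."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of every asset at publish time (store/sign this out of band)."""
    return {name: sha256_bytes(data) for name, data in assets.items()}

def check_release(manifest: Dict[str, str], served: Dict[str, bytes]) -> Dict[str, str]:
    """Compare what the release page currently serves against the pinned manifest.

    Returns {asset_name: status}, where status is one of:
      'ok'         digest matches the pinned value
      'MODIFIED'   asset present but its bytes changed since publish time
      'MISSING'    asset listed in the manifest is no longer served
      'UNEXPECTED' asset served that was never part of the release
    """
    result = {}
    for name, expected in manifest.items():
        if name not in served:
            result[name] = "MISSING"
        elif sha256_bytes(served[name]) != expected:
            result[name] = "MODIFIED"
        else:
            result[name] = "ok"
    for name in served:
        if name not in manifest:
            result[name] = "UNEXPECTED"
    return result

# Constructed sample release: hypothetical file names, placeholder contents.
ORIGINAL = {
    "syscoin-3.0.4-win64-setup.exe": b"ORIGINAL WINDOWS INSTALLER BYTES",
    "syscoin-3.0.4-osx.dmg": b"ORIGINAL MAC IMAGE BYTES",
    "syscoin-3.0.4-x86_64-linux-gnu.tar.gz": b"ORIGINAL LINUX TARBALL BYTES",
}
MANIFEST = build_manifest(ORIGINAL)

# Constructed "later" snapshot: only the Windows installer has been swapped out.
SERVED_LATER = dict(ORIGINAL)
SERVED_LATER["syscoin-3.0.4-win64-setup.exe"] = b"REPLACED INSTALLER BYTES"

if __name__ == "__main__":
    for asset, status in check_release(MANIFEST, SERVED_LATER).items():
        print(f"{status:10} {asset}")
```

In practice the check would read the served files (or their published checksums) on a schedule and alert on anything other than `ok`; the manifest must not live in the same repository the attacker can modify.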