Attackers Abuse GitHub, GitLab to Host Malware and Phishing Campaigns

Marcus Rodriguez
April 10, 2026

Key Takeaways

  • Cybercriminals are increasingly leveraging trusted developer platforms GitHub and GitLab to host malware and phishing campaigns.
  • The inherent trust in these platforms by corporate security tools allows malicious links to bypass secure email gateways.
  • Attacks often combine credential theft with malware delivery, with GitHub being abused in 95% of identified campaigns.
  • The volume of these attacks has surged, with 2025 alone accounting for 45% of total recorded incidents.
  • Organizations must implement multi-factor authentication, enhance email analysis, and conduct regular security awareness training.

Cybercriminals are actively exploiting GitHub and GitLab, two widely used and generally trusted platforms for software development, to distribute malicious software and harvest user credentials. This tactic leverages the implicit trust organizations place in these domains, often allowing nefarious content to bypass standard security defenses and reach unsuspecting users.

GitHub and GitLab are foundational to modern software development, serving as critical repositories for code storage, sharing, and version control. Consequently, most enterprise security solutions are configured to permit traffic from these platforms, recognizing that blocking them would severely impede business operations. This established trust creates a significant vulnerability, which threat actors are now strategically exploiting.

By embedding malicious files or crafting convincing fake login pages within public repositories, attackers generate URLs that appear legitimate. These deceptive links are then used in phishing emails, effectively circumventing secure email gateways (SEGs) that typically flag suspicious domains.

Data compiled by Cofense Intelligence researchers reveals a consistent annual increase in the abuse of Git repository websites since 2021. Notably, the year 2025 alone accounted for 45% of the total recorded campaign volume, indicating a rapid escalation in this attack vector. Researchers also observed a shift in attacker methodology, with threat actors increasingly integrating both malware delivery and credential phishing into single, multi-pronged attacks.

An analysis of the studied campaigns showed that GitHub was abused in 95% of incidents, with GitLab accounting for the remaining 5%. In terms of attack objectives, 58% of campaigns focused on stealing credentials, while 42% were designed to deliver malware. Of particular concern is the rise of hybrid attacks combining both threats. One documented case, tracked as ATR 383659, involved victims unknowingly installing Muck Stealer malware after opening what appeared to be a PDF reader, while simultaneously being redirected to a fraudulent DocuSign page designed to capture login credentials.

The ramifications of these attacks extend beyond individual users, posing substantial risks to organizations across all sectors. Potential consequences include extensive data theft, unauthorized access to corporate accounts, and even network-wide compromises, all initiated by a single click on what appears to be a benign GitHub or GitLab link.

How Attackers Deliver Their Payloads

Threat actors weaponize github.com or githubusercontent.com by either directly hosting malware within repositories or attaching malicious files to comments on legitimate projects. A common technique involves exploiting the fact that github.com download links often redirect through raw.githubusercontent.com for direct file retrieval. This allows malware to be fetched in the background without overt user interaction.

This silent delivery mechanism is frequently employed to deploy Remote Access Trojans (RATs). Remcos RAT leads the pack, accounting for 21% of malware delivered via Git platforms, followed by Byakugan at 9%, AsyncRAT at 7%, and DcRAT.

To evade antivirus detection, attackers routinely package their malware within password-protected .zip or .7z archive files. The password is typically included in the phishing email, meaning automated scanning by GitHub or GitLab cannot access or inspect the contents of the archive.

In a more sophisticated example, documented under ATR 404322, attackers used GitLab in combination with browser user-agent detection to tailor the attack to the victim's device. If the target opened the link from a Windows machine, a GoTo RAT was delivered; if the device was not Windows, the victim was redirected to a credential phishing page, so the attacker obtained something of value regardless of the target's operating environment.
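To show what "behavioral analysis rather than domain reputation" looks like in practice, here is an added example (not Cofense's or the site's code) that triages Git-platform links found in an inbound mail body: it scores direct-file URLs, archive and executable downloads, and an archive password quoted in the same message. The host list and path patterns are assumptions based on common GitHub/GitLab URL shapes, and the sample mail is constructed.

```python
"""Triage GitHub/GitLab links in a mail body (added example, assumed URL patterns)."""
import re
from urllib.parse import urlparse

# Raw/download hosts that github.com links commonly redirect to (assumed list).
RAW_HOSTS = {"raw.githubusercontent.com", "objects.githubusercontent.com",
             "gist.githubusercontent.com"}
GIT_HOSTS = {"github.com", "gitlab.com"} | RAW_HOSTS
# Path shapes that return a file instead of a repository page (assumed patterns).
FILE_PATHS = re.compile(r"/(raw|releases/download|files|user-attachments/files|-/raw)/")
ARCHIVE_EXT = (".zip", ".7z", ".rar")
EXEC_EXT = (".exe", ".scr", ".msi", ".bat", ".js", ".vbs", ".ps1")
# An archive password handed over in the mail body is the tell the article describes.
PASSWORD_HINT = re.compile(r"\b(password|passcode)\b\s*[:=]?\s*\S+", re.I)

def triage_url(url: str, body: str = "") -> tuple[int, list[str]]:
    """Return (score, reasons); 0 means a plain repository page or a non-Git host."""
    p = urlparse(url)
    host, path = (p.hostname or "").lower(), p.path.lower()
    if host not in GIT_HOSTS:
        return 0, []
    score, reasons = 0, []
    if host in RAW_HOSTS or FILE_PATHS.search(path):
        score += 2; reasons.append("direct file retrieval, not a repo page")
    if path.endswith(ARCHIVE_EXT):
        score += 2; reasons.append("archive download")
        if PASSWORD_HINT.search(body):
            score += 3; reasons.append("archive password supplied in mail body")
    if path.endswith(EXEC_EXT):
        score += 3; reasons.append("executable download")
    return score, reasons

def triage_mail(body: str) -> list[tuple[str, int, list[str]]]:
    """Extract every http(s) URL in the body and keep those with a non-zero score."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    scored = [(u, *triage_url(u, body)) for u in urls]
    return [r for r in scored if r[1] > 0]

# Constructed sample: a legitimate-looking repo link plus a password-protected archive.
SAMPLE_MAIL = (
    "Hi, the updated contract is in our project at https://github.com/acme-legit/docs\n"
    "Direct download: https://github.com/acme-legit/docs/releases/download/v1/Contract_2026.zip\n"
    "Password: Secure2026\n"
)

if __name__ == "__main__":
    for url, score, reasons in triage_mail(SAMPLE_MAIL):
        print(score, url, "; ".join(reasons))
```

The score is a triage signal for an analyst or gateway rule, not a verdict; a benign release download of an archive still scores 4, so tune thresholds against your own mail flow.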

What You Should Do

  • Exercise extreme caution with any GitHub or GitLab link received via unexpected emails, even if the domain appears authentic.
  • Implement and enforce multi-factor authentication (MFA) across all user accounts to mitigate the impact of stolen credentials.
  • Educate employees to avoid opening password-protected archive files received via email, especially from unknown or suspicious sources.
  • Security teams should deploy behavioral-based email analysis tools rather than relying solely on domain reputation for threat detection.
  • Regularly conduct phishing simulation training to enhance end-user awareness and improve their ability to identify and report suspicious communications.