Cybercriminals are increasingly targeting two of the most reputable developer platforms, GitHub and GitLab, to disseminate malware and harvest login credentials from unsuspecting users. This alarming trend highlights a significant vulnerability as these platforms are integral to daily operations for many organizations.
Exploitation of Trusted Developer Platforms
GitHub and GitLab are pivotal in the realm of software development, serving as repositories for code management and collaboration. Due to their essential role, security solutions often extend inherent trust to these domains, inadvertently creating a gateway for threat actors to infiltrate corporate environments.
Attackers exploit this trust by uploading harmful files or deceptive login pages, making phishing attempts indistinguishable from legitimate content. This tactic allows malicious emails to bypass secure email gateways (SEGs) without detection, posing a significant threat to corporate security.
Rising Threat of Phishing Campaigns
Research from Cofense Intelligence indicates a sharp increase in the misuse of Git repository sites since 2021. In 2025, nearly half of all recorded phishing campaigns utilized these platforms, underscoring a rapid escalation in this method’s popularity among cybercriminals.
Of the campaigns analyzed, a staggering 95% abused GitHub, while 5% relied on GitLab. Credential theft was the aim of 58% of these attacks, with the remaining 42% dedicated to malware deployment. Particularly concerning is the emergence of dual-threat attacks that combine both strategies into a single campaign.
Methods and Countermeasures
Attackers often host malware directly within Git repositories or attach malicious files to comments on legitimate projects. GitHub download links, which redirect through raw.githubusercontent.com, let the malware be fetched silently, with no further user interaction. Remote Access Trojans (RATs) such as Remcos RAT are commonly deployed using these tactics and account for a significant portion of the malware volume.
To evade detection, malware is frequently packaged within password-protected archive files, preventing automated scanning from accessing the contents. Advanced attacks have even leveraged device-specific targeting, delivering different payloads based on the victim’s operating system.
Organizations must adopt robust security measures to mitigate these risks. Implementing multi-factor authentication (MFA) can reduce the impact of credential theft, and employees should be cautious of unsolicited GitHub or GitLab links, especially those accompanied by password-protected files. Security teams should prioritize behavioral-based email analysis and conduct regular phishing simulations to enhance user awareness.
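As an added example (not part of the original article or of Cofense's tooling), the following Python sketches a mail-gateway triage check for the pattern described above: a link into a Git-hosting domain that points at an archive, paired with a password-protected attachment that automated scanning cannot open. The watchlist of hosts, the archive extensions and the sample message are constructed assumptions for the demo.

```python
import io
import re
import struct
import zipfile
from urllib.parse import urlparse
# Hosts the article names as abused; treating them as a watchlist is this demo's assumption.
GIT_HOSTS = {"github.com", "gitlab.com", "raw.githubusercontent.com"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def git_hosted_urls(body):
    """Return every URL in the body whose host is a Git-hosting domain."""
    return [u for u in URL_RE.findall(body) if (urlparse(u).hostname or "") in GIT_HOSTS]

def zip_is_encrypted(blob):
    """True when the first ZIP local header has the encryption flag (bit 0) set; it is
    cleartext, so a gateway can flag a password-protected archive it cannot scan."""
    if len(blob) < 30 or blob[:4] != b"PK\x03\x04":
        return False
    return bool(struct.unpack_from("<H", blob, 6)[0] & 0x0001)

def triage(message):
    """Reasons a message {'body': str, 'attachments': {name: bytes}} is suspicious."""
    reasons = []
    urls = git_hosted_urls(message["body"])
    if urls:
        reasons.append("git_hosted_link")
    if any(urlparse(u).path.lower().endswith(ARCHIVE_EXT) for u in urls):
        reasons.append("archive_download")
    for name, blob in message.get("attachments", {}).items():
        if zip_is_encrypted(blob):
            reasons.append("encrypted_archive:" + name)
    return reasons

def constructed_zip(encrypted):
    """Harmless one-entry ZIP; optionally flip the header's encryption bit to
    mimic a password-protected archive (constructed test data, not a payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"placeholder text")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6:8] = struct.pack("<H", struct.unpack_from("<H", data, 6)[0] | 1)
    return bytes(data)

# Constructed lure: a raw.githubusercontent.com archive link plus an encrypted attachment.
SAMPLE = {
    "body": "New build: https://raw.githubusercontent.com/example-org/tools/main/setup.zip",
    "attachments": {"tools.zip": constructed_zip(encrypted=True)},
}
```

Each reason is a separate signal, so a gateway can weight a Git-hosted link on its own as low risk and escalate only when it co-occurs with an encrypted archive.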
