Trusted developer platforms are increasingly being abused by attackers to host malware and credential-phishing campaigns, making detection and prevention harder for organisations.
Platforms such as GitHub and GitLab, widely used by developers and enterprises, are increasingly being misused in this way. Because these platforms are essential to business operations, companies often cannot block them outright, which lets attackers ride on their trusted infrastructure and bypass traditional email security controls.
Attackers are exploiting core features of these platforms, using domains such as github.com, githubusercontent.com, and gitlab.com to deliver harmful content. Reports indicate that 53% of malicious activity on GitHub domains is focused on malware delivery.
One common tactic involves hosting plain text files on githubusercontent.com. Such files can be used to fetch malicious payloads in the background without triggering visible alerts, making the activity harder to spot during normal browsing.
The threat is also significant on GitLab, where 64% of campaigns are designed purely for malware distribution. Attackers often use password-protected .zip and .7z files to bypass anti-malware systems.
The attacks heavily rely on Remote Access Trojans and information stealers, with over 30 malware families identified. The most dominant payload is Remcos RAT, responsible for 21% of overall activity and widely used in GitHub-based attacks. Other common threats include Byakugan stealer, AsyncRAT, and DcRAT, which are frequently seen in GitLab campaigns.
These malicious tools allow attackers to take control of infected devices, steal browser credentials, and extract sensitive data for extortion.
A major concern is the rise of hybrid attacks, where malware and phishing are combined. In one example, GitHub is used to deploy an information stealer, followed by a fake document pop-up designed to capture login details, giving attackers both device access and stolen credentials.
GitLab campaigns are also using device detection techniques. By analysing the user’s browser, attackers can deliver targeted payloads. Windows users may receive tools like GoTo RAT, while Mac or Android users may be redirected to phishing pages.
According to research by Cofense, the use of legitimate platforms makes these threats harder to block. Although harmful content is eventually removed, high volumes can delay action, with some repositories taking weeks to be taken down.
The report highlights that tackling this issue requires layered security measures and increased user awareness, as traditional blocklisting methods are no longer effective.
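Added example (not from the report or from Cofense): a small detection rule in Python for the staged pattern described above, where a client first fetches a raw text file from githubusercontent.com and then pulls a .zip or .7z archive from one of the developer platforms shortly afterwards. The log format and all log lines are constructed for illustration; the domain list comes from the article.

```python
"""Flag archive downloads from trusted developer platforms in proxy logs,
and the staged case (raw text fetch followed by an archive fetch).
Added example with constructed data, not code from the original article."""
import re
from datetime import datetime, timedelta

# Domains named in the article as abused for delivery.
DEV_PLATFORM_DOMAINS = ("github.com", "githubusercontent.com", "gitlab.com")
ARCHIVE_EXT = (".zip", ".7z")          # password-protected archives are common here
STAGE_WINDOW = timedelta(seconds=60)   # assumed window between stager and payload

# Constructed log lines: "<iso-timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.1.1.5 GET https://raw.githubusercontent.com/acct/repo/main/readme.txt 200
2024-05-01T10:00:12 10.1.1.5 GET https://gitlab.com/acct/proj/-/raw/main/update.zip 200
2024-05-01T10:05:00 10.1.1.9 GET https://raw.githubusercontent.com/acct/repo/main/notes.txt 200
2024-05-01T10:30:00 10.1.1.9 GET https://example.com/page.html 200
2024-05-01T11:00:00 10.1.1.7 GET https://github.com/acct/tool/releases/download/v1/tool.7z 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def _host(url):
    """Return the lowercase host part of a URL."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()

def is_dev_platform(host):
    """Exact or subdomain match against the abused platform domains."""
    return any(host == d or host.endswith("." + d) for d in DEV_PLATFORM_DOMAINS)

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        yield {"ts": datetime.fromisoformat(ts), "client": client,
               "url": url, "host": _host(url), "status": int(status)}

def detect(log):
    """Return (rule, client, url) alerts for archive fetches and staged downloads."""
    alerts = []
    last_text = {}  # client -> time of its last raw .txt fetch from a dev platform
    for ev in parse(log):
        if not is_dev_platform(ev["host"]):
            continue
        path = ev["url"].split("?", 1)[0].lower()
        if path.endswith(".txt"):
            last_text[ev["client"]] = ev["ts"]
        elif path.endswith(ARCHIVE_EXT):
            alerts.append(("archive_from_dev_platform", ev["client"], ev["url"]))
            prev = last_text.get(ev["client"])
            if prev is not None and ev["ts"] - prev <= STAGE_WINDOW:
                alerts.append(("staged_download", ev["client"], ev["url"]))
    return alerts
```

On the constructed log this yields three alerts: the archive and staged-download alerts for 10.1.1.5, and an archive alert for 10.1.1.7; 10.1.1.9 fetched only a text file and is not flagged.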