Cybercriminals are increasingly exploiting popular developer platforms like GitHub and GitLab to host malware and conduct credential phishing campaigns. Due to the widespread use and inherent trust placed in these platforms by organizations, many security tools do not flag their domains, creating a significant vulnerability that attackers are actively leveraging to bypass defenses.
Researchers at Cofense Intelligence have identified a significant surge in these campaigns, particularly in 2025, which accounted for a substantial portion of the total volume observed. This trend highlights a growing sophistication in attack methods, with threat actors now frequently combining malware delivery with direct credential theft.
Hackers Abuse GitHub and GitLab for Malware and Phishing
GitHub and GitLab are foundational to modern software development, serving as central hubs for code management and collaboration. Their critical role in business operations means that blocking their domains entirely is often impractical. Threat actors have capitalized on this by uploading malicious files or creating deceptive login pages within public repositories, generating links that appear legitimate and can easily circumvent secure email gateways (SEGs).
The abuse of Git repository websites has seen a steady increase since 2021. Cofense Intelligence’s analysis indicates that 95% of the identified campaigns utilized GitHub, with the remaining 5% targeting GitLab. In terms of objectives, 58% of these campaigns were focused on harvesting user credentials, while 42% aimed to distribute malware.
A concerning development is the rise of “dual-threat” attacks. One documented campaign, tracked as ATR 383659, involved victims who opened what they believed to be a PDF reader. Unbeknownst to them, this action simultaneously installed the Muck Stealer malware and directed them to a fake DocuSign page designed to steal their account credentials. This multifaceted approach significantly increases the potential damage from a single attack vector.
The implications for organizations are severe. The compromised credentials or deployed malware can lead to widespread data breaches, unauthorized access to sensitive systems, and potentially full network compromise, all initiated by a seemingly innocuous click on a trusted platform’s link.
How Attackers Deliver Malicious Payloads
Attackers commonly exploit the domains github.com and githubusercontent.com by hosting malware directly within repositories or embedding malicious code in comments on legitimate projects. When users download files from GitHub, the links often redirect through raw.githubusercontent.com, facilitating the silent download of malware in the background without raising user suspicion.
This clandestine delivery mechanism is frequently employed to deploy Remote Access Trojans (RATs). Remcos RAT currently leads in malware distribution via Git platforms, accounting for 21% of observed cases. Other prevalent RATs include Byakugan (9%), AsyncRAT (7%), and DcRAT (4%).
To evade detection by antivirus software, threat actors often package their malware in password-protected archives such as .zip or .7z files. The password is typically supplied in the phishing email itself, so the automated scanning performed by GitHub or GitLab cannot inspect the archive's contents. This circumvents a key security checkpoint.
In more advanced schemes, such as one detailed in ATR 404322, attackers leveraging GitLab implemented browser user agent detection to tailor their attacks. If a victim accessed the malicious link from a Windows device, they would receive a GoTo RAT. Otherwise, they would be redirected to a credential phishing page, ensuring that the attack was configured for maximum impact regardless of the target’s operating system.
Both end-users and cybersecurity professionals are urged to approach any unexpected GitHub or GitLab links with extreme caution, even if the domain appears legitimate. Organizations should prioritize implementing multi-factor authentication (MFA) across all accounts to mitigate the impact of stolen credentials. Employees should be trained to avoid opening password-protected archive files received via email.
Security teams are advised to adopt behavioral-based email analysis techniques rather than relying solely on domain reputation. Regular phishing simulation training is also crucial for enhancing end-user awareness and resilience against these evolving threats. The ongoing exploitation of trusted platforms like GitHub and GitLab underscores the dynamic nature of cyber threats and the continuous need for adaptive security strategies.
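As an added illustration of the behavior-based email analysis recommended above (example code, not from Cofense or the original article): a small Python scorer that treats a GitHub or GitLab link as a prompt for closer inspection rather than a pass, and scores the signals the article describes (archive-file links, a password supplied in the mail body, raw-content hosts, document-signing lures). The sample messages, regexes, point values and thresholds are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts most reputation filters trust. Here they only qualify a link for
# closer inspection; a trusted host never clears a message on its own.
GIT_HOSTS = {"github.com", "raw.githubusercontent.com",
             "objects.githubusercontent.com", "gitlab.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ARCHIVE_RE = re.compile(r"\.(zip|7z|rar)$", re.IGNORECASE)
# "Password: xyz" / "passcode is xyz" supplied in the body (constructed pattern)
PASSWORD_RE = re.compile(r"\b(password|passcode)\b\s*(is|[:=])?\s*\S+", re.IGNORECASE)
LURE_RE = re.compile(r"\b(docusign|pdf reader|invoice|e-?sign(ed)? document)\b",
                     re.IGNORECASE)

def git_links(text):
    """Return every URL in text whose host is a Git platform domain."""
    urls = (u.rstrip(".,;)") for u in URL_RE.findall(text))
    return [u for u in urls if urlparse(u).hostname in GIT_HOSTS]

def triage(email):
    """Score one message dict {'subject', 'body'} on behavioral signals.
    Returns (verdict, score, reasons); thresholds are illustrative."""
    text = email["subject"] + "\n" + email["body"]
    links = git_links(text)
    if not links:
        return "deliver", 0, []          # no Git-platform link: out of scope here
    paths = [urlparse(u).path for u in links]
    hosts = [urlparse(u).hostname for u in links]
    signals = [  # (hit, points, reason)
        (any(ARCHIVE_RE.search(p) for p in paths), 2, "link to archive file"),
        (bool(PASSWORD_RE.search(email["body"])), 2, "archive password in mail body"),
        ("raw.githubusercontent.com" in hosts, 1, "raw-content host used for download"),
        (bool(LURE_RE.search(text)), 1, "document/e-signature lure wording"),
    ]
    reasons = [why for hit, _, why in signals if hit]
    score = sum(pts for hit, pts, _ in signals if hit)
    verdict = "quarantine" if score >= 3 else "review" if score else "deliver"
    return verdict, score, reasons

# Constructed sample messages (not real campaign artifacts).
SAMPLE_PHISH = {
    "subject": "Your DocuSign document is waiting",
    "body": "Install the PDF reader to view it:\n"
            "https://raw.githubusercontent.com/example-org/docs/main/Reader.zip\n"
            "Archive password: Docs2025",
}
SAMPLE_BENIGN = {
    "subject": "PR review request",
    "body": "Could you look at https://github.com/example-org/app/pull/42 today?",
}
```

`triage(SAMPLE_PHISH)` returns a quarantine verdict with all four reasons, while the pull-request link is delivered because the trusted host alone earns no points in either direction.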