The trusted developer hubs GitHub and GitLab, long considered pillars of the open-source software ecosystem, are now facing a wave of targeted attacks. Hackers have been creating fake repositories that appear legitimate but contain malicious payloads, researchers warn. These payloads, once downloaded, often install remote access Trojans and spyware, giving attackers a direct line into victims’ devices.
Analysts at Positive Technologies reported that in the first half of 2025, malware was the weapon of choice in 63 percent of documented cyberattacks — with website-based distribution nearly doubling from the year before. This trend reflects a shift: rather than attacking end-users directly, criminals are focusing on developers themselves, hoping to compromise the very code that underpins modern software.
How Fake Projects Lure Victims
The strategy is deceptively simple. Attackers host projects that look like popular open-source tools or libraries. By exploiting typosquatting — setting up malicious packages with names nearly identical to trusted ones — they ensnare developers who mistype a download command.
In Russia, Brazil, and Turkey, such tactics have already been used to target cryptocurrency players and investors, with malware designed to siphon wallet addresses, banking credentials, and personal data. In the United States, Europe, and Asia, at least 233 victims were compromised by a North Korean Lazarus Group campaign, which implanted a malicious JavaScript program in developer environments to silently harvest system information.
Supply Chains Under Siege
Experts caution that the implications go far beyond individual victims. By introducing malware into widely used development tools, attackers create a ripple effect across entire supply chains. Projects adopted by thousands of organizations could be compromised in one sweep.
“APT groups’ tactics are evolving from mass phishing to targeted attacks on developers,” said Anastasia Osipova, a junior analyst at Positive Technologies. “By embedding malware into development processes, attackers strike a double blow — harming the developers themselves and the projects they support.”
Recent incidents underscore the risks. Earlier this year, malicious packages dubbed deepseek and deepseekai were found in the PyPI repository, targeting machine learning specialists. Once installed, they exfiltrated sensitive data and environment variables, effectively turning developers’ own tools into surveillance devices.
An Escalating Global Risk
What is unfolding on GitHub, GitLab, and other open repositories reflects a larger shift in cyberwarfare. No longer content with phishing campaigns and ransomware, attackers are burrowing into the foundations of software development itself.
For IT companies and governments, the threat is twofold: compromised tools could give adversaries access to critical infrastructure, while also eroding trust in open-source collaboration — the backbone of modern innovation. Security researchers say such attacks will become more frequent as long as developer platforms remain open, decentralized, and globally accessible.
The challenge now is not only technological but cultural: how to preserve the openness of coding communities while erecting stronger defenses against infiltration. For the world’s developers, the gatekeepers of the digital age, the battleground has shifted decisively to their own repositories.