GitHub and GitLab, long regarded as essential tools for programmers, project managers and software developers, are increasingly being used by cybercriminals to distribute malware and credential phishing content, according to research cited in the screenshots. Because the platforms are critical to business operations, enterprise networks often cannot block them outright, creating an opening for attackers to exploit trusted infrastructure and generate malicious links that can evade traditional secure email gateways.
How Trusted Platforms Are Being Exploited
The attackers are abusing core Git platform features and relying on domains such as github.com, githubusercontent.com and gitlab.com to deliver malicious content. Of the campaigns abusing GitHub's domains, 53% are focused on malware delivery.
One commonly used method involves the raw, plain-text versions of files hosted on githubusercontent.com, which can quietly download payloads in the background without ever rendering the platform's standard user interface. The report suggests that this makes the activity harder to spot within routine browsing or security workflows.
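The raw-content hosts and direct-download paths described above are the kind of thing a proxy or mail-gateway log review can flag even when github.com and gitlab.com themselves cannot be blocked. The following Python is an added example written for this page, not code from the report or from Cofense; the log lines, usernames, repository paths and the risk rules are constructed for illustration, and `classify_url` and `triage_log` are hypothetical helper names.

```python
import re
from urllib.parse import urlparse

# Host family that serves file contents directly (the "raw" views the article describes).
RAW_CONTENT_HOST = "githubusercontent.com"
# Path markers that turn a normal github.com / gitlab.com URL into a direct download
# (assumption: these are the common direct-fetch paths, not an exhaustive list).
DIRECT_DOWNLOAD_MARKERS = {
    "github.com": ("/raw/", "/releases/download/"),
    "gitlab.com": ("/-/raw/", "/uploads/"),
}
# Archive types the article names, plus executable/script types worth a second look.
RISKY_SUFFIXES = (".zip", ".7z", ".rar", ".exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".msi")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
USER_RE = re.compile(r"user=(\S+)")


def classify_url(url):
    """Return (risk, reason) for a single URL; risk is 'high', 'medium' or 'low'."""
    parsed = urlparse(url)
    host = parsed.netloc.lower().rsplit("@", 1)[-1].split(":")[0]  # strip userinfo and port
    path = parsed.path.lower()

    if host == RAW_CONTENT_HOST or host.endswith("." + RAW_CONTENT_HOST):
        where = "githubusercontent.com raw content"
    elif host in DIRECT_DOWNLOAD_MARKERS and any(m in path for m in DIRECT_DOWNLOAD_MARKERS[host]):
        where = host + " direct-download path"
    else:
        return "low", "not a direct-download URL on a Git platform"

    if path.endswith(RISKY_SUFFIXES):
        return "high", where + " serving an archive or executable"
    return "medium", where + " (non-executable file, but still bypasses the repository UI)"


def triage_log(lines):
    """Scan proxy/gateway log lines and return findings with medium or high risk."""
    findings = []
    for line in lines:
        user_match = USER_RE.search(line)
        user = user_match.group(1) if user_match else "unknown"
        for url in URL_RE.findall(line):
            risk, reason = classify_url(url)
            if risk != "low":
                findings.append({"user": user, "url": url, "risk": risk, "reason": reason})
    return findings


# Constructed sample proxy log; users, hosts and paths are placeholders, not real indicators.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:02:11Z user=alice url=https://github.com/example-org/docs/blob/main/README.md status=200
2024-05-01T10:04:52Z user=bob url=https://raw.githubusercontent.com/example-user/repo/main/update.zip status=200
2024-05-01T10:05:03Z user=bob url=https://gitlab.com/example-user/repo/-/raw/main/setup.exe status=200
2024-05-01T10:07:40Z user=carol url=https://raw.githubusercontent.com/example-user/repo/main/notes.txt status=200
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{f['risk']:6} {f['user']:6} {f['url']}  <- {f['reason']}")
```

The point of the split between "medium" and "high" is that raw fetches of text files are common in legitimate developer workflows, so the rule flags them for context rather than alerting, while a raw fetch that ends in an archive or executable is rare enough from a normal browser session to justify an alert or a sandbox detonation.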
Malware Campaigns Built Around Git Repositories
The researchers say 64% of campaigns abusing GitLab domains are built exclusively to deliver malware. Attackers are described as using password-protected archive files such as .zip and .7z to evade anti-malware scanners.
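A password-protected archive hides its contents from a scanner, but not its entry names or the flag that says the contents are encrypted, so a gateway can still quarantine an unscannable archive that names an executable. The following Python is an added example for this page, not code from the report or from Cofense; the archive it builds is constructed placeholder data, and `triage_zip` and `build_sample_zip` are hypothetical helper names.

```python
import io
import struct
import zipfile

# Names inside an archive that warrant a closer look even when the bytes are encrypted.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".dll", ".lnk", ".msi")

ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the general-purpose bit flag in the ZIP headers


def triage_zip(zip_bytes):
    """Summarise what a gateway can learn from a ZIP without its password.

    Entry names, sizes and the encrypted flag live in the local and central
    directory headers, which are never encrypted, so a password-protected
    archive still reveals that it carries an executable and cannot be scanned."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & ZIP_FLAG_ENCRYPTED]
    executables = [i.filename for i in infos if i.filename.lower().endswith(EXECUTABLE_SUFFIXES)]
    if encrypted and executables:
        verdict = "quarantine"  # unscannable archive that names an executable
    elif encrypted or executables:
        verdict = "review"      # scannable executable, or encrypted with no obvious executable
    else:
        verdict = "allow"
    return {"entries": len(infos), "encrypted": encrypted, "executables": executables, "verdict": verdict}


def build_sample_zip(encrypted):
    """Constructed test archive (placeholder bytes, not a real sample).

    zipfile cannot write encrypted entries, so for the encrypted case the
    encrypted bit is set by hand in both the local file header (flag field at
    offset 6) and the central directory header (flag field at offset 8); that
    is the same bit a real password-protected archive carries and triage_zip reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 60)  # constructed placeholder content
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            flags = struct.unpack_from("<H", data, pos + flag_offset)[0]
            struct.pack_into("<H", data, pos + flag_offset, flags | ZIP_FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    for label, flag in (("plain", False), ("password-protected", True)):
        print(label, triage_zip(build_sample_zip(flag)))
```

This handles only the ZIP container; the .7z format the article also names keeps its file list inside the (optionally encrypted) header, so a 7z archive with an encrypted header reveals nothing but its size and is better treated as "quarantine by default" at the gateway.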
The material states that Remote Access Trojans and information stealers are heavily favoured in these attacks, with more than 30 malware families observed. The most prevalent payload is identified as the Remcos RAT, which accounts for 21% of the overall volume and is said to dominate GitHub attacks. Other frequently used payloads include the Byakugan stealer, AsyncRAT and DcRAT, the last of which the screenshots describe as the most popular payload delivered through GitLab.
These tools are said to give attackers remote control over infected devices, allowing them to steal browser passwords or exfiltrate sensitive files for extortion.
Rise of Hybrid and Harder-to-Block Attacks
The report singles out the rise of hybrid attacks as a particularly concerning development, with malware delivery and credential phishing increasingly combined into a single evasive chain. In one example, GitHub is used to deploy an information stealer, followed by a fake document pop-up designed to capture credentials; this gives attackers both persistent device access and immediate credential theft.
GitLab campaigns are also described as using device detection. By inspecting a victim's browser user-agent string, a malicious landing page can determine which payload to serve. If the target is using Windows, the page may deliver an abused but legitimate remote administration tool such as the GoTo RAT. If the page is opened from a Mac or Android device, the tactic may shift to a credential phishing portal instead.
According to Cofense research cited in the screenshots, the use of legitimate infrastructure makes mitigation especially difficult. Platforms do remove malicious content, but the volume involved can delay purges, with flagged repositories sometimes taking weeks to be removed. The report concludes that defending against the trend requires layered security measures and heightened user vigilance, as traditional blocklisting methods are proving ineffective against trusted cloud collaboration platforms.