Hackers are increasingly abusing trusted software development platforms GitHub and GitLab to host malware and credential phishing campaigns, making defensive detection significantly harder for enterprises.
Because these Git-based platforms are deeply integrated into development and business workflows, organizations cannot simply block them at the network edge, giving threat actors a powerful, trusted delivery channel.
GitHub and GitLab repositories are essential for developers to store code, configuration files, and project documentation, but attackers now treat them as free, reputable hosting for malicious payloads and phishing sites.
By abusing this inherent trust, they generate URLs on github.com, githubusercontent.com, github.io, gitlab.com, and gitlab.io that often pass through secure email gateways and URL filters with minimal scrutiny.
Around 95% of these operations leverage GitHub domains, while about 5% abuse GitLab, reflecting GitHub’s dominance in the developer ecosystem and its attractiveness as an attack surface.
According to the report, from 2021 to 2025 abuse of Git repository websites has grown year over year, with 2025 alone accounting for roughly 45% of all observed malicious campaigns using these services.
This trend aligns with broader reporting that GitHub is facing a mounting malware problem and a surge in malicious content hosted on its infrastructure.
Credential Phishing vs Malware
Threat actors use these platforms for both credential theft and malware delivery, with a slight tilt toward phishing.
In one campaign detailed in ATR 383659, the threat actor first used GitHub to host malware: after the victim visits a page that downloads Muck Stealer, a credential phishing page opens automatically.

The remaining 42% focus on distributing malware, typically through repository file links or raw content URLs that infected systems can silently retrieve and execute.
A growing subset of operations executes dual, “hybrid” attacks that chain both techniques in a single infection flow.
In these scenarios, victims may first download a remote access trojan (RAT) from a GitHub or GitLab repository, then be redirected to a phishing page that harvests account credentials, maximizing the attacker’s access even if the malware fails or is later removed.
Core GitHub domains such as github.com and raw.githubusercontent.com are heavily used for malware staging, with roughly 53% of GitHub-abusing campaigns focused on malware delivery.
The standard GitHub UI makes malicious files appear similar to legitimate project artifacts, while the raw content domain allows automated, low-profile downloads ideal for loaders, droppers, and stealer payloads.

Attackers frequently hide RATs like Remcos, Async RAT, Byakugan, and DcRAT inside password-protected archives (.zip, .7z) to evade platform-level antivirus scanning.
GitHub Pages, served via github.io, skew toward credential phishing, representing around 47% of GitHub-based abuse.
Because github.io is a long-lived, widely trusted domain, security tools may inadequately vet newly created subdomains, allowing fake login portals and redirector pages to masquerade as legitimate project sites.
About 58% of tracked campaigns deliver credential phishing content, often via GitHub Pages (github.io) or GitLab Pages (gitlab.io), where static HTML, CSS, and JavaScript are used to clone Microsoft 365, Google, and other business login portals.

Similar logic applies to gitlab.io, where GitLab Pages are abused to host phishing pages and automated redirects, sometimes guarded by CAPTCHA or anti-automation checks to keep scanners out while allowing human victims in.
Malware Families and Enterprise Impact
Overall, more than 30 malware families have been observed using GitHub and GitLab as staging or delivery points, with 42% of Git-repository abuse campaigns focused on malware instead of pure phishing.

Remcos RAT leads by volume at about 21% of campaigns, followed by Byakugan (9%), Async RAT (7%), and DcRAT, which is especially prevalent in GitLab-based attacks.
These tools enable remote control, keylogging, password theft, browser data exfiltration, and even illicit cryptocurrency mining, allowing attackers to persist, move laterally, and extort victims long after the initial email lure.
Because these campaigns piggyback on legitimate, high-reputation infrastructure, traditional SEG filtering, domain-based blocklists, and reputation scoring are often insufficient on their own.
Security teams must combine fine-grained URL inspection, behavioral analysis, and user awareness training so that employees recognize that GitHub and GitLab links in unsolicited emails may now be as dangerous as unknown domains.
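As an added illustration of the fine-grained URL inspection recommended above (example code written for this article, not part of the report or any product), the script below extracts URLs from constructed proxy log lines and scores each GitHub/GitLab link on the signals the article describes: raw-content download paths, Pages subdomains, and archive payloads. The log lines, account names and hostnames are made up.

```python
import re
from urllib.parse import urlparse

# Hosts the article names as abused: repo/raw surfaces and Pages subdomains.
GIT_HOSTS = {"github.com": "github-repo", "raw.githubusercontent.com": "github-raw",
             "gitlab.com": "gitlab-repo"}
PAGES_SUFFIXES = (".github.io", ".gitlab.io")
# Archive types the article reports wrapping RATs (often password-protected).
ARCHIVE_EXT = re.compile(r"\.(zip|7z)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def classify_url(url: str) -> dict:
    """Return the Git-hosting surface a URL uses and why it deserves inspection."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or ""
    surface = GIT_HOSTS.get(host)
    if surface is None and host.endswith(PAGES_SUFFIXES):
        surface = "github-pages" if host.endswith(".github.io") else "gitlab-pages"
    reasons = []
    if surface is None:  # not a GitHub/GitLab URL: out of scope for this check
        return {"url": url, "surface": None, "reasons": reasons, "score": 0}
    # raw.githubusercontent.com, github.com/<o>/<r>/raw/... and gitlab.com/<g>/<p>/-/raw/... serve file bytes directly
    if surface == "github-raw" or "/raw/" in path or "/-/raw/" in path:
        reasons.append("raw file download")
    if surface.endswith("-pages"):  # *.github.io / *.gitlab.io static hosting
        reasons.append("Pages site on a freshly creatable subdomain")
    if m := ARCHIVE_EXT.search(path):
        reasons.append(f"archive payload (.{m.group(1).lower()})")
    return {"url": url, "surface": surface, "reasons": reasons, "score": len(reasons)}

def scan_log(lines) -> list:
    """Pull URLs out of log lines and keep the verdicts worth an analyst's time."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            verdict = classify_url(url)
            if verdict["score"] > 0:
                hits.append(verdict)
    return hits

# Constructed sample proxy log lines; accounts, hostnames and paths are made up.
SAMPLE_LOG = [
    "2025-03-01T09:12:01Z src=10.0.0.5 url=https://github.com/example-org/build-tools",
    "2025-03-01T09:12:44Z src=10.0.0.5 url=https://raw.githubusercontent.com/acct123/stage/main/update.zip",
    "2025-03-01T09:13:10Z src=10.0.0.9 url=https://example-verify-portal.github.io/m365/index.html",
    "2025-03-01T09:13:55Z src=10.0.0.9 url=https://gitlab.com/acct9/drop/-/raw/main/setup.7z",
    "2025-03-01T09:14:02Z src=10.0.0.7 url=https://docs.python.org/3/library/re.html",
]
```

A plain repository link scores zero and is left alone, so the check surfaces only the download and Pages patterns rather than blocking the platforms outright.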