Malware Spreads through Code Repositories on GitHub and GitLab
Research Warns of Rising Malware Delivery Through GitHub and GitLab
Abuse of GitHub and GitLab by cybercriminals has reached alarming levels: both platforms are now routinely used to host and distribute malware and phishing content, trading on the trust their domains enjoy.
According to recent research, 64% of campaigns abusing GitLab domains are built exclusively to deliver malware, while 53% of those abusing GitHub domains focus on malware delivery.
Malware and Delivery Methods Observed
- Password-protected archives (ZIP and 7-Zip) used as the delivery container; because the members are encrypted, anti-malware scanners cannot inspect the contents without the password.
- Remote Access Trojans (RATs)
- Information stealers, with over 30 malware families observed.
Prevalent Payloads
The most prevalent payload is the Remcos RAT, accounting for 21% of the overall volume and dominating GitHub attacks.
Attack Tactics
- Hybrid attacks combining malware delivery and credential phishing into a single evasive chain.
- Device detection, inspecting the victim's browser User-Agent string to decide which payload to serve.
- Depending on the detected device type, serving either a legitimate remote administration tool (the research names GoTo) repurposed as a RAT, or a credential phishing portal.
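A defender can turn the device-detection tactic against itself by requesting the same link with several User-Agent strings and comparing what comes back. The following Python check is an added example, not code from the research or from either platform; the probe UA strings, the placeholder URL and the two offline fetchers (one modelling the cloaking behaviour described above, one modelling an ordinary release asset) are all constructed for this example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Ordinary browser user-agent strings used as probes (constructed for this
# example; they are not values taken from the research).
UA_PROFILES: Dict[str, str] = {
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
    "android": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Mobile Safari/537.36",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1",
}

# A fetcher takes (url, user_agent) and returns (content_type, body).
Fetcher = Callable[[str, str], Tuple[str, bytes]]


def http_fetch(url: str, user_agent: str, timeout: float = 15.0) -> Tuple[str, bytes]:
    """Real fetcher for a live URL; follows redirects like a browser would."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
        return ctype, resp.read()


def probe(url: str, fetch: Fetcher = http_fetch) -> Dict[str, Dict[str, object]]:
    """Request the same URL once per UA profile; record type, size and hash."""
    out: Dict[str, Dict[str, object]] = {}
    for name, ua in UA_PROFILES.items():
        ctype, body = fetch(url, ua)
        out[name] = {"content_type": ctype, "size": len(body),
                     "sha256": hashlib.sha256(body).hexdigest()}
    return out


def classify(results: Dict[str, Dict[str, object]]) -> str:
    """'cloaking:content-type' when the response type depends on the UA
    (e.g. installer for desktops, HTML form for phones); 'cloaking:body'
    when only the bytes differ; 'consistent' otherwise."""
    types = {r["content_type"] for r in results.values()}
    if len(types) > 1:
        return "cloaking:content-type"
    hashes = {r["sha256"] for r in results.values()}
    if len(hashes) > 1:
        return "cloaking:body"
    return "consistent"


# --- constructed stand-ins so the check runs offline -----------------------

def cloaking_fetcher(url: str, user_agent: str) -> Tuple[str, bytes]:
    """Models the behaviour described above: desktops receive a binary,
    phones receive a credential-harvesting page. Constructed, not captured."""
    if "Mobile" in user_agent or "iPhone" in user_agent:
        return "text/html", b"<html><form action='/login'>Sign in to view the document</form></html>"
    return "application/octet-stream", b"MZ" + b"\x00" * 62 + b"constructed fake installer"


def benign_fetcher(url: str, user_agent: str) -> Tuple[str, bytes]:
    """A release asset served identically to every client (an empty ZIP)."""
    return "application/zip", b"PK\x05\x06" + b"\x00" * 18


if __name__ == "__main__":
    target = "https://github.com/example-org/example-repo/releases/download/v1.0/setup.exe"  # placeholder
    print(classify(probe(target, cloaking_fetcher)))   # cloaking:content-type
    print(classify(probe(target, benign_fetcher)))     # consistent
```

For a download link the strong signal is a content-type that changes with the User-Agent: a genuine release asset returns the same bytes to every client. A body-only mismatch on an HTML page is weaker evidence, since legitimate pages embed nonces, session tokens and responsive variants. The reverse also holds: attackers can key on more than the UA (source IP, referrer, time of day), so a consistent probe from an analysis network does not prove a link is clean.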
Defending Against the Threat
Traditional domain blocklisting is ineffective here: github.com and gitlab.com are trusted, widely used and cannot simply be blocked, so a malicious file hosted on them inherits the platform's reputation. Organizations must instead take proactive steps to mitigate the risk, judging what is downloaded from these platforms and from which repository, rather than relying on the hosting domain alone.
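One way to act on that, as an added example that is not part of the original article or of either platform's tooling: triage proxy logs by repository and file type instead of by domain, and flag archives whose members are encrypted, since those are the ones a scanner cannot open. The log format, the allowlist entries, the repository names and the sample archive below are all constructed for this example.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Repositories the organisation knowingly pulls files from. Assumption: the
# allowlist is keyed on owner/repo because the domain itself cannot be
# blocked. Entries are placeholders.
ALLOWED_REPOS = {"acme-corp/build-tools", "gitlab-org/gitlab-runner"}

# Extensions worth a look when they arrive from an unknown repository.
RISKY_EXT = (".zip", ".7z", ".rar", ".exe", ".msi", ".js", ".vbs", ".bat", ".lnk", ".iso")
ARCHIVE_TYPES = ("application/zip", "application/x-7z-compressed", "application/octet-stream")


def repo_download(url: str) -> Optional[str]:
    """Return 'owner/repo' if url fetches a file (not a web page) from a
    GitHub or GitLab repository, else None. Path shapes handled:
      raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
      codeload.github.com/<owner>/<repo>/zip/<ref>
      github.com/<owner>/<repo>/raw/<ref>/<path>
      github.com/<owner>/<repo>/releases/download/<tag>/<asset>
      gitlab.com/<group>[/<subgroup>]/<project>/-/raw/<ref>/<path>
      gitlab.com/<group>[/<subgroup>]/<project>/-/archive/<ref>/<name>"""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    parts = [p for p in u.path.split("/") if p]
    if len(parts) < 3:
        return None
    if host in ("raw.githubusercontent.com", "codeload.github.com"):
        return f"{parts[0]}/{parts[1]}"
    if host == "github.com":
        if parts[2] == "raw" or parts[2:4] == ["releases", "download"]:
            return f"{parts[0]}/{parts[1]}"
    if host == "gitlab.com" and "-" in parts:
        i = parts.index("-")
        if i >= 2 and i + 1 < len(parts) and parts[i + 1] in ("raw", "archive"):
            return "/".join(parts[:i])
    return None


@dataclass
class Finding:
    client: str
    url: str
    repo: str
    reason: str


def triage(log_lines: List[str]) -> List[Finding]:
    """Flag successful file downloads from GitHub/GitLab repositories that are
    not on the allowlist. Constructed log format, tab separated:
    <timestamp> <client-ip> <url> <http-status> <content-type>"""
    findings: List[Finding] = []
    for line in log_lines:
        if not line.strip():
            continue
        _ts, client, url, status, ctype = line.rstrip("\n").split("\t")
        if status != "200":
            continue
        repo = repo_download(url)
        if repo is None or repo in ALLOWED_REPOS:
            continue
        path = urlparse(url).path.lower()
        reason = "download from unlisted repository"
        if path.endswith(RISKY_EXT) or ctype in ARCHIVE_TYPES:
            reason = "archive/executable from unlisted repository"
        findings.append(Finding(client, url, repo, reason))
    return findings


def is_encrypted_zip(data: bytes) -> bool:
    """True if any member has the encryption bit (bit 0 of the general-purpose
    flag) set; such archives cannot be scanned without the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def make_zip_sample(encrypted: bool) -> bytes:
    """Build a small constructed ZIP. zipfile cannot write encrypted archives,
    so for the encrypted variant the encryption bit is set directly in each
    central-directory header (2-byte little-endian flag field at offset 8 from
    the 'PK\\x01\\x02' signature). The member is throwaway text, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024.pdf.exe", b"constructed sample, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        pos = data.find(b"PK\x01\x02")
        while pos != -1:
            data[pos + 8] |= 0x01
            pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


# Constructed proxy log lines for the demo.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z\t10.0.0.12\thttps://github.com/acme-corp/build-tools/releases/download/v2.1/tools.zip\t200\tapplication/zip",
    "2024-05-01T09:13:41Z\t10.0.0.57\thttps://raw.githubusercontent.com/qwerty-9981/docs/main/Invoice_2024.zip\t200\tapplication/zip",
    "2024-05-01T09:14:02Z\t10.0.0.57\thttps://github.com/qwerty-9981/docs/issues/1\t200\ttext/html",
    "2024-05-01T09:15:19Z\t10.0.0.88\thttps://gitlab.com/team-x/sub/proj/-/raw/main/update.js\t200\tapplication/javascript",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.client} {f.repo} {f.reason}: {f.url}")
    print("encrypted sample detected:", is_encrypted_zip(make_zip_sample(True)))
```

The allowlisted release download and the issues page produce no findings; the raw ZIP from an unknown repository and the GitLab-hosted script do. GitHub release assets are redirected to objects.githubusercontent.com, whose paths do not carry the repository name, so the redirect target should be joined back to the originating request in the log. The encryption check covers ZIP only; detecting an encrypted 7-Zip archive needs a parser for its header coders and is not shown here.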
