Threat Actors Exploit GitHub and GitLab for Phishing and Malware Delivery – 2025 Surge
What Happened – Threat actors are increasingly abusing public code‑hosting platforms GitHub (95 % of abuse) and GitLab (5 %) to host credential‑phishing pages and malware payloads. 2025 alone accounted for ≈ 45 % of all observed campaigns, with 58 % delivering phishing and 42 % delivering malware, often in hybrid attacks.
Why It Matters for TPRM –
- Legitimate development platforms cannot be fully block‑listed, creating a blind spot for email security gateways.
- Phishing links that resolve to trusted domains bypass many URL‑reputation filters, raising the risk of credential compromise across all partner ecosystems.
- Hybrid campaigns can simultaneously harvest credentials and install malware, amplifying downstream supply‑chain impact.
Who Is Affected – Software development firms, SaaS providers, MSPs, and any organization that integrates third‑party code from GitHub/GitLab into its CI/CD pipeline.
Recommended Actions –
- Review vendor contracts for clauses covering abuse of third‑party code repositories.
- Enforce strict URL‑allow‑list policies and add GitHub/GitLab sub‑path monitoring to email security solutions.
- Deploy content‑inspection proxies that can scan files retrieved from these repositories for malicious code or phishing pages.
Technical Notes – Abuse leverages trusted domain reputation; attackers host malicious HTML, JavaScript, or executable binaries in public repos, then distribute short URLs in phishing emails. No specific CVE; the vector is “phishing via legitimate cloud‑hosted code platforms.”
Source: Cofense Intelligence
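As an added illustration of the allow-list and GitHub/GitLab sub-path monitoring described under Recommended Actions, and of the raw-file, page and release-asset paths described in the Technical Notes, the following Python script extracts code-hosting links from message text, recovers the org/repo each one points at, compares it with an allow-list, and marks paths that serve HTML/JS pages, binaries or archives for proxy inspection. It is example code written for this page, not Cofense tooling; the allow-list entries, the host table, the risky-suffix list and the sample email are all constructed for the example.

```python
"""Triage GitHub/GitLab links found in email text against a repo allow-list.

Added example; not Cofense tooling. The allow-list, the host table and the
sample email below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed allow-list: org/repo prefixes the organisation has vetted.
ALLOWED_REPOS = {
    "github.com": {"example-org/build-tools", "example-org/infra"},
    "gitlab.com": {"example-group/deploy"},
}

# Hosts that serve repository content, mapped to the platform they belong to.
CODE_HOSTS = {
    "github.com": "github.com",
    "raw.githubusercontent.com": "github.com",
    "objects.githubusercontent.com": "github.com",  # release-asset CDN; repo not visible in path
    "gitlab.com": "gitlab.com",
}

# Content types the advisory associates with hosted phishing pages and payloads.
RISKY_SUFFIXES = (".html", ".htm", ".js", ".exe", ".msi", ".scr", ".zip", ".iso")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


@dataclass
class Finding:
    url: str
    platform: str
    repo: Optional[str]      # "org/repo" (GitHub) or "group/project" (GitLab); None if not recoverable
    allowed: bool            # repo is on the allow-list
    risky_content: bool      # path points at a page, script, binary or archive
    verdict: str             # "allow", "inspect" (allowed repo, risky content) or "flag"


def repo_from_path(host: str, path: str) -> Optional[str]:
    """Recover the repository identifier from a code-hosting URL path."""
    parts = [p for p in path.split("/") if p]
    if host == "objects.githubusercontent.com":
        return None  # opaque asset path; the originating repo is not in the URL
    if host == "gitlab.com":
        # GitLab separates the project path from the rest with a "-" segment,
        # e.g. /group/project/-/raw/main/file
        if "-" in parts:
            parts = parts[: parts.index("-")]
        else:
            parts = parts[:2]
        return "/".join(parts) if len(parts) >= 2 else None
    # github.com and raw.githubusercontent.com both start with /org/repo
    return "/".join(parts[:2]) if len(parts) >= 2 else None


def classify_url(url: str) -> Optional[Finding]:
    """Return a Finding for a GitHub/GitLab link, or None for other hosts."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    platform = CODE_HOSTS.get(host)
    if platform is None:
        return None
    repo = repo_from_path(host, parsed.path)
    allowed = repo is not None and repo.lower() in ALLOWED_REPOS[platform]
    lower_path = parsed.path.lower()
    risky = lower_path.endswith(RISKY_SUFFIXES) or "/releases/download/" in lower_path
    if not allowed:
        verdict = "flag"          # unvetted repo: hold for review regardless of content
    elif risky:
        verdict = "inspect"       # vetted repo, but the content type warrants proxy scanning
    else:
        verdict = "allow"
    return Finding(url, platform, repo, allowed, risky, verdict)


def scan_email(text: str) -> List[Finding]:
    """Extract every URL from message text and triage the code-hosting ones."""
    findings = []
    for url in URL_RE.findall(text):
        finding = classify_url(url)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample message mixing vetted and unvetted repository links.
SAMPLE_EMAIL = """\
Hi team, the updated invoice portal is here:
https://raw.githubusercontent.com/acme-billing/portal/main/login.html
Also grab the updater from https://github.com/unknown-user/tools/releases/download/v1/update.exe
Pipeline docs: https://github.com/example-org/build-tools/blob/main/README.md
Deploy script: https://gitlab.com/example-group/deploy/-/raw/main/deploy.sh
"""

if __name__ == "__main__":
    for f in scan_email(SAMPLE_EMAIL):
        print(f"{f.verdict:8} repo={f.repo!r:32} risky={f.risky_content!s:5} {f.url}")
```

The three verdicts map onto the actions above: "flag" links are the ones an allow-list policy holds back, "inspect" links are the ones a content-inspection proxy should fetch and scan before delivery, and "allow" covers vetted repos serving non-executable content. Release assets served from objects.githubusercontent.com carry no repo name in the URL, so the script treats them as unvetted rather than guessing.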