Positive Technologies: Attacks via GitHub and GitLab Reach Record Levels

By posting fake projects on popular developer platforms like GitHub and GitLab, attackers are increasingly tricking users into executing malicious payloads. These payloads download additional components from hacker-controlled repositories, ultimately installing remote access trojans (RATs) and spyware on victims’ devices.

Malware Dominates Cyberattacks

Analysts from Positive Technologies have released a cyber threat report for the first half of 2025. According to the data, malware remains the leading attack vector, used in 63% of successful incidents.

The share of malware distributed through websites rose to 13%, nearly double the level observed during the same period in 2024. Researchers attribute this record-high figure—the largest in the past three years—to the growing popularity of schemes targeting developers. By compromising open repositories and exploiting typosquatting, attackers are successfully infiltrating software supply chains.

Campaigns Worldwide

  • Russia, Brazil, Turkey: Gamers and cryptocurrency investors were lured by hundreds of fake open-source projects. The downloads delivered an info-stealer designed to collect cryptocurrency wallet addresses along with personal and banking data.
  • U.S., Europe, Asia: At least 233 victims were hit in a campaign linked to North Korea’s Lazarus Group, which deployed a JavaScript implant to gather system information from developers.

“The tactics of APT groups are evolving: they are moving from mass phishing to targeted attacks on developers,” said Anastasia Osipova, Junior Analyst at Positive Technologies. “Their new target is the supply chains of various technologies. By embedding malware into development processes, attackers deal a double blow: they compromise not only the victim itself but also the projects it is associated with. We predict this trend will gain momentum: attacks on IT companies and developers aimed at undermining supply chains will occur more frequently.”

Typosquatting on the Rise

The report highlights a surge in the use of typosquatting techniques within open-source ecosystems, where attackers upload malicious packages with names resembling legitimate ones, exploiting simple user errors.

One example was uncovered in the PyPI repository, where attackers targeted developers, machine learning specialists, and enthusiasts experimenting with DeepSeek integration. Malicious packages named deepseeek and deepseekai harvested user and system data, including environment variables.
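The typosquatting pattern described above (a doubled letter, or a plausible suffix appended to a real name) is something a build pipeline can screen for before installing anything. The following script is an added example and is not code from the report or from Positive Technologies: it parses a requirements file, normalizes names the way PyPI does, and flags any requested package that is a near-miss of a name on an allowlist. The allowlist, the requirements lines and the edit-distance threshold are constructed assumptions for the demo; the `deepseeek` and `deepseekai` names are the ones the report cites.

```python
"""Added example: screen requested package names for typosquats.

Flags names that are within a small edit distance of, or carry a short
suffix on, a known legitimate package name. The allowlist and the sample
requirements file are constructed for illustration only.
"""
import re
from typing import Dict, Optional

# Constructed allowlist: packages a team actually depends on.
KNOWN_PACKAGES = {"deepseek", "requests", "numpy", "torch", "urllib3"}

# Constructed requirements.txt for the demo.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies
requests==2.32.3
deepseeek           # one letter doubled (name cited in the report)
deepseekai>=0.1     # legitimate-looking suffix (name cited in the report)
numpy
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> Optional[str]:
    """Return the bare project name from a requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def suspicious_reason(name: str, known=KNOWN_PACKAGES, max_dist: int = 2) -> Optional[str]:
    """Explain why a name looks like a typosquat of a known package, or None."""
    n = normalize(name)
    if n in known:
        return None  # exact match with an allowed package
    for k in known:
        # 'deepseekai': a real name with a few characters tacked on.
        if n.startswith(k) and len(n) - len(k) <= 3:
            return f"extra suffix on known name '{k}'"
        # 'deepseeek': one or two character edits away from a real name.
        d = levenshtein(n, k)
        if d <= max_dist:
            return f"edit distance {d} from known name '{k}'"
    return None


def screen_requirements(text: str) -> Dict[str, str]:
    """Map each suspicious requested name to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for line in text.splitlines():
        name = parse_requirement(line)
        if name is None:
            continue
        reason = suspicious_reason(name)
        if reason:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    for pkg, why in screen_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"SUSPICIOUS {pkg}: {why}")
```

The edit-distance and suffix heuristics are a common first-pass screen, not the report's own detection method; in practice they are combined with package age, download counts and publisher history, since a distance-2 threshold will also flag some legitimate forks and companion packages.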