Hackers Leverage GitHub Repositories to Distribute Amadey Malware and Data Stealers, Bypassing Enterprise Filters

Recent cybersecurity intelligence has uncovered a significant trend: threat actors are now exploiting public GitHub repositories to host and disseminate the Amadey malware and various data-stealing tools. By leveraging the reputation and widespread access policies of GitHub, these attackers are successfully bypassing traditional web filters and security protocols in organizational networks.

Attack Techniques

Hackers establish fake or disposable GitHub accounts to act as open directories for malicious payloads, effectively using GitHub’s hosting capabilities as distribution channels for malware. Among the key mechanisms is the deployment of Amadey, a modular Malware-as-a-Service (MaaS) loader. Amadey collects system intelligence, enables the download of additional payloads, and can be extended with plugins for credential theft or screenshot capture.

Malware is frequently distributed through a chained approach: other loaders, such as Emmenhtal (also known as PEAKLIGHT), first compromise a target and then fetch Amadey or associated malware, such as Lumma Stealer, RedLine, or SmokeLoader, directly from the attacker-controlled repositories on GitHub.

Bypassing Security Filters

GitHub is typically trusted and widely permitted in corporate environments, making it an ideal platform for attackers. Downloads from its repositories often go unnoticed, as traffic appears legitimate and is difficult to separate from normal development workflow. Security appliances and filters are less likely to flag or block these downloads, allowing hackers to evade detection easily.

Campaign Characteristics

Some observed malicious accounts, such as one labeled “Legendary99999,” have contained over 160 repositories. Each repository has hosted a single malware sample in its Releases section, so an already-compromised machine can fetch it with an ordinary download. Attackers can rapidly update or rotate the hosted payloads, enabling flexible targeting and continuous operation.

These campaigns can deliver an array of malware families once access is achieved: data stealers, remote access trojans (RATs), and ransomware can all be spread by simply changing the files stored in these repositories. While initial campaigns have sometimes focused on specific regions, such as Ukraine, this GitHub-based tactic scales globally.

Why GitHub is Targeted

GitHub’s recognition as a trusted development platform means its domains are whitelisted in many enterprise environments. Attackers take advantage of this reputation, knowing organizations are hesitant to block GitHub due to its legitimate business use. Additionally, separating harmful downloads from benign developer activity presents a significant challenge for security teams, further aiding the attackers’ strategy.

Notable Malware Families Observed

Malware/Stealer Name | Description
Amadey | Modular loader; collects system information and deploys additional payloads.
Lumma Stealer | Targets credentials, wallets, and system data.
RedLine | Infostealer focused on credentials and crypto wallets.
SmokeLoader | Downloader for spreading various malware.
AsyncRAT | Remote Access Trojan used for persistence and surveillance.

Examples and Operational Approaches

A notable example involved the “Legendary99999” account, which managed and distributed hundreds of malicious payloads through public repositories. Attackers could seamlessly swap or update payloads, increasing their adaptability. Organizations’ reluctance to restrict GitHub access, fearing disruption to workflow, is a vulnerability being actively targeted.

Mitigation Strategies

Organizations are advised to impose stricter access controls, limiting GitHub access for non-essential personnel. Deploying advanced monitoring solutions that analyze repository interactions is critical to detect malicious downloads. Employee training—especially around phishing and recognizing unauthorized links—remains an essential defense. Coordinating with GitHub for rapid removal of reported malicious repositories also helps stem the spread of these campaigns.
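The monitoring of repository interactions recommended above can start from ordinary web-proxy logs. The following is an added example, not code from the article or from any vendor: it scans constructed proxy log lines for GitHub Releases asset downloads and flags the pattern the campaign relies on (executable assets pulled from an owner that is not on an assumed allowlist, odd user-agents, and one client fetching from several repositories of the same unknown owner). The log format, the allowlist, and the owner names in the sample are assumptions.

```python
import os
import re
from collections import defaultdict

# Assumed proxy log format: timestamp client method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# GitHub Releases asset URL: https://github.com/<owner>/<repo>/releases/download/<tag>/<asset>
RELEASE_RE = re.compile(r'^https://github\.com/([^/]+)/([^/]+)/releases/download/[^/]+/([^/?#]+)')

# Assumed allowlist of GitHub owners the organisation legitimately pulls releases from.
ALLOWLIST = {"example-org"}
# Asset types that should rarely arrive from an unknown account's Releases page.
RISKY_EXT = {".exe", ".dll", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta", ".zip", ".7z", ".rar"}
# User-agent prefixes treated as ordinary browser or developer-tool traffic.
ORDINARY_UA = ("Mozilla/5.0", "git/", "gh/", "curl/", "pip/")

# Constructed sample log lines (not real traffic); owner and repo names are placeholders.
SAMPLE_LOG = """\
2025-07-18T09:12:01Z 10.0.4.21 GET https://github.com/example-org/cli/releases/download/v2.3.0/cli_linux_amd64.tar.gz 200 "curl/8.4.0"
2025-07-18T09:14:37Z 10.0.4.52 GET https://github.com/throwaway-acct-01/repo-0731/releases/download/1.0/update.exe 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2025-07-18T09:15:02Z 10.0.4.52 GET https://github.com/throwaway-acct-01/repo-0812/releases/download/1.0/svc.exe 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2025-07-18T09:20:11Z 10.0.4.77 GET https://github.com/example-org/cli/blob/main/README.md 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
2025-07-18T09:21:45Z 10.0.4.90 GET https://github.com/some-user/tools/releases/download/v1/notes.txt 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status), "ua": ua}

def detect(log_text, allowlist=ALLOWLIST):
    """Return one finding per suspicious GitHub Releases asset download, with the reasons it was flagged."""
    findings = []
    seen_repos = defaultdict(set)  # (client, owner) -> repos this client has pulled assets from
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["status"] != 200:
            continue
        m = RELEASE_RE.match(rec["url"])
        if not m:
            continue  # not a Releases asset download (e.g. browsing a README)
        owner, repo, asset = m.groups()
        if owner in allowlist:
            continue
        seen_repos[(rec["client"], owner)].add(repo)
        reasons = []
        if os.path.splitext(asset)[1].lower() in RISKY_EXT:
            reasons.append("executable or archive asset")
        if not rec["ua"].startswith(ORDINARY_UA):
            reasons.append("unusual user-agent")
        if len(seen_repos[(rec["client"], owner)]) > 1:
            reasons.append("multiple repos of one unknown owner")  # payload rotation pattern
        if reasons:
            findings.append({"client": rec["client"], "owner": owner, "asset": asset, "reasons": reasons})
    return findings
```

Feed real proxy exports through `detect` after adjusting `LOG_RE` to the local format; the allowlist should be maintained from actual build and tooling dependencies rather than guessed.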
