GitHub Users Targeted with Dangerous Malware Attacks - Here's What We Know
5 Articles
Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters
Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025. "The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson
MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
In April 2025 Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads. The MaaS operators used fake GitHub accounts to host payloads, tools and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use. Several operator tactics, techniques and procedures (TTPs) overlap with a SmokeLoader phishing campaign, identified in early 2025, that targeted Ukrainian entities. The same…
Coverage Details
Bias Distribution
- 100% of the sources are Center