The Growing Abuse of GitHub and GitLab in Phishing Campaigns
ID: 76ad88c9-8938-50f7-aef1-62a2b31246ee
STIX ID: report--76ad88c9-8938-50f7-aef1-62a2b31246ee
Feed Name: Cofense Blog
This Cofense Intelligence report analyzes the growing abuse of Git repository hosting (GitHub and GitLab) by threat actors to distribute malware (notably Remcos, DcRAT and other RATs/stealers) and to host credential-phishing pages via GitHub/GitLab Pages and raw file downloads. It highlights trends (45% of observed campaigns in 2025), common TTPs (raw.githubusercontent downloads, github.io/gitlab.io pages, password-protected archives, user-agent detection and redirects), and the operational impact of trusted domains bypassing email/security controls.
