    Threat actors are increasingly abusing GitHub for malicious purposes

By techempire

Report | January 11, 2024 | Editorial Department | Internet Security / Software Security


GitHub’s ubiquity in information technology (IT) environments makes it an attractive option for threat actors to host and deliver malicious payloads and to serve as a dead drop resolver, a command-and-control (C2) endpoint, and a data exfiltration point.

Recorded Future said in a report shared with The Hacker News: “Using GitHub services for malicious infrastructure allows adversaries to blend into legitimate network traffic, often bypassing traditional security defenses and making it harder to track upstream infrastructure and attribute attackers.”

Cybersecurity firms describe this approach as “living-off-trusted-sites” (LOTS), an extension of the living-off-the-land (LotL) technique often employed by threat actors to hide rogue activity and fly under the radar.

The most prominent way GitHub has been abused relates to payload delivery, with some attackers also exploiting its capabilities for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue Python packages that relied on secret gists hosted on GitHub to receive malicious commands on compromised hosts.


While full-fledged C2 implementations on GitHub are less common than other infrastructure options, its use by threat actors as a dead drop resolver (where information stored in actor-controlled GitHub repositories is used to obtain the actual C2 URL) is much more common, as evidenced by malware such as Drokbk and ShellBox.

    Also rarely observed is the misuse of GitHub for data exfiltration, which according to Recorded Future may be due to file size and storage limitations as well as concerns about discoverability.

    In addition to these four main scenarios, the platform’s products are used in various other ways to serve infrastructure-related purposes. For example, GitHub Pages has been used as a phishing host or traffic redirector, and some campaigns have utilized GitHub repositories as backup C2 channels.


    This development reflects a broader trend of legitimate web services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello and Discord being exploited by threat actors. This also includes other source code and version control platforms such as GitLab, BitBucket and Codeberg.

“There is no one-size-fits-all solution for GitHub abuse detection,” the company said. “Detection strategies require a mix of approaches and are influenced by specific circumstances and factors such as log availability, organizational structure, service usage patterns and risk tolerance.”
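The dead drop resolver pattern described above and the detection caveat in the quote suggest what a tailored check can look like in practice. The following is an added example written for this article, not code from Recorded Future or from the report: it runs two simple rules over constructed, tab-separated web-proxy log lines (timestamp, source host, user agent, URL are an assumed format), flagging GitHub raw/gist fetches made by user agents that are not browsers, git clients or package managers, and flagging one host pulling the same GitHub file on a regular schedule, which is the shape a dead drop lookup tends to have. The hostnames, user-agent list and thresholds are assumptions to be tuned per environment.

```python
"""Flag suspicious GitHub content fetches in web-proxy logs.

Added example for illustration only; the log format, host list,
user-agent prefixes and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlparse

# GitHub hostnames that serve raw file content; these are the ones
# typically used for payload hosting and dead-drop-resolver lookups.
GITHUB_CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "objects.githubusercontent.com",
}

# User agents that normally fetch GitHub content for legitimate reasons.
EXPECTED_UA_PREFIXES = ("Mozilla/", "git/", "pip/", "npm/", "Homebrew/")

# Constructed sample log: (ISO time, source host, user agent, URL).
SAMPLE_ROWS = [
    ("2024-01-11T09:00:00", "ws-17", "Mozilla/5.0 (Windows NT 10.0)",
     "https://raw.githubusercontent.com/org/repo/main/README.md"),
    ("2024-01-11T09:01:00", "ws-42", "python-requests/2.31",
     "https://raw.githubusercontent.com/acct/cfg/main/c2.txt"),
    ("2024-01-11T09:06:00", "ws-42", "python-requests/2.31",
     "https://raw.githubusercontent.com/acct/cfg/main/c2.txt"),
    ("2024-01-11T09:11:00", "ws-42", "python-requests/2.31",
     "https://raw.githubusercontent.com/acct/cfg/main/c2.txt"),
    ("2024-01-11T09:16:00", "ws-42", "python-requests/2.31",
     "https://raw.githubusercontent.com/acct/cfg/main/c2.txt"),
    ("2024-01-11T09:20:00", "build-03", "git/2.43",
     "https://github.com/org/repo.git"),
    ("2024-01-11T09:30:00", "ws-09", "PowerShell/7.4",
     "https://gist.githubusercontent.com/u/abc123/raw/loader.ps1"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def parse_log(text):
    """Parse tab-separated lines into (time, src_host, user_agent, url)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, ua, url = line.split("\t")
        records.append((datetime.fromisoformat(ts), src, ua, url))
    return records


def is_github_content(url):
    """True when the URL points at a GitHub raw/gist content host."""
    return urlparse(url).hostname in GITHUB_CONTENT_HOSTS


def unexpected_agents(records):
    """Rule 1: GitHub content fetched by a scripting runtime or other
    user agent not on the expected list (one finding per src/url/ua)."""
    seen, findings = set(), []
    for _ts, src, ua, url in records:
        key = (src, url, ua)
        if is_github_content(url) and not ua.startswith(EXPECTED_UA_PREFIXES) \
                and key not in seen:
            seen.add(key)
            findings.append({"rule": "unexpected_agent", "src": src,
                             "url": url, "ua": ua})
    return findings


def periodic_polling(records, min_hits=3, max_jitter=0.1):
    """Rule 2: the same host pulling the same GitHub file at near-constant
    intervals, i.e. polling a file that may resolve to the real C2 address."""
    by_key = defaultdict(list)
    for ts, src, _ua, url in records:
        if is_github_content(url):
            by_key[(src, url)].append(ts)
    findings = []
    for (src, url), times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Low relative jitter between fetches is the beacon-like signal.
        if mean > 0 and pstdev(gaps) <= max_jitter * mean:
            findings.append({"rule": "periodic_polling", "src": src,
                             "url": url, "hits": len(times), "interval_s": mean})
    return findings


def analyze(text):
    """Run both rules over a log and return the combined findings."""
    records = parse_log(text)
    return unexpected_agents(records) + periodic_polling(records)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample data, rule 1 flags ws-42 (python-requests fetching c2.txt) and ws-09 (PowerShell fetching a gist), while the browser on ws-17 and the git clone from build-03 pass; rule 2 separately flags ws-42 for four fetches of the same file exactly five minutes apart. Neither rule proves malice on its own, which is the point of the quote above: in an engineering shop where CI pulls raw files with curl every few minutes, the expected-agent list and jitter threshold would need to reflect that.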
