GitHub is a platform that is frequently abused by cybercriminals and advanced persistent threats (APTs) for a range of malicious activities [4]. These include delivering malicious payloads [1] [2] [3] [5], acting as command and control points, and exfiltrating data [2] [4] [5]. Threat actors are attracted to GitHub because it lets them blend in with legitimate network traffic, making their actions difficult for defenders to detect and attribute.


GitHub’s services are popular among threat actors for hosting and delivering malicious payloads [3] [5], acting as command and control points, and exfiltrating data [2] [4] [5]. This abuse of GitHub [1] [3] [5], known as “living off trusted sites” (LOTS), enables adversaries to bypass traditional security defenses. One method of abuse is using GitHub features for command and control obfuscation [5]. GitHub is also used as a dead drop resolver [5], where information stored in an actor-controlled repository is fetched to obtain the actual command and control URL [5]. While full-fledged command and control implementations on GitHub are rare [1] [3], the use of GitHub as a dead drop resolver is more prevalent [1] [3]. Data exfiltration through GitHub is less common due to file size and storage limitations [3] [5]. Additionally, GitHub is used for infrastructure-related purposes such as phishing hosting and traffic redirection [1]. The abuse of legitimate internet services by threat actors is a broader trend [5] that extends to other source code and version control platforms [5].

Detecting GitHub abuse requires a combination of detection methods tailored to specific environments and factors such as log availability [1] [3] [5], organizational structure [1] [3] [5], service usage patterns [1] [5], and risk tolerance [1] [3] [5]. GitHub has dedicated teams responsible for removing content that violates its acceptable use policies [2], utilizing manual reviews and machine learning-based detections [2]. The top illicit uses of GitHub include delivering malicious payloads [2], functioning as a dead drop resolver [1] [2] [3], serving as a command and control network, and exfiltrating data [2] [4] [5]. Raw GitHub is currently the most abused service on the platform [2]. Attackers who use legitimate cloud services like GitHub can quickly and easily scale their attacks, hide their tracks [2], and avoid detection [2].


The abuse of GitHub by threat actors has significant impacts on cybersecurity. It allows them to evade detection and bypass traditional security defenses. To mitigate this abuse, GitHub users should restrict access to specific parts of the organization [2], protect access credentials [2], monitor proxy and audit logs [2], and conduct proactive threat hunting [2]. The trend of threat actors abusing legitimate internet services, including GitHub [5], highlights the need for ongoing vigilance and adaptation in cybersecurity measures.
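As an added example (not from the cited reports or from GitHub), the following Python heuristic illustrates the proxy-log monitoring recommended above: it flags hosts that repeatedly fetch the same raw GitHub path at near-regular intervals with a non-browser client, which is the polling pattern a dead drop resolver produces. The log format, host list and sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumed (constructed) proxy log format: <ISO timestamp> <client> <method> <url> "<user agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
# Hosts serving raw repository/gist content; an assumption, adjust to what your proxy records.
RAW_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com"}
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line, skipped by the caller
    ts, client, method, url, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method, "url": url, "ua": ua}

def is_raw_github(url):
    return urlsplit(url).hostname in RAW_HOSTS

def is_browser_ua(ua):
    return any(marker in ua for marker in BROWSER_UA_MARKERS)

def find_dead_drop_polling(lines, min_hits=3, max_jitter=0.25):
    """Return {(client, url): mean interval in seconds} for client/url pairs that fetch raw
    GitHub content at least min_hits times, at near-regular intervals (coefficient of
    variation <= max_jitter), without a browser user agent. Regular polling of one static
    path is how a dead drop resolver is consulted; a developer's browser session is not."""
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_raw_github(rec["url"]) and not is_browser_ua(rec["ua"]):
            series[(rec["client"], rec["url"])].append(rec["ts"])
    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = avg
    return flagged

# Constructed sample: one host polls a raw path every ~5 minutes with a scripted client, another
# fetches the same path once from a browser, a third only talks to github.com, one line is junk.
RAW_URL = "https://raw.githubusercontent.com/example-user/notes/main/config.txt"  # placeholder
SAMPLE_LOG = [f'2024-05-01T09:{m:02d}:{s:02d} 10.0.0.5 GET {RAW_URL} "python-requests/2.31.0"'
              for m, s in ((0, 0), (5, 2), (10, 0), (15, 1))]
SAMPLE_LOG += [f'2024-05-01T09:03:00 10.0.0.7 GET {RAW_URL} "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"',
               '2024-05-01T09:04:00 10.0.0.9 GET https://github.com/example-user/notes "git/2.43.0"',
               'not a log line']
```

Tune `min_hits` and `max_jitter` to your environment's baseline; CI runners and package managers also fetch raw content on schedules, so the output is a hunting lead to triage, not a verdict.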