GitHub Abuse Emerges in Twin Social Engineering Campaigns Spotted by Fortra, Trend Micro

Security researchers are tracking two separate GitHub-related threat campaigns that use the platform's infrastructure in different ways -- one to deliver vishing lures through legitimate GitHub notifications, and another to push Windows users toward malware-infected downloads hosted through deceptive GitHub Pages and repositories.

The primary campaign, disclosed Monday by Fortra's Fortra Intelligence and Research Experts team, centers on abuse of GitHub's email notification system. According to the report, attackers placed phony billing and support messages inside commit comments tied to otherwise empty repositories and profiles, causing GitHub to generate legitimate notification emails that appeared to come from [email protected]. Those messages impersonated brands such as PayPal, Norton, Geek Squad and McAfee and urged recipients to call fake support numbers.

"While abuse of GitHub's legitimate email notification system has been observed before, this is the first time Fortra has seen it used for vishing attacks by including the malicious content in the commit messages of otherwise empty GitHub profiles and repositories," the company wrote. It added that "vishing content represented around 20% of malicious emails submitted to us for analysis in 2025."

Fortra said the e-mails didn't simply move from GitHub to the victim. Instead, attackers first registered GitHub notifications to Google or Fastmail accounts, then forwarded those messages through Microsoft 365 before they reached final recipients. That extra routing step, the company said, helped obscure the real destination list and improved the likelihood that the messages would pass inspection.

"Routing through Microsoft is a tactic employed to bypass email filters by ensuring the source is trusted and authentication checks do not fail," Fortra wrote. The researchers said the campaign's true scale is difficult to measure because forwarding can hide final recipient addresses from message headers. One account examined by the firm had 44 repositories and 133 commits at the time of analysis.
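As an added example (not code from the Fortra or Trend Micro reports), the Python triage script below shows how a defender can surface the routing pattern described above: it reconstructs the `Received` hop chain of a GitHub notification, flags messages that took extra hops after leaving GitHub, flags a mismatch between the `To:` header and the mailbox the final hop actually delivered to (the effect of forwarding that Fortra says hides recipients), and then checks the body for the vishing signals the report names, an impersonated brand plus a callback phone number. Both sample messages, and every hostname, address and ID in them, are constructed placeholders.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a GitHub commit-comment notification forwarded through a
# Fastmail-style mailbox and then a Microsoft 365-style tenant before reaching
# the real target. Hosts use the .invalid TLD and reserved documentation IPs.
FORWARDED_SAMPLE = """\
Received: from relay.example-m365.invalid (relay.example-m365.invalid [203.0.113.10])
\tby mx.victim-corp.invalid with ESMTPS id aaa111
\tfor <finance@victim-corp.invalid>; Mon, 2 Mar 2026 10:02:11 +0000
Received: from fwd.example-fastmail.invalid (fwd.example-fastmail.invalid [198.51.100.7])
\tby relay.example-m365.invalid with ESMTPS id bbb222; Mon, 2 Mar 2026 10:02:05 +0000
Received: from smtp.github.invalid (smtp.github.invalid [192.0.2.25])
\tby fwd.example-fastmail.invalid with ESMTPS id ccc333; Mon, 2 Mar 2026 10:01:58 +0000
From: some-handle <notifications@github.com>
To: mailbox@example-fastmail.invalid
Subject: [some-handle/empty-repo] New comment on commit 0000000
Content-Type: text/plain; charset=utf-8

Your PayPal subscription of $499.99 has been renewed.
If you did not authorise this charge, call support at 1-800-555-0199 now.
"""

# Constructed sample: an ordinary notification delivered straight from GitHub.
DIRECT_SAMPLE = """\
Received: from smtp.github.invalid (smtp.github.invalid [192.0.2.25])
\tby mx.victim-corp.invalid with ESMTPS id ddd444
\tfor <dev@victim-corp.invalid>; Mon, 2 Mar 2026 11:00:00 +0000
From: teammate <notifications@github.com>
To: dev@victim-corp.invalid
Subject: [victim-corp/app] Fix typo in README (#42)
Content-Type: text/plain; charset=utf-8

Looks good, merging once CI is green.
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
DELIVERED_FOR = re.compile(r"\bfor\s+<([^>]+)>", re.IGNORECASE)
# North American style numbers such as 1-800-555-0199; widen for other regions.
PHONE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")
# Brands the report says were impersonated; extend as needed.
BRANDS = ("paypal", "norton", "geek squad", "mcafee")


def received_chain(msg: Message) -> list[str]:
    """Sending host of each Received hop, oldest hop first."""
    hops = []
    # Headers are listed newest first, so reverse to follow the real path.
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.match(hdr)
        if m:
            hops.append(m.group(1).lower())
    return hops


def analyse(raw: str) -> dict:
    """Score one raw RFC 5322 message for the forwarding-plus-vishing pattern."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    received = msg.get_all("Received", [])
    # The topmost Received header is the final delivery; its "for <addr>"
    # names the mailbox that really got the message, even if To: differs.
    m = DELIVERED_FOR.search(received[0] if received else "")
    delivered_to = m.group(1).lower() if m else None
    header_to = (msg.get("To") or "").lower()
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    phones = PHONE.findall(body)
    brands = [b for b in BRANDS if b in body.lower()]
    result = {
        "github_sender": "notifications@github.com" in (msg.get("From") or "").lower(),
        "hops": hops,
        # A genuine notification arrives from GitHub in one hop; more hops
        # after GitHub mean the message was relayed or forwarded.
        "forwarded": len(hops) > 1,
        "recipient_mismatch": bool(delivered_to) and delivered_to not in header_to,
        "phones": phones,
        "brands": brands,
    }
    if result["github_sender"] and phones and brands:
        result["verdict"] = "likely-vishing"
    elif result["forwarded"] or result["recipient_mismatch"]:
        result["verdict"] = "review"
    else:
        result["verdict"] = "benign"
    return result


if __name__ == "__main__":
    for name, raw in (("forwarded", FORWARDED_SAMPLE), ("direct", DIRECT_SAMPLE)):
        print(name, analyse(raw))
```

The hop count and recipient mismatch are worth alerting on even when the body is clean, because the sender really is GitHub and SPF/DKIM will pass; the routing anomaly, not the authentication result, is what distinguishes these messages from normal repository notifications.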

A second report from Trend Micro, published March 5, described a wider malware campaign built around fake GitHub repositories and misleading GitHub Pages sites. In that operation, users looking for free software tools were led to public repositories packed with search terms meant to push them higher in search results. Those repositories then directed users to GitHub Pages download sites hosting ZIP files that delivered a newly identified information stealer called BoryptGrab, along with other malware, including a reverse SSH backdoor Trend Micro identified as TunnesshClient.

Trend Micro said BoryptGrab is built to steal browser data, cryptocurrency wallet details, system information, screenshots, common files, Telegram data, Discord tokens and passwords. Researchers said they linked the activity to more than 100 public GitHub repositories, with some posed as gaming cheats or utility downloads, while others faked legitimate software tools. In one case, a fraudulent Voicemod Pro repository appeared just below the real result in Google search.

"The campaign's reliance on SEO-optimized GitHub repositories and fake 'free tool' download sites underscores an important trend: threat actors increasingly exploit trust in legitimate developer platforms and open-source ecosystems," said Trend Micro.

For enterprise defenders, the reports highlight a continued challenge: legitimate services can be used to deliver malicious content. Fortra said that "legitimate service abuse and sophisticated email routing methods complicate the detection of phishing content," while Trend Micro found that users could also be led to malicious repositories through search results and download pages that appeared routine.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
