Red Hot Cyber


GitHub and GitLab are increasingly under fire! Targeted attacks on developers via fake repositories

Redazione RHC : 31 August 2025 10:21

By hosting fake projects on popular development platforms (GitHub and GitLab), attackers trick users into running malicious payloads that pull add-ons from a hacker-controlled repository. As a result, remote access Trojans and spyware are downloaded to victims’ devices.

Analysts at Positive Technologies have presented a report on cyber threats for the first half of 2025. According to their data, the main method of successfully attacking organizations remains malware: it was used in 63% of cases.

At the same time, the share of malware distribution via websites reached 13%—almost double the figure for the same period in 2024. According to researchers, the record number of such attacks in three years is due to the growing popularity of developer-targeting strategies. By compromising open repositories and typosquatting, criminals infiltrate supply chains.

For example, in Russia, Brazil, and Turkey, a malicious campaign disguised as hundreds of open-source projects has targeted cryptocurrency players and investors, downloading an infostealer onto their devices that steals crypto wallet addresses, personal data, and banking information.

Meanwhile, at least 233 victims in the United States, Europe, and Asia have been affected by a campaign of the North Korean Lazarus group, which implanted a JavaScript program into developers’ systems designed to collect information about the system.

“APT groups’ tactics are evolving from mass phishing to targeted attacks on developers. Their new target is the supply chains of various technologies. By introducing malware into development processes, attackers strike a double blow: they hit not only the victim themselves, but also the projects they are associated with. We expect this trend to gain momentum: attacks on IT companies and developers with the aim of weakening supply chains will occur more frequently,” comments Anastasia Osipova, junior analyst at the Positive Technologies research group.

The report also notes that since the beginning of the year, attackers have actively used typosquatting techniques in open source ecosystems by exploiting user errors when entering package names.

For example, experts had previously identified a malicious campaign in the PyPI repository that targeted developers, ML specialists, and enthusiasts interested in integrating DeepSeek into their systems. The malicious packages deepseeek and deepseekai could collect data about the user and their computer, as well as steal environment variables.
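The typosquatting described above relies on names that differ from a legitimate package by an edit or two. As an added example (not code from the article or from Positive Technologies), the following check compares the package names in a requirements file against a constructed allowlist of trusted packages and flags near-matches; the allowlist, the edit-distance threshold and the sample requirements are all assumptions for illustration.

```python
# Added example (not from the article): flag likely typosquats among package
# names by comparing them with a constructed allowlist of trusted packages.
import re

TRUSTED = {"deepseek", "requests", "numpy"}  # constructed allowlist

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of -_. become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Pull package names out of requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def suspicious(names, trusted=TRUSTED, max_dist=2):
    """Return (name, lookalike, distance) for every name that is not trusted but
    sits within max_dist edits of a trusted name or extends one as a prefix."""
    hits, norm_trusted = [], {normalize(t) for t in trusted}
    for n in names:
        nn = normalize(n)
        if nn in norm_trusted:
            continue
        for t in sorted(norm_trusted):
            d = levenshtein(nn, t)
            if d <= max_dist or nn.startswith(t):
                hits.append((n, t, d))
                break
    return hits

SAMPLE = "deepseeek==0.1.0\ndeepseekai\nnumpy>=1.26\nrequests\n"  # constructed

if __name__ == "__main__":
    for name, like, dist in suspicious(parse_requirements(SAMPLE)):
        print(f"suspicious: {name!r} resembles {like!r} (distance {dist})")
```

Run against the constructed sample, it reports the two DeepSeek lookalikes named in the article while leaving the allowlisted packages untouched; in practice the allowlist would be the project's own lock file or an internal registry.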

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
