Positive Technologies: Attacks via GitHub and GitLab Hit Record Levels

By posting fake projects on popular developer platforms (GitHub and GitLab), attackers trick users into executing malicious payloads that fetch additional components from a hacker-controlled repository. As a result, remote access trojans and spyware are downloaded onto victims’ devices.

Analysts at Positive Technologies have published a report on cyberthreats for the first half of 2025. According to their data, malware remains the primary method of successful attacks on organizations: it was used in 63% of cases.

At the same time, the share of malware distribution via websites reached 13%—almost twice as much as in the same period of 2024. According to the researchers, the highest number of such attacks in three years is driven by the growing popularity of schemes targeting developers. By compromising public repositories and using typosquatting, attackers infiltrate supply chains.

For example, in Russia, Brazil, and Turkey, gamers and cryptocurrency investors fell victim to a malicious campaign disguised as hundreds of open-source projects. An infostealer was downloaded to their devices, stealing cryptocurrency wallet addresses along with personal and banking data.

Meanwhile, in the US, Europe, and Asia, at least 233 victims were affected by a campaign by the North Korean Lazarus group: it deployed a JavaScript implant into developers’ systems to collect system information.

“The tactics of APT groups are evolving: they are moving from mass phishing to targeted attacks on developers. Their new target is technology supply chains. By implanting malware into development processes, attackers deliver a double blow: they compromise not only the immediate victim but also the projects it is connected to. We expect this trend to gather pace: attacks on IT companies and developers aimed at undermining supply chains will become more frequent,” comments Anastasia Osipova, junior analyst with the Positive Technologies research team.

The report also notes that since the start of this year, attackers have been actively using the technique of typosquatting in open-source ecosystems, counting on user errors when entering package names.

For example, researchers had earlier identified a malicious campaign in the PyPI repository targeting developers, machine learning specialists, and enthusiasts interested in integrating DeepSeek into their systems. The malicious packages deepseeek and deepseekai could collect data about the user and their computer, as well as steal environment variables.
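A defender-side check in the spirit of this passage, added here as an illustration and not taken from the report or from any project it names: it scores requested dependency names against an allow-list of packages a team actually uses with a Damerau-Levenshtein distance, so near-misses such as deepseeek or deepseekai are flagged before they are installed. The allow-list and the sample requirements lines are constructed for the example.

```python
# Added example, not code from the Positive Technologies report: flag
# dependency names that are near-misses of packages a team really uses,
# the pattern behind the deepseeek / deepseekai typosquats named above.
import re
from typing import Iterable, List, Optional, Tuple

# Constructed allow-list: packages this (hypothetical) project depends on.
KNOWN_PACKAGES = {"deepseek", "requests", "numpy", "urllib3", "cryptography"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap adjacent) turning a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(requested: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """'ok' for an exact known name, 'suspect' plus the closest known name
    when within max_distance edits of one, 'unknown' otherwise."""
    req = re.sub(r"[-_.]+", "-", requested).lower()  # PEP 503 name normalisation
    if req in known:
        return ("ok", req)
    dist, closest = min((damerau_levenshtein(req, k), k) for k in known)
    return ("suspect", closest) if dist <= max_distance else ("unknown", None)


def audit_requirements(lines: Iterable[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each requirements.txt line such as 'name==1.2' or 'name>=1'."""
    out = []
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name = re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0]
            out.append((name, *classify(name)))
    return out


# Constructed requirements as a victim of the campaign above might have typed them.
SAMPLE_REQUIREMENTS = ["deepseeek==0.1.0", "DeepSeek", "deepseekai", "requests>=2.31", "flask"]
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` marks deepseeek and deepseekai as suspect with deepseek as the closest legitimate name, accepts DeepSeek after normalisation, and reports flask as unknown; short names need a lower `max_distance`, since two edits separate many legitimate short package names.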