
By posting fake projects on popular developer platforms (GitHub and GitLab), attackers trick users into executing malicious payloads that fetch additional components from a hacker-controlled repository. As a result, remote access trojans and spyware are downloaded onto victims’ devices.
Analysts at Positive Technologies have published a report on cyberthreats for the first half of 2025. According to their data, malware remains the primary method of successful attacks on organizations: it was used in 63% of cases.
At the same time, the share of malware distribution via websites reached 13%—almost twice as much as in the same period of 2024. According to the researchers, the highest number of such attacks in three years is driven by the growing popularity of schemes targeting developers. By compromising public repositories and using typosquatting, attackers infiltrate supply chains.
For example, in Russia, Brazil, and Turkey, gamers and cryptocurrency investors fell victim to a malicious campaign disguised as hundreds of open-source projects. An infostealer was downloaded to their devices, stealing cryptocurrency wallet addresses along with personal and banking data.
Meanwhile, in the US, Europe, and Asia, at least 233 victims were affected by a campaign by the North Korean Lazarus group: it deployed a JavaScript implant into developers’ systems to collect system information.
“The tactics of APT groups are evolving: they are moving from mass phishing to targeted attacks on developers. Their new target is technology supply chains. By implanting malware into development processes, attackers deliver a double blow: they compromise not only the immediate victim but also the projects it is connected to. We expect this trend to gather pace: attacks on IT companies and developers aimed at undermining supply chains will become more frequent,” comments Anastasia Osipova, junior analyst with the Positive Technologies research team.
The report also notes that since the start of this year, attackers have been actively using the technique of typosquatting in open-source ecosystems, counting on user errors when entering package names.
For example, researchers earlier identified a malicious campaign in the PyPI repository targeting developers, machine learning specialists, and enthusiasts interested in integrating DeepSeek into their systems. The malicious packages deepseeek and deepseekai could collect data about the user and their computer, as well as steal environment variables.
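The typosquatting pattern described above (deepseeek, deepseekai versus the intended name) can be caught on the defender's side before installation. The following is an added example, not code from Positive Technologies or from the report: it screens a requirements list against a constructed allow-list of intended packages and flags names that are a short edit distance away from one of them.

```python
"""Flag dependency names that look like typosquats of trusted packages.

Added example (not from the Positive Technologies report). Each requirement
is normalised and compared against an allow-list using optimal-string-
alignment (Damerau-Levenshtein) distance, so near-misses such as
'deepseeek' or 'deepseekai' are surfaced before 'pip install' runs.
The allow-list and the sample requirements below are constructed."""
import re

# Constructed allow-list: the packages an organisation actually intends to use.
TRUSTED = {"deepseek", "requests", "numpy", "cryptography"}


def dl_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(lines, trusted=TRUSTED, max_dist=2):
    """Return {requirement: lookalike} for names near, but not in, the allow-list."""
    suspicious = {}
    norm_trusted = sorted(normalize(t) for t in trusted)
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        # Strip version specifiers, extras and markers to get the bare name.
        name = normalize(re.split(r"[\s\[<>=!~;]", line, 1)[0])
        if name in norm_trusted:
            continue  # exact allow-listed name
        for t in norm_trusted:
            if 0 < dl_distance(name, t) <= max_dist:
                suspicious[name] = t
                break
    return suspicious


# Constructed requirements file containing the two names cited in the report.
SAMPLE = ["deepseek>=1.0  # intended", "deepseeek", "deepseekai==0.1", "requests", "numpy"]

if __name__ == "__main__":
    print(check_requirements(SAMPLE))  # {'deepseeek': 'deepseek', 'deepseekai': 'deepseek'}
```

Run it against a project's requirements file in CI and fail the build on a non-empty result; legitimate packages that happen to be close to an allow-listed name are handled by adding them to the allow-list.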
