Sunday, June 15, 2025
HomePassword AttacksHackers Abuse GitHub Service to Host Variety of Phishing Kits to Steal...

Hackers Abuse GitHub Service to Host Variety of Phishing Kits to Steal Login Credentials

Published on

SIEM as a Service

Follow Us on Google News

Hackers abuse popular code repositories service such as GitHub to host a variety of phishing domains to make their targets to believe it is through github.io domains.

By using well-known services like Dropbox, Google Drive, Paypal, eBay, and Facebook, attackers able to bypass whitelists and network defenses.

Proofpoint identified a range of malicious activities that target users from various organizations. Here is the Example of a phishing kit hosted on GitHub service that lures the login credentials of a retail bank.

- Advertisement - Google News
GitHub service

Threat actors use github.io based landing pages to make the victims believe it is from the trusted source and to bypass traditional security solutions. The Phishing page uses the stolen brand logo and the graphics.

“In most cases of GitHub abuse described here, threat actors establish a canonical code repository site within the github.io canonical domain that resembles the brand they are abusing”, reads Proofpoint blog post.

app-l0gin- [.] github [.] io

Source code analysis reveals that the HTML script is slightly obfuscated and the lured credentials are sent to another compromised server that owned by attackers. Attackers use public GitHub landing page with PHP script loaded from remote servers.

GitHub service

Some threat actors use github.io domain only as a traffic redirector, “we were able to observe when actors made changes to their hosted web pages and most kits are not written from scratch and are instead simply modified by different actors.”

Proofpoint reported the abuse to GitHub and all the phishing accounts has been taken down by GitHub.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Gentoo Linux GitHub Account Hacked, Attackers Modified Repositories

Hacker disclosed GitHub secret key hunter – TruffleHog

GitHub Announces Unlimited Private Repositories For Free Plan

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Developers Beware – Sophisticated Phishing Scams Exploit GitHub Device Code Flow to Hijack Tokens

A sophisticated and increasing wave of cyberattacks now targets software developers through a little-known...

AitM Phishing Attacks on Microsoft 365 and Google Aimed at Stealing Login Credentials

A dramatic escalation in phishing attacks leveraging Adversary-in-the-Middle (AiTM) techniques has swept across organizations...

New SharePoint Phishing Campaigns Employing Deceptive Lick Techniques

Security analysts at CyberProof’s Security Operations Center (SOC) have identified a sharp rise in...