Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025.
“The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use,” Cisco Talos researchers Chris Neal and Craig Jackson
Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters
