Threat perpetrators are utilizing accessible GitHub repositories to store harmful payloads and disseminate them through Amadey during a campaign noted in April 2025.
“The MaaS [malware-as-a-service] providers employed counterfeit GitHub accounts to host payloads, tools, and Amadey extensions, presumably to evade web filtering and enhance user convenience,” stated Cisco Talos analysts Chris Neal and Craig Jackson.