GitHub itself is a legitimate, secure platform used by millions of developers. However, its very strengths—open sharing, easy cloning, automated updates via git pull, and reputation as a “safe” source—make it an ideal vector for spreading malicious code.

Actors create repositories with names similar to high-profile tools (e.g., mimicry of official Microsoft repositories) and use professional-looking README files to build unearned trust.
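A defender-side check in this spirit, added here as an example and not taken from the original post: before cloning, compare the URL's owner/repo against an allowlist of trusted repositories and flag names that match only after homoglyph or separator normalization, or that sit within a small edit distance. The allowlist entries, the homoglyph table and the 0.85 threshold are constructed assumptions.

```python
"""Flag GitHub clone URLs whose owner/repo mimics a trusted repository."""
import difflib
from urllib.parse import urlparse

# Constructed allowlist of trusted owner/repo pairs (example values).
TRUSTED_REPOS = {"microsoft/vscode", "microsoft/PowerToys", "python/cpython"}

# Substitutions commonly used to build lookalike names (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                            "-": "", "_": ""})


def normalize(name: str) -> str:
    """Lowercase and collapse digit-for-letter swaps and separators."""
    return name.lower().translate(HOMOGLYPHS)


def owner_repo(url: str) -> str:
    """Extract 'owner/repo' from an https:// or git@ clone URL."""
    path = url.split(":", 1)[1] if url.startswith("git@") else urlparse(url).path
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    parts = path.split("/")
    if len(parts) < 2:
        raise ValueError(f"not an owner/repo URL: {url}")
    return f"{parts[0]}/{parts[1]}"


def classify(url: str, threshold: float = 0.85) -> tuple[str, str]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted repo)."""
    target = owner_repo(url)
    # GitHub owner/repo names are case-insensitive, so a case change alone is not a mimic.
    for trusted in TRUSTED_REPOS:
        if target.lower() == trusted.lower():
            return "trusted", trusted
    norm_target = normalize(target)
    best, best_ratio = "", 0.0
    for trusted in TRUSTED_REPOS:
        norm_trusted = normalize(trusted)
        if norm_target == norm_trusted:
            return "lookalike", trusted  # differs only by homoglyphs or separators
        ratio = difflib.SequenceMatcher(None, norm_target, norm_trusted).ratio()
        if ratio > best_ratio:
            best, best_ratio = trusted, ratio
    if best_ratio >= threshold:
        return "lookalike", best  # one or two characters away from a trusted name
    return "unknown", ""
```

An "unknown" result is not a verdict of safety; it only means the name does not resemble anything on the allowlist and still needs the usual review before cloning.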

The attacker isn’t breaking in. They’re being invited in—by a developer who typed git clone and hit Enter.
