Cyber Threats to DevOps Platforms Rising Fast, GitProtect Report Finds


Software developers, CI/CD pipelines, and the tools they rely on are increasingly becoming attractive targets for threat groups. The number of cyberattacks on code repositories like npm and GitHub continues to mount as threat actors push their supply chain attacks.

Compromising open source packages, fake development tools, and social engineering are among the tactics bad actors use against developers. Researchers with Kaspersky Lab this month wrote that a combination of programmers’ unfounded belief that they are good at spotting threats and jobs that require them to often download and run third-party code “makes them sitting ducks for cyberattackers.”

GitProtect.io analysts this week detailed the mounting and evolving threats facing developers and their operations. In its DevOps Threats Unwrapped Report 2026, the DevOps backup and recovery specialist found that the number of incidents targeting DevOps environments in 2025 grew 21% year-over-year, and that the number of hours of impacted performance those incidents caused doubled to 9,255, costing more than $740,000 in lost engineering productivity.

The numbers in the report are based on publicly available information published by vendors on their status pages, security advisories, databases, and publicly reported incidents, according to GitProtect.

‘A Playground for Cyber Criminals’

“What could we remember 2025 for when it comes to DevOps threats?” Daria Kulikova, head of GitProtect Lab, wrote in the report. “It was a year when trusted development platforms, automation pipelines, and cloud identities became a playground for cyber criminals. Attackers leveraged platforms such as GitHub, GitLab, Atlassian, and Microsoft as part of their malware campaigns – they used trusted DevOps platforms as malware distribution channels, command-and-control infrastructure, and credential harvesting pipelines.”

Kulikova pointed to how various campaigns – such as Shai-Hulud, GhostAction, GPUGate, and GitVenom – abused automation and stole tokens to compromise repositories, listed a range of malware families like PyStoreRAT, SmartLoader, Lumma Stealer, and AsyncRAT that were distributed through fake libraries, poisoned packages, and other means, and noted that AI-generated repositories and dormant accounts were used for credential theft and covert reconnaissance.

“However, attackers werenʼt only limited to distributing the code on DevOps platforms,” she wrote. “Identity was another attack direction. Hackers abused OAuth flows, long-lived Personal Access Tokens (PATs), and MFA-bypassing phishing kits to bypass defenses on Microsoft 365, GitHub, and collaboration tools at scale.”

By the Numbers

The numbers in the report illustrate the turn bad actors are taking toward developers. In 2024, GitHub, GitLab, Azure DevOps and Jira saw a total of 364 incidents, and that number jumped last year to 607, about a 40% rise. Among those incidents, 156 were critical or major events that consumed more than 1,750 hours of downtime, a 69% increase in high-severity disruptions from 2024, when there were only 48 such cases.

The need to patch software vulnerabilities also grew throughout 2025, according to the report. In all, vendors reported 236 security flaws that were patched across DevOps services, including 14 deemed critical, with a CVSS severity score of 9.0 or higher, and another 126 given high-severity ratings.

In addition, there was a 30% increase in patched vulnerabilities between the first and second halves of the year, Kulikova wrote.

Downtime Increases

The downtime caused by the growing number and severity of incidents was significant, according to the analysts. There was a 21% increase in the number of incidents – from 502 in 2024 to 607 last year – and total downtime jumped almost 95%, from 4,755 hours to 9,225. The disruptions didn’t just grow more frequent but also became more difficult to resolve, they wrote.

About 62% of the outages of DevOps platforms were driven by the degraded performance caused by attacks, according to GitProtect’s numbers. That said, they accounted for only 34% of the total downtime. Maintenance that needed to be done following incidents – which made up only 4% of the total number of outages – consumed 30% of the lost time, showing that planned and unplanned maintenance was the primary reason for platforms not being available.

Some Things Stay the Same

There are some areas that didn’t change much year-to-year, according to the report. The technology and software sectors were still the most targeted, with others like telecommunications, automotive, and education also in the crosshairs, and ransomware and extortion groups, such as Hellcat and Crimson Collective, were behind a large number of data breaches, which targeted high-profile companies like Red Hat, Nissan, and Europcar.

“As attackers blend trusted platforms, hardware-aware evasion, malicious AI-generated code, and phishing-as-a-service into their arsenals, the 2025 threat landscape makes one thing clear: traditional perimeter defenses and reactive monitoring are no longer enough,” Kulikova wrote. “Organizations need to ensure the resilience of their environment.”
