Microsoft rolls out out-of-band security patches to fix two Defender zero-days
The company has also patched a critical remote code execution flaw for which there are no signs of active exploitation.
Criminal groups allegedly used the service to hide their identities and online infrastructure.
The company said that its current investigation indicates the attackers accessed only GitHub's internal repositories.
Webworm has shifted from the McRat and Trochilus remote access trojans to lightweight proxy infrastructure and cloud-based C&C mechanisms.
The intrusion chain involved attackers delivering a legitimate executable, a matching .config file, and a malicious DLL designed for sideloading into the trusted process.
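A triage script for the layout this item describes, added here as an illustration and not taken from the report or from any vendor tooling. It assumes the `.config` file is a .NET application configuration (`<name>.exe.config`) that steers assembly resolution via `<probing>`, `<codeBase>` or `<dependentAssembly>` elements, and flags folders where a validly signed executable sits beside such a config and a DLL that is unsigned or signed by a different publisher. The root path and the choice of config elements are assumptions for the example.

```powershell
# Added example (not from the article): hunt for the sideloading layout the
# item describes: an .exe, a matching <name>.exe.config that steers .NET
# assembly resolution, and a DLL in the same folder whose Authenticode signer
# differs from the executable's. Root path and the config elements treated as
# "steering" are assumptions for illustration, not indicators from the report.
param([string]$Root = 'C:\Users')

$hits = foreach ($cfg in Get-ChildItem -Path $Root -Recurse -Filter '*.exe.config' -File -ErrorAction SilentlyContinue) {
    # foo.exe.config -> foo.exe (BaseName strips only the final extension)
    $exe = Join-Path $cfg.DirectoryName $cfg.BaseName
    if (-not (Test-Path -Path $exe)) { continue }

    # Only configs that influence where assemblies are loaded from are interesting.
    try { [xml]$xml = Get-Content -Path $cfg.FullName -Raw } catch { continue }
    $ns = @{ ab = 'urn:schemas-microsoft-com:asm.v1' }
    $steer = Select-Xml -Xml $xml -Namespace $ns -XPath '//ab:probing | //ab:codeBase | //ab:dependentAssembly'
    if (-not $steer) { continue }

    $exeSig    = Get-AuthenticodeSignature -FilePath $exe
    $exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '<unsigned>' }

    foreach ($dll in Get-ChildItem -Path $cfg.DirectoryName -Filter '*.dll' -File) {
        $dllSig    = Get-AuthenticodeSignature -FilePath $dll.FullName
        $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<unsigned>' }

        # Trusted host binary next to an untrusted or differently signed DLL.
        if ($exeSig.Status -eq 'Valid' -and ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $exeSigner)) {
            [pscustomobject]@{
                Executable = $exe
                Config     = $cfg.FullName
                Dll        = $dll.FullName
                ExeSigner  = $exeSigner
                DllSigner  = $dllSigner
                DllStatus  = $dllSig.Status
            }
        }
    }
}

$hits | Format-Table -AutoSize
```

Treat the output as a worklist rather than a verdict: plenty of legitimate software ships a signed main executable with unsigned first-party DLLs, so the useful signal is the combination of a resolution-steering config, a recently written DLL, and a host binary that has no business living in a user-writable directory.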
The service abused Microsoft Artifact Signing to generate short-term certificates that allowed malware to appear as legitimate software.
The updated malware targets macOS users via fake installers for popular applications including WeChat and Miro.