DevOps Under Siege: 21% Attack Surge in 2025 Turns Pipelines into Battlegrounds

Cyber incidents on GitHub, GitLab, and other DevOps platforms surged 21% in 2025, doubling downtime to 9,255 hours and costing $740K in productivity, says GitProtect. Attackers abuse pipelines for malware and token theft, with 2026 supply chain hits like Trivy underscoring the risks.
Written by Mike Johnson

DevOps teams face a brutal new reality. Cyber incidents hit platforms like GitHub, GitLab, Azure DevOps, and Jira 607 times in 2025—a 21% jump from 502 the year before. Downtime? Nearly doubled to 9,255 hours. That’s over $740,000 in lost engineering time, per a DevOps.com report on GitProtect’s DevOps Threats Unwrapped Report 2026.

Attackers aren’t just knocking. They’re inside, weaponizing the tools developers trust. GitHub saw incidents climb 58% in H1 2025 alone, from 69 to 109 cases. GitLab clocked 59 disruptions totaling 1,346 hours. Jira racked up 2,390 hours—almost 100 days—of outages. Azure DevOps endured a 159-hour global meltdown in January.

Daria Kulikova, head of GitProtect Lab, nails it: “It was a year when trusted development platforms, automation pipelines, and cloud identities became a playground for cyber criminals. Attackers leveraged platforms such as GitHub, GitLab, Atlassian, and Microsoft as part of their malware campaigns—they used trusted DevOps platforms as malware distribution channels, command-and-control infrastructure, and credential harvesting pipelines.”

Short. Sharp. Alarming.

And the hits kept coming into 2026. Aqua Security’s Trivy scanner fell to a supply chain compromise in March. Threat actors pushed malicious versions—v0.69.4, even v0.69.5 and 0.69.6—via GitHub, exposing 33,000 secrets across 7,000 machines. As detailed in Aqua Security’s GitHub discussion and Elastic Security Labs, attackers exploited stale tokens post-rotation, turning CI/CD into a malware vector. HackerBot-Claw scanned public repos for weak GitHub Actions configs, blending branch name injections, poisoned Go inits, and AI prompt hacks.

Platforms Cracking Under Pressure

GitHub led the pack with 33% of H1 2025 incidents. Actions workflows failed spectacularly in May—a 5-hour backend caching glitch delayed 20% of Ubuntu runner jobs. April? 330 hours of chaos. Malware like Amadey, AsyncRAT, and Neptune RAT spread via the platform, per GitProtect’s mid-year report.

GitLab patched 65 vulns in H1, down slightly from 70, but suffered Europcar’s breach. Attackers snagged Android/iOS source code and data on 200,000 customers. One outage? Four hours of 503 errors from database saturation.

Azure DevOps pipelines crumbled 31 times. Boards, repos, test plans—all hit. That January saga blocked builds worldwide, with Europe bearing 34% of the pain.

Jira’s ecosystem—Service Management, Work Management—saw ransomware from Hellcat. Targets: Telefónica, Jaguar Land Rover, LeoVegas. Free-tier users in Singapore and California waited 120 minutes per outage during prolonged maintenance.

Bitbucket added 22 incidents, 168 hours down, including a 3-hour-47-minute global API wipeout.

High-severity events? Up 69% to 156, burning 1,750+ hours. Vulnerabilities patched: 236 total, 14 critical. Second half of 2025 saw 30% more fixes.

But wait. Outages only tell half the story.

Attackers Hijack the Build Pipeline

Criminals love OAuth tokens. Long-lived PATs. MFA bypass kits. Campaigns like Shai-Hulud, GhostAction (3,325 secrets stolen), GPUGate, GitVenom abused automation to pilfer creds and poison packages. PyStoreRAT, Lumma Stealer, SmartLoader flowed through fake libs. AI-generated repos lurked for recon.

Kulikova again: “Identity was another attack direction. Hackers abused OAuth flows, long-lived Personal Access Tokens (PATs), and MFA-bypassing phishing kits to bypass defenses on Microsoft 365, GitHub, and collaboration tools at scale.”

Tech and telecom sectors bled most. Crimson Collective hit Red Hat, Nissan. Hellcat prowled Jira.

Recent echoes amplify the threat. GitGuardian tracked Shai-Hulud 2 harvesting developer machine secrets—59% on CI/CD runners. LiteLLM packages scooped SSH keys, API tokens. Self-hosted GitLabs and Docker registries leaked 80,000 creds, 10,000 live.

Greg Bak, GitProtect’s head of product enablement, warns in DevOps.com: “We are witnessing a clear upward trend in outages and disruptions across DevOps platforms, but also in the frequency and sophistication of ransomware attacks and source code thefts, demonstrating that traditional perimeter security is no longer sufficient.”

Pipeline abuse scales fast. Compromise one runner, infect thousands. Trivy’s fallout proves it—tokens lingered weeks, fueling downstream chaos.

Teams pay now or later. Degraded performance accounted for 62% of outages. Maintenance ate 30% of the time despite being just 4% of events.

Fight back? GitProtect pushes resilience: zero-trust AI, least-privilege tokens, credential rotation, phishing-resistant MFA, multi-service redundancy, behavioral detection. Bak adds: “Anticipating failures before they happen, paired with self-healing infrastructure and recovery strategies that go beyond just technology, will redefine how organizations safeguard uptime, data integrity and business continuity.”

Pin actions to SHAs. Rotate secrets atomically. Mirror repos. Run post-mortems.
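
One way to check the "pin actions to SHAs" advice, as an added example that is not from the article or from GitProtect: a Python audit that flags `uses:` references in a GitHub Actions workflow that point at a tag, branch or short hash instead of a full 40-character commit SHA. The workflow text, the example-org action names and the SHA below are constructed for illustration.

```python
import re

# A `uses:` key on a step or reusable-workflow job, optionally quoted.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(['\"]?)([^'\"\s#]+)\1")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(ref):
    """Return 'pinned', 'local', or a reason string for an unpinned reference."""
    if ref.startswith("./"):
        return "local"  # same-repo action, versioned together with the workflow
    if ref.startswith("docker://"):
        return "pinned" if DIGEST.search(ref) else "docker image not pinned by digest"
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "no version given"
    if FULL_SHA.match(version):
        return "pinned"
    # Tags, branches and abbreviated hashes can all be repointed or are ambiguous.
    return f"'{version}' is not a full commit SHA"

def audit_workflow(text):
    """Return (line_number, reference, reason) for every unpinned `uses:` entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group(2))
        if verdict not in ("pinned", "local"):
            findings.append((lineno, m.group(2), verdict))
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/scanner-action@main
      - uses: ./.github/actions/build
      - name: lint
        uses: "docker://example/linter:latest"
      - uses: example-org/tool@0123456
"""

if __name__ == "__main__":
    for lineno, ref, why in audit_workflow(SAMPLE):
        print(f"line {lineno}: {ref}: {why}")
```

Run in CI against every file under `.github/workflows/`, a non-empty result can fail the build before a repointed tag ever reaches a runner.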

The surge won’t stop. 2025’s 40% raw incident rise across core platforms, from 364 to 607, signals worse ahead. DevOps security isn’t optional. It’s survival.
