2025 was the year the perimeter quietly disappeared. Attackers stopped knocking on the firewall and walked in through the build pipeline, the IDE, the OAuth consent screen, and the AI coding assistant. For UAE enterprises operating under VARA, DFSA, SCA, ADGM, CBUAE and DHA mandates, the threat landscape mapped out in GitProtect's 2026 DevOps Threats Unwrapped Report is not a foreign forecast — it is a direct operational warning. This is ITSEC's reading of what the data means for security leaders building, regulating and defending technology in the Emirates.
The Numbers Every UAE CISO Should Read Twice
Strip away the narrative and the 2025 figures speak for themselves. Across GitHub, GitLab, Azure DevOps, Atlassian's Jira and Bitbucket, a combined 607 incidents were logged on public status pages — roughly a forty percent rise on 2024. Of those, 156 were classified as critical or major, consuming over 1,750 hours of high-severity downtime. That is a sixty-nine percent year-on-year jump in the disruptions that actually halt deployment, freeze release trains and lock CI/CD pipelines while customer-facing services degrade.
Vulnerability output matched the curve. Vendors patched 236 DevOps platform vulnerabilities over the year. Fourteen carried CVSS scores of 9.0 or higher, and a further 126 were rated high severity. The second half of the year saw thirty percent more patches than the first, and Q4 alone accounted for thirty-four percent of the annual total. The volume is climbing, the severity is climbing, and the window between disclosure and weaponisation is shrinking.
On top of that, dedicated threat campaigns — GhostAction, Shai-Hulud, the nx supply-chain breach, GPUGate, GitVenom, PyStoreRAT, and the IDEsaster cluster targeting AI coding assistants — demonstrated how a single stolen token, one malicious workflow or one prompt injection can cascade through thousands of repositories before defenders have finished morning coffee. Familiar malware families resurfaced in unfamiliar wrappers: Lumma Stealer, RedLine, Amadey, AsyncRAT, DCRat, Venom RAT and ZeroCrumb all rode trusted dev platforms into corporate networks during 2025.
The takeaway for any UAE board reviewing 2026 cyber risk: DevOps environments are no longer the IT plumbing security teams can deprioritise. They are the primary attack surface, the regulatory exposure surface, and increasingly the legal liability surface.
AI in DevOps: The Trust Boundary Has Collapsed
If 2024 was the year UAE enterprises adopted GitHub Copilot, GitLab Duo and Atlassian Rovo at scale, 2025 was the year attackers worked out how to weaponise them. GitProtect's analysts logged sixty-eight AI-related incidents across major DevOps platforms in 2025, with a clear acceleration through the year — ten in Q1, eighteen in Q2, and twenty each in Q3 and Q4.
The most consequential pattern was prompt injection escaping the chatbox and turning into remote code execution. Researchers disclosed a vulnerability class called IDEsaster that affected GitHub Copilot, Cursor, Zed.dev, Roo Code, JetBrains Junie, Gemini CLI and Claude Code. At least twenty-four CVEs were assigned across the cluster. The attack chain was elegant in its simplicity: malicious prompts trick AI agents into modifying configuration files such as .vscode/settings.json or .idea/workspace.xml, after which the agent — operating with the developer's privileges — quietly executes arbitrary commands.
August's CVE-2025-53773 against GitHub Copilot and Visual Studio Code took this further. By exploiting Copilot's ability to modify settings, attackers could activate a so-called "YOLO mode" that removed user confirmation entirely, then push self-spreading payloads through Git repositories, conscripting developer workstations into AI-driven botnets dubbed ZombAIs.
Microsoft 365 Copilot had its own breakout: EchoLeak, tracked as CVE-2025-32711, was a zero-click data-exfiltration flaw scored 9.3. Malicious prompt injections hidden inside ordinary emails were silently absorbed by Copilot's retrieval-augmented context window and exfiltrated through Teams or SharePoint URLs — without a single user action. The same month, Cato Networks demonstrated a "Living off AI" technique that smuggled prompt-injection payloads through Jira Service Management tickets, then used the connected Atlassian Model Context Protocol agent as a confused deputy to extract tenant data while the threat actor stayed entirely external.
Add to this the supply-chain dimension: AWS quietly contained a compromised Amazon Q Developer extension on the VS Code Marketplace in July, after a malicious pull request slipped past review and injected a destructive prompt into roughly a million users' update channel. And December's PyStoreRAT campaign weaponised dormant GitHub accounts to publish polished, AI-generated repositories that masqueraded as security tools and OSINT utilities — built convincingly enough to deceive even researchers actively hunting for malicious code.
The lesson for UAE security teams is uncomfortable but unavoidable: AI agents inside development environments must be treated as untrusted actors by default. Input must be sanitised before it ever reaches a model. Outputs must be sandboxed. Agent capabilities must be scoped tightly, with short-lived credentials, IP-restricted tokens, and mandatory human-in-the-loop review for any privileged action. For VARA-licensed firms running custodial or trading platforms, the calculus is even sharper: an AI assistant with write access to the same repository that touches production wallet logic is a control failure waiting to make headlines.
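One way to enforce human review for the IDEsaster pattern described above is to flag every change set that touches IDE configuration before it merges. This is an added example, not code from GitProtect, ITSEC or any vendor named here; it parses git diff output, and the widened watch list, the function names and the sample diff (including the setting example.tool.skipConfirmation) are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# The two files the article names, widened to any JSON/XML file in the same
# IDE directories at any depth. The widening is an assumption of this example.
WATCHED = (
    re.compile(r"(^|/)\.vscode/[^/]+\.json$", re.IGNORECASE),
    re.compile(r"(^|/)\.idea/[^/]+\.xml$", re.IGNORECASE),
)
JSON_KEY = re.compile(r'^\s*"([^"]+)"\s*:')

@dataclass
class Finding:
    path: str
    added_lines: int = 0
    removed_lines: int = 0
    added_keys: list = field(default_factory=list)  # JSON keys on added lines

def _clean(raw):
    """Strip git's a/ or b/ prefix; /dev/null means no file on that side."""
    raw = raw.strip()
    if raw == "/dev/null":
        return None
    return raw[2:] if raw[:2] in ("a/", "b/") else raw

def scan_diff(diff_text):
    """Map each watched path touched by `git diff` output to a Finding."""
    findings = {}
    path = old_path = None
    in_hunk = False

    def touch(p):
        watched = p and any(rx.search(p) for rx in WATCHED)
        return findings.setdefault(p, Finding(p)) if watched else None

    for line in diff_text.splitlines():
        if line.startswith("diff --git "):        # next file: reset state
            path = old_path = None
            in_hunk = False
        elif line.startswith("@@"):               # hunk header
            in_hunk = True
        elif not in_hunk:
            if line.startswith("--- "):
                old_path = _clean(line[4:])
            elif line.startswith("+++ "):
                path = _clean(line[4:]) or old_path   # deletion keeps old name
                touch(path)
            elif line.startswith("rename to "):       # moved without edits
                path = line[len("rename to "):].strip()
                touch(path)
        else:
            hit = touch(path)
            if hit and line.startswith("+"):
                hit.added_lines += 1
                key = JSON_KEY.match(line[1:])
                if key:
                    hit.added_keys.append(key.group(1))
            elif hit and line.startswith("-"):
                hit.removed_lines += 1
    return findings

def paths_needing_review(diff_text):
    """Paths a human must approve before the change set is merged."""
    return sorted(scan_diff(diff_text))

# Constructed sample: one ordinary edit, one settings change, one new
# workspace file in a nested project, one file renamed into .vscode/.
SAMPLE_DIFF = """\
diff --git a/src/app.py b/src/app.py
--- a/src/app.py
+++ b/src/app.py
@@ -1 +1,2 @@
 import os
+import sys
diff --git a/.vscode/settings.json b/.vscode/settings.json
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +1,4 @@
 {
-  "editor.tabSize": 2
+  "editor.tabSize": 2,
+  "example.tool.skipConfirmation": true
 }
diff --git a/tools/.idea/workspace.xml b/tools/.idea/workspace.xml
new file mode 100644
--- /dev/null
+++ b/tools/.idea/workspace.xml
@@ -0,0 +1,2 @@
+<project version="4">
+</project>
diff --git a/config/tasks.json b/.vscode/tasks.json
similarity index 100%
rename from config/tasks.json
rename to .vscode/tasks.json
"""
```

Run as a required status check, a non-empty result from paths_needing_review blocks the merge until a named reviewer approves the listed files.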
Software Supply Chain Compromise: When One Stolen Token Poisons Thousands
The supply-chain story of 2025 is the story of how attackers learnt to scale. Where individual malicious packages dominated 2023 and 2024, the dominant pattern in 2025 was the self-propagating worm and the cross-project pivot.
Two campaigns stand out. GhostAction, surfaced in September, compromised the secrets of 327 developers across 817 GitHub repositories. The initial vector was a malicious GitHub Actions workflow injected into the popular FastUUID project; the workflow then silently exfiltrated CI/CD secrets — API keys, npm tokens, PyPI tokens, DockerHub credentials, Cloudflare keys, cloud credentials — to attacker-controlled infrastructure. Roughly 3,300 secrets were leaked before the campaign was contained.
Shai-Hulud went one step further. The worm compromised over forty developer accounts and trojanised more than 180 npm packages in its first wave, climbing past 500 affected packages and 700 malicious versions before the ecosystem caught up. The malware exploited npm post-install scripts to run TruffleHog locally, harvest secrets, and publish them into freshly created public "Shai-Hulud Migration" repositories on GitHub. Then it used stolen npm tokens to trojanise additional packages maintained by each victim — a self-replicating chain reaction across the JavaScript ecosystem. A second wave in December exposed up to 400,000 development secrets across roughly 30,000 GitHub repositories.
The August nx supply-chain breach followed the same blueprint. A vulnerable GitHub Actions workflow allowed command injection via a crafted pull request title, which leaked an npm publishing token. That token was used to release tainted nx versions whose post-install scripts scanned filesystems, harvested credentials, modified shell configuration files, and — uniquely — abused installed AI developer tools to automate reconnaissance.
March brought the tj-actions/changed-files compromise, which traced back to a personal access token stolen from a SpotBugs maintainer in late November 2024. The attackers exploited a vulnerable pull_request_target workflow, leaked the maintainer's PAT, pivoted laterally into the reviewdog ecosystem, and poisoned the reviewdog/action-setup dependency. That tainted dependency flowed into tj-actions/changed-files, which was used by over 23,000 public and private repositories. By the time Coinbase, the original target, detected the activity, the same technique had infected hundreds of downstream projects.
April's CodeQLEAKED incident (CVE-2025-24362) showed that even GitHub's own infrastructure was not immune: a GitHub App installation token with full write permissions was inadvertently stored inside a workflow artefact for just over one second — long enough for a race-condition exploit to extract it and theoretically push malicious code into the default CodeQL workflows that run across hundreds of thousands of repositories.
The systemic pattern is now clear. Long-lived tokens, permissive default workflow permissions, mutable Git tags, and implicit trust in well-known npm and PyPI packages are no longer survivable as default configurations. UAE enterprises whose engineering organisations consume open-source dependencies — which is to say, essentially all of them — need to treat their CI/CD pipelines as Tier-0 infrastructure with Tier-0 controls: short-lived OIDC-issued credentials, signed and immutable workflow references (pinned to commit SHA, not tag), SBOM generation for every release, and continuous secret-scanning that runs both pre-commit and post-merge.
Secret Leaks and Identity Risk: Tokens Are the New Perimeter
If supply-chain attacks were the dominant headline of 2025, secret leaks were the dominant root cause beneath them. GitHub disclosed that its secret-scanning service detected more than 39 million leaked credentials across repositories in 2024 alone. The 2025 follow-on telemetry was no better. A single researcher uncovered over 17,000 exposed secrets across public GitLab Cloud repositories in roughly twenty-four hours of automated TruffleHog scanning — credentials dating back as far as 2009, many still valid, with Google Cloud Platform tokens, MongoDB keys, OpenAI keys and GitLab personal access tokens making up the bulk.
Wiz's research throughout the year painted an even sharper picture for the AI sector: sixty-five percent of leading AI companies had inadvertently leaked secrets in GitHub repositories. The exposed credentials were tied to AI firms collectively valued north of four hundred billion dollars and included tokens granting access to private models, training data, and internal infrastructure. The CrewAI token-exposure incident in November — where an exception response inadvertently returned an internal GitHub admin token during a provisioning failure — reinforced the point: long-lived credentials in automation paths are structurally fragile.
The follow-on attacker behaviour was equally consequential. Wiz separately reported that seventy-three percent of organisations store cloud credentials directly inside GitHub Actions secrets, meaning a compromised personal access token effectively functions as a backstage pass to AWS, Azure and Google Cloud production environments. December's exposure of a Home Depot GitHub token — left valid for more than a year, granting access to hundreds of private repositories tied to cloud infrastructure, inventory and order fulfilment — was the public reminder that the rotation gap is measured in years, not weeks.
Identity attacks closed the loop. Phishing-as-a-Service kits exploded in scale and sophistication. VoidProxy, observed from August onward, used adversary-in-the-middle infrastructure proxied through Cloudflare Workers to intercept Microsoft and Google credentials, MFA codes, and session tokens in real time. Whisper 2FA powered close to a million phishing attempts against Microsoft 365 between July and October. Tycoon 2FA, EvilProxy, Sneaky 2FA and Salty 2FA collectively drove over a million attacks against Microsoft 365 and Google Workspace in just the first two months of 2025. RaccoonO365 — whose alleged developer was arrested in Nigeria in December via a joint operation between Microsoft, the FBI and Nigerian authorities — facilitated the theft of at least five thousand Microsoft credentials across ninety-four countries.
Equally noteworthy were attacks against the assumptions behind identity itself. December's OAuth device-code phishing campaigns targeted Microsoft 365 with messages disguised as document shares, security alerts and salary notifications, tricking victims into entering legitimate device codes on Microsoft's own login pages — and unknowingly issuing the attackers a valid, MFA-protected access token. August's "ADFSjacking" technique abused Microsoft's own Active Directory Federation Services to redirect victims from genuine office.com URLs to attacker-controlled phishing pages, bypassing both user suspicion and traditional URL filters. The same month, attackers ran more than fifty fake Microsoft OAuth applications impersonating RingCentral, SharePoint, Adobe and DocuSign — phishing nearly three thousand accounts across over nine hundred Microsoft 365 tenants, with confirmed success rates above fifty percent.
For UAE enterprises — particularly those subject to VARA's Technology and Information Risk Rule, DFSA's COB Module 8, ADGM's FSRA cyber requirements or CBUAE's Information Security Standard — the practical conclusion is structural. MFA is necessary but no longer sufficient. The 2026 baseline must include phishing-resistant authentication (FIDO2, hardware tokens, certificate-based), Conditional Access policies that restrict OAuth device-code flows, mandatory enterprise-wide app consent governance, behavioural monitoring of authenticated sessions, and continuous rotation of any long-lived credential that touches a build, deploy or cloud-administration path.
Platform Outages: The Resilience Gap UAE Enterprises Cannot Afford
Beyond targeted attacks, the operational reliability of the DevOps stack itself deteriorated. Of the 607 incidents recorded across GitHub, GitLab, Azure DevOps, Jira and Bitbucket in 2025, GitLab alone logged sixty-two critical or major events totalling more than 754 hours of impact, with Jira close behind at forty-four incidents and 728 hours. Across the wider cloud ecosystem, the year delivered two reminders that centralisation is now its own systemic risk.
The October 20 AWS outage in us-east-1 — triggered by a latent defect in DynamoDB's automated DNS management — cascaded across compute, storage and dependent SaaS platforms, knocking thousands of services offline globally for several hours. Cloudflare followed with two further incidents in quick succession: one caused by an auto-generated configuration file intended for security management, the second by a Web Application Firewall maintenance change that took down dashboards, APIs and customer sites across regions. Microsoft 365 experienced regional outages in Australia and North America driven by network misconfigurations and authentication imbalances.
For UAE businesses, the resilience implication is not abstract. A trading platform that depends on GitLab for production deployment, Atlassian for incident tracking, Microsoft 365 for human communication and AWS for compute does not have four providers — it has one architecture with four single points of failure. Every UAE enterprise serious about operational resilience in 2026 needs to design explicitly for cloud-concentration risk: multi-region deployments, independent backup communication channels, immutable encrypted backups stored across multiple providers, tested point-in-time recovery, and incident-response playbooks that assume any one of these providers will be unavailable on the day it matters most.
Critical Vulnerabilities: The Velocity Problem
The 236 vulnerabilities patched across the major DevOps platforms in 2025 broke down into fourteen critical, 126 high, seventy-five medium and twenty-one low. Two flaws scored the maximum CVSS 10.0: CVE-2024-38999 in Bitbucket Data Center and Server (remote code execution via a vulnerable third-party dependency) and CVE-2025-66516 in Jira Software Data Center and Server (XML external entity injection via Apache Tika, with paths to information disclosure, server-side request forgery, denial of service and, in some scenarios, remote code execution).
Microsoft's May Patch Tuesday delivered a particularly consequential fix: CVE-2025-29813, a privilege-escalation and authentication-bypass vulnerability in Azure DevOps scored at the absolute CVSS ceiling. GitLab's two critical issues for the year, CVE-2025-25291 and CVE-2025-25292, hit the ruby-saml library used for SAML single sign-on — meaning an attacker holding a single legitimately signed SAML response could impersonate any other user inside the same SAML environment without knowing their credentials. The same flaw also affected GitHub. February brought five additional CVSS 9.8 Apache Tomcat vulnerabilities affecting Confluence and Crowd, each independently capable of remote code execution or authentication bypass.
Three patterns emerge from the patch data. First, the second half of the year was significantly worse than the first — high-severity flaws grew by 123 percent from H1 to H2. Second, third-party dependencies were responsible for a disproportionate share of the highest-severity vulnerabilities, reinforcing that supply-chain hygiene and platform patching are now the same problem. Third, Q4 emerged as the riskiest quarter on record, accounting for thirty-four percent of all patches and the largest concentration of critical issues.
The operational mandate for UAE enterprises is straightforward: patch cycles measured in weeks are no longer competitive, and patch cycles measured in months are negligent. Vulnerability management must be continuous, instrumented, and prioritised against actual exploitability — not just CVSS scores — with documented service-level objectives that survive board scrutiny under VARA, DFSA or CBUAE examination.
Phishing-as-a-Service and Identity Attacks: MFA Alone Is No Longer a Defence
Phishing-as-a-Service was the unambiguous growth market of 2025's underground economy. The named platforms — Tycoon 2FA, EvilProxy, Sneaky 2FA, Whisper 2FA, Salty 2FA, VoidProxy, SquarePhish2, Graphish and RaccoonO365 — share a common architecture: reverse-proxy infrastructure intercepting credentials and session cookies in real time, behind Cloudflare-fronted disposable domains, CAPTCHA gates that block automated scanners while allowing real users through, and Telegram-based affiliate channels that turn the kits into franchise operations.
The Tycoon-powered campaign abusing fake Microsoft OAuth apps was particularly instructive. Whether victims accepted or denied the requested permissions, they were redirected to identical phishing pages — meaning user choice had been engineered out of the kill chain. Salty 2FA mutated its infrastructure constantly to defeat static indicators, forcing defenders to detect behaviour rather than known-bad URLs. Whisper 2FA used AJAX-based session interception that never triggered a visible page reload, defeating naïve user training.
Add to this the OAuth device-code abuse already covered; the ADFSjacking technique that turned Microsoft's own infrastructure into a phishing redirector; the Outlook-resident "Authentic Antics" malware attributed to APT28, which ran inside the Outlook process and exfiltrated stolen OAuth tokens through the victim's own mailbox; and the abuse of Proofpoint and Intermedia link-wrapping services to launder malicious URLs through trusted security platforms. The conclusion is unambiguous: identity, not the endpoint, is the front line of 2026.
For UAE security leaders, the actionable shift is to elevate identity controls from a feature of M365 administration to a board-reported security programme: phishing-resistant MFA enforced through Conditional Access, OAuth app governance with allowlists and continuous review of consented applications, mandatory blocking of legacy authentication, geofencing for high-risk operations, and detection rules tuned to anomalous session activity rather than failed-login events alone.
APT Abuse of Trusted Platforms: GitHub as Espionage Infrastructure
State-aligned threat groups spent 2025 quietly upgrading their playbooks. The North Korean Kimsuky group ran a spearphishing campaign starting in March against South Korean targets that embedded hardcoded GitHub personal access tokens directly inside malware, using attacker-controlled GitHub repositories as command-and-control infrastructure, payload-hosting platforms and exfiltration channels for victim logs uploaded every thirty minutes. Repositories such as "hole_311" and "star," linked to accounts "Dasi274" and "luckmask," hosted XenoRAT and PowerShell loaders that blended malicious traffic with legitimate GitHub API activity to evade detection.
Lazarus Group ran "Marstech Mayhem," targeting software and Web3 developers through malicious npm packages and GitHub repositories, scanning infected systems for MetaMask, Exodus and Atomic wallets while modifying browser configurations to silently intercept transactions. SecurityScorecard confirmed at least 233 victims across the United States, Europe and Asia. Lazarus also extended its long-running "Contagious Interview" cluster, posing as recruiters on LinkedIn to lure developers in cryptocurrency and travel sectors into reviewing trojanised project code on GitHub or Bitbucket — a campaign that delivered a cross-platform JavaScript stealer, a Python backdoor, and additional .NET payloads. A separate Nisos investigation uncovered a coordinated network of suspected DPRK-linked IT workers using fake GitHub portfolios — complete with fabricated commit histories and synchronised co-author activity — to secure remote engineering jobs in Japan and the United States.
Other groups followed the same template. Brazil's Astaroth banking trojan used GitHub repositories to host configuration data hidden inside images via steganography, enabling resilient recovery after C2 takedowns. Colombia's Blind Eagle (APT-C-36) hosted Remcos RAT, HeartCrypt and PureCrypter payloads on GitHub and Bitbucket while compromising more than 1,600 victims across judicial, government and private targets. Taiwan's CrazyHunter ransomware operation built roughly eighty percent of its toolkit from modified GitHub-hosted open-source tools, including Bring-Your-Own-Vulnerable-Driver techniques and a customised Prince ransomware variant.
The convergence is unmistakable: GitHub is now espionage infrastructure as much as it is development infrastructure. For UAE enterprises with public repositories, organisation accounts, or third-party developers contributing code, this means treating repository activity as security telemetry. Anomalous repository creation, unusual API call patterns, off-hours commits, and traffic to known abuse-prone forks all belong inside the SOC's detection ruleset.
Enterprise Breaches via DevOps Compromise: The Cost of Long-Lived Credentials
Technology and software remained the most-targeted sector of 2025 for the second year running, but the most consequential breaches were the ones where DevOps platforms were the entry point into operations far outside the SDLC.
Red Hat's GitLab consulting environment was compromised in October by the Crimson Collective, which claimed to have copied data from as many as 28,000 repositories — including customer engagement reports that may have held configurations, architecture details and credentials. The follow-on impact reached Nissan, which confirmed in December that around 21,000 Japanese customers had been affected through the Red Hat-managed GitLab environment used for Nissan Fukuoka Sales' customer management system.
Jaguar Land Rover was hit twice. The Hellcat ransomware group used Jira credentials stolen years earlier by infostealer malware (Lumma) — credentials that had remained valid since 2021 — to infiltrate JLR's internal systems, with a second hacker operating under the alias APTS exfiltrating roughly 350GB beyond the initial leak. The September Scattered Lapsus$ Hunters attack forced the shutdown of global IT systems, halted manufacturing for more than a month, and contributed to a financial shortfall exceeding $890 million.
Telefónica faced repeated incidents: January's Jira compromise via stolen employee credentials exfiltrated approximately 2.3GB of internal tickets and documents; May's exploitation of a misconfigured Jira instance allegedly produced 106GB of internal data. Europcar confirmed a GitLab breach affecting up to 200,000 customers, with attackers stealing 37GB including SQL backups and 269 environment configuration files. Ascom's Jira ticketing system was breached for 44GB of data. Orange Group confirmed Jira-credential-based compromise. SK Telecom faced extortion claims tied to an alleged Bitbucket compromise containing Docker files, build configurations, Python extensions and AWS access keys. Toptal's GitHub organisation was breached and used to publish ten malicious npm packages — traced back to credentials exposed in the historic LastPass breach years earlier.
Disney's 1.1TB Slack exfiltration, kicked off by an employee downloading a malicious AI art tool from GitHub, demonstrated how a single compromised developer endpoint can produce a five-month data-theft window across 44 million messages, source code, unreleased project details, salary records and customer information. The University of Sydney's self-hosted GitLab compromise exposed personal data of more than 13,000 individuals. KiranaPro in India was driven offline entirely after attackers wiped its GitHub repositories and AWS infrastructure in a targeted insider-led attack.
The common denominator across nearly every one of these incidents is long-lived credentials that should have been rotated and were not, paired with detection regimes that took weeks or months to notice anomalous repository or ticket-system access. For UAE enterprises, the corollary is that secret management, credential rotation, and continuous monitoring of developer-platform access logs are not engineering hygiene — they are existential controls.
Compliance Failures: Certification Is Not Security
2025 marked a measurable shift in regulatory posture toward cybersecurity claims. The U.S. Department of Justice settled three substantial False Claims Act cases tied directly to inaccurate cybersecurity certifications: Health Net Federal Services and Centene paid $11.25 million for misrepresenting compliance with TRICARE cybersecurity controls between 2015 and 2018; MORSE Corp paid $4.6 million over falsified scoring against NIST SP 800-171 in DoD contracts; Raytheon and RTX paid $8.4 million tied to DFARS/FAR cybersecurity control failures.
The medical-device sector saw its first such enforcement: Illumina paid $9.8 million over false cybersecurity claims related to its genomic sequencing systems sold to federal agencies — significantly, with the DOJ arguing that misrepresentation alone constituted liability, regardless of whether any breach had occurred. The UK Information Commissioner's Office fined Capita £14 million following a 2023 cyber-attack that exposed personal data of 6.6 million people, after the firm failed to patch known vulnerabilities and took more than two days to isolate the compromised device. The Bank of England fined Vocalink £11.9 million for risk-management and governance failures under the Banking Act 2009. The Austrian Data Protection Authority ruled that Microsoft 365 Education had unlawfully tracked students, violating GDPR transparency principles — with significant implications across the EU.
GDPR enforcement overall logged 335 incidents in 2025, up from 297 in 2024. The longer-term trend remains downward from over 520 incidents in 2023, but the year-on-year rebound signals renewed enforcement activity. For UAE entities operating cross-border under PDPL, DIFC's Data Protection Law, ADGM Data Protection Regulations and sector-specific cyber rules from VARA, DFSA, SCA and CBUAE, the implication is direct: the regulator's posture is shifting from "demonstrate intent" to "evidence the controls actually operate." Documentation alone, without verifiable monitoring and incident response, is increasingly insufficient.
The 10 Imperatives for UAE Enterprises in 2026
Reading the 2025 record holistically, ten controls separate the organisations that absorbed the year well from those that became the case studies.
1. Treat AI assistants as untrusted actors by default. Sanitise all input flowing into agents. Sandbox all output. Scope agent capabilities tightly. Require human-in-the-loop review for any privileged action. Continuously monitor AI-driven activity across IDEs, CI/CD and collaboration tools.
2. Harden CI/CD pipelines to Tier-0 standards. Eliminate long-lived tokens. Use short-lived OIDC-issued credentials. Pin third-party actions to commit SHAs, never tags. Block pull_request_target workflows that touch secrets. Generate SBOMs for every release. Scan pre-commit and post-merge for secrets and malicious packages.
3. Make identity the new perimeter — and make it phishing-resistant. Roll out FIDO2 or hardware tokens for all administrative accounts. Restrict OAuth device-code flows via Conditional Access. Govern app consent centrally with allowlists. Block legacy authentication. Monitor authenticated sessions for behavioural anomalies rather than failed-login events alone.
4. Rotate credentials continuously and treat secrets as infrastructure. Centralise secrets in a managed vault. Automate rotation on policy-driven cadence. Audit historical commit histories for embedded credentials. Eliminate hardcoded secrets at source.
5. Design for cloud concentration risk. Multi-region deployments. Independent backup communication channels. Immutable, encrypted backups across multiple providers. Tested point-in-time recovery. Incident-response playbooks that assume any single provider will fail on the day it matters.
6. Patch on a continuous, exploitability-prioritised cadence. Service-level objectives that survive regulator scrutiny. Inventory all third-party dependencies — not just direct, but transitive. Subscribe to platform security advisories and treat them as operational, not informational.
7. Verify repository and package provenance before consumption. Distrust popularity metrics. Inspect maintainer history. Run dependency-confusion checks. Validate proof-of-concept exploit code in isolated environments before execution. Treat dormant accounts publishing polished new projects as a red flag.
8. Build a SOC capable of detecting DevOps-platform abuse. Ingest GitHub, GitLab, Atlassian, Microsoft 365 and cloud audit logs. Detect anomalous repository activity, off-hours commits, unusual API call patterns, and suspicious OAuth consents. Tune behavioural rules for the platforms your developers actually use.
9. Test resilience, do not assume it. Run tabletop exercises that include simulated AWS, Microsoft 365 and GitHub outages. Conduct purple-team exercises against your own CI/CD. Verify backups by restoring them on a scheduled cadence. Measure mean time to recover, not just mean time to detect.
10. Align compliance with operational truth. Document controls that actually operate. Generate evidence continuously, not at audit time. For VARA-, DFSA-, ADGM-, SCA-, CBUAE- and DHA-licensed entities, ensure cyber documentation matches operational reality — because regulators are increasingly testing that gap directly.
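The workflow rules in imperative 2 and in the supply-chain section above (commit-SHA pinning, pull_request_target combined with secrets, explicit token permissions, and the pull-request-title injection seen in the nx breach) can be checked mechanically. This is an added example, not code from GitProtect, ITSEC or GitHub; it is a line-based approximation rather than a full YAML parser, and the rule names, both sample workflows and the 40-character SHA are constructed.

```python
import re

PINNED_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s*)?uses\s*:\s*['\"]?([^'\"\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s*)?)run\s*:")
ON = re.compile(r"^['\"]?on['\"]?\s*:")
# Pull-request fields that an outside contributor controls.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.pull_request\.(?:title|body|head\.ref)\b")

def _code(line):
    """Drop a YAML comment (approximation: '#' at line start or after a space)."""
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()

def audit_workflow(text):
    """Return sorted (line_no, rule, detail) tuples for one workflow file."""
    findings, triggers = [], set()
    in_on = has_permissions = False
    run_col = secrets_line = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = _code(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())

        # Collect event names from the top-level `on:` block.
        if ON.match(line):
            in_on = True
        elif indent == 0:
            in_on = False
        if in_on:
            triggers.update(re.findall(r"[a-z_]+", line))

        if re.match(r"\s*permissions\s*:", line):
            has_permissions = True
        if secrets_line is None and "secrets." in line:
            secrets_line = no

        # Rule 1: third-party action referenced by tag or branch, not commit SHA.
        # Local actions are skipped; docker:// images are out of scope here.
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            rev = m.group(1).partition("@")[2]
            if not PINNED_SHA.match(rev):
                findings.append((no, "unpinned-action", m.group(1)))

        # Rule 2: PR-controlled text expanded inside a `run:` shell script.
        m = RUN.match(line)
        if m:
            run_col = len(m.group(1))        # column where the `run` key starts
        elif run_col is not None and indent <= run_col:
            run_col = None                   # left the script body
        if run_col is not None and UNTRUSTED.search(line):
            findings.append((no, "untrusted-input-in-run", line.strip()))

    # Rule 3: pull_request_target runs with the base repository's secrets.
    if "pull_request_target" in triggers and secrets_line:
        findings.append((secrets_line, "pull-request-target-with-secrets",
                         "secret referenced in a pull_request_target workflow"))
    # Rule 4: no explicit permissions, so GITHUB_TOKEN takes the repo default.
    if not has_permissions:
        findings.append((0, "no-permissions-block", "add a least-privilege block"))
    return sorted(findings)

# Constructed workflow that breaks all four rules.
WEAK_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - run: |
          echo "PR: ${{ github.event.pull_request.title }}"
      - env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          TITLE: ${{ github.event.pull_request.title }}
        run: ./publish.sh "$TITLE"
"""

# Constructed corrected form: pinned, scoped, title passed through env.
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR: $TITLE"
"""
```

Line number 0 marks a file-level finding; the title passed through env in the second workflow is not flagged because the shell receives it as data rather than as script text.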
How ITSEC Helps UAE Enterprises Operationalise These Controls
ITSEC has spent fourteen years building exactly this discipline for UAE enterprises. The 2025 threat record validates the architecture we have been advocating since long before AI assistants and PhaaS kits made it mainstream.
For the AI and supply-chain risks at the top of this list, our Application Security and DevSecOps practice integrates SAST, DAST, SCA, secrets-scanning and SBOM generation directly into client CI/CD pipelines, with bespoke detection logic for prompt-injection and malicious-action patterns. Our Penetration Testing and Red Team services include explicit DevOps-platform assessments — testing the security of your GitHub organisations, your GitLab self-managed environments, your Jira and Confluence configurations, your Microsoft 365 OAuth governance, and your AWS, Azure and GCP IAM postures.
For identity and credential exposure, our Identity and Access Management engineering deploys phishing-resistant MFA, Conditional Access policies, app consent governance, and continuous monitoring of authenticated sessions across hybrid Microsoft 365 and SaaS environments. Our Managed SOC and SIEM services ingest the developer-platform telemetry that most internal teams overlook, with detection rules tuned specifically to the abuse patterns documented through 2025.
For compliance, our Governance, Risk and Compliance consulting — delivered jointly with SecureVisa Group for licence-bearing entities — aligns documented controls with operational reality across VARA, DFSA, SCA, ADGM, CBUAE, DHA, ADHICS and ISR mandates. And our Blockchain Security practice extends every one of these controls into the smart-contract, wallet-architecture and custody-platform layers that VARA-licensed entities depend on.
On the product side, our internal compliance engineering — VeriFiX for KYC, KYB, AML and KYT, and ComplianceX for unified risk and compliance workflows — is built to consume signals from these same platforms and surface anomalies that traditional GRC tooling misses entirely.
Frequently Asked Questions
What was the biggest DevOps security trend in 2025?
The dominant trend was the convergence of three vectors: AI assistant abuse via prompt injection, software-supply-chain compromise via long-lived tokens and permissive CI/CD workflows, and identity attacks via Phishing-as-a-Service kits that bypass MFA. Each vector is independently serious; the systemic risk is that attackers increasingly chain them together, using a stolen GitHub PAT to pivot into a cloud account, or an AI prompt injection to exfiltrate secrets that then enable supply-chain compromise.
How many DevOps platform incidents and vulnerabilities were recorded in 2025?
According to GitProtect's 2026 report, 607 incidents were logged across GitHub, GitLab, Azure DevOps, Jira and Bitbucket — 156 of them critical or major, consuming over 1,750 hours of downtime. Vendors patched 236 vulnerabilities, including fourteen with CVSS scores of 9.0 or higher and 126 rated high severity. Both volume and severity rose sharply in the second half of the year.
Why is MFA no longer sufficient against modern phishing?
Modern Phishing-as-a-Service platforms — Tycoon 2FA, VoidProxy, Whisper 2FA, Salty 2FA and others — operate as adversary-in-the-middle reverse proxies. They sit between the victim and the legitimate login page, intercept credentials and MFA codes in real time, and capture the authenticated session cookie returned by the service. The attacker then uses that cookie to access the account, bypassing MFA entirely. The defensive response is phishing-resistant MFA — FIDO2 keys, hardware tokens, or certificate-based authentication — which cryptographically binds the authentication to the legitimate site and cannot be replayed.
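An added example, not part of the original article, of the relying-party checks that give FIDO2/WebAuthn its site binding: an assertion produced while the user is on a proxy domain carries that domain's origin and is rejected. The host names, the `browser_assertion` stand-in and the result strings are hypothetical, and signature verification is deliberately left out.

```python
import hashlib
import hmac
import json

RP_ID = "login.example.ae"                      # hypothetical relying party ID
EXPECTED_ORIGIN = "https://login.example.ae"    # hypothetical legitimate origin
PROXY_ORIGIN = "https://login.example-ae.test"  # constructed look-alike proxy

def browser_assertion(page_origin, challenge):
    """Constructed stand-in for browser + authenticator output.
    The browser, not the page, records the origin the user is really on.
    Simplification: the RP ID is taken to be that origin's host."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    flags = 0x01 | 0x04                         # user present, user verified
    auth_data = (hashlib.sha256(host.encode()).digest() + bytes([flags])
                 + (1).to_bytes(4, "big"))      # rpIdHash | flags | signCount
    return client_data, auth_data

def verify_binding(client_data, auth_data, issued_challenge):
    """Relying-party checks that bind an assertion to this site and session.
    Verifying the signature over auth_data + SHA-256(client_data), which stops
    a proxy from rewriting these fields, is required in practice, omitted here."""
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        return "wrong-type"
    if not hmac.compare_digest(str(fields.get("challenge")), issued_challenge):
        return "challenge-mismatch"
    if fields.get("origin") != EXPECTED_ORIGIN:
        return "origin-mismatch"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        return "rp-id-mismatch"
    if not auth_data[32] & 0x01:
        return "user-not-present"
    return "ok"

if __name__ == "__main__":
    print(verify_binding(*browser_assertion(EXPECTED_ORIGIN, "c1"), "c1"))
    print(verify_binding(*browser_assertion(PROXY_ORIGIN, "c1"), "c1"))
```

A session cookie has no equivalent of these fields, which is why it can be lifted and reused from another machine while a WebAuthn assertion cannot.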
What should UAE VARA-licensed entities prioritise from this analysis?
VARA-licensed virtual-asset firms should prioritise three areas. First, identity hardening: phishing-resistant MFA, OAuth app governance, and continuous monitoring of authenticated sessions across Microsoft 365 and developer platforms. Second, CI/CD security: short-lived OIDC tokens, pinned action references, secret-scanning, SBOM generation, and segregation of build environments from production wallet logic. Third, third-party supply-chain risk: SBOM coverage, dependency-confusion controls, and provenance verification for every imported package or repository. These three areas map directly to the VARA Technology and Information Risk Rule and the broader TLPT and key-governance requirements.
How does AI in DevOps actually create new attack surfaces?
AI coding assistants and agentic tools introduce three new attack surfaces. Prompt injection: untrusted input embedded in code, issues, pull requests, emails or tickets can hijack an AI agent's behaviour and turn it into an attacker proxy with the developer's privileges. Output trust: AI-generated code is increasingly accepted with minimal review, embedding insecure patterns and accelerating defect propagation. Tool capability: AI agents with write access to configuration files, repository contents or cloud resources can be coerced into privileged actions that the human user would never approve. The 2025 IDEsaster, PromptPwnd, EchoLeak and "Living off AI" disclosures demonstrate each of these in production.
What is the single highest-leverage control to implement first?
For most UAE enterprises, eliminating long-lived personal access tokens and replacing them with short-lived OIDC-issued credentials is the highest-leverage single change. Long-lived tokens are the root cause behind a disproportionate share of 2025's worst breaches — JLR, Telefónica, Toptal, Home Depot, the tj-actions chain — and the remediation is well-understood and tooling-supported across GitHub, GitLab and the major cloud providers. Pair it with mandatory secret-scanning at commit and pre-receive, and you eliminate the dominant attack vector behind supply-chain compromise.
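An added example, not from the original article or any vendor's tooling, that lints a GitHub Actions workflow for the two CI/CD controls named above: action references not pinned to a full commit SHA, and static cloud keys used where OIDC role assumption would do. Both workflows, the placeholder SHA, the account ID, the role name and the secret names are constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
STATIC_KEY = re.compile(r"secrets\.(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)")
OIDC_PERM = re.compile(r"^\s*id-token:\s*write\b")
PIN = "0123456789abcdef0123456789abcdef01234567"  # constructed placeholder SHA

# Both workflows below are constructed samples, not real pipelines.
WEAK = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: me-central-1
"""

HARDENED = f"""\
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PIN}
      - uses: aws-actions/configure-aws-credentials@{PIN}
        with:
          role-to-assume: arn:aws:iam::111122223333:role/example-deploy
          aws-region: me-central-1
"""

def lint(workflow):
    findings, has_oidc = [], False
    for n, line in enumerate(workflow.splitlines(), 1):
        has_oidc = has_oidc or bool(OIDC_PERM.match(line))
        m = USES.match(line)
        # Local (./) and docker:// references are out of scope for this check.
        if m and not m.group(1).startswith(("./", "docker://")):
            if not FULL_SHA.match(m.group(1).rpartition("@")[2]):
                findings.append((n, "unpinned-action", m.group(1)))
        findings += [(n, "long-lived-secret", k) for k in STATIC_KEY.findall(line)]
    if not has_oidc and any(kind == "long-lived-secret" for _, kind, _ in findings):
        findings.append((0, "no-oidc-permission", "id-token: write"))  # 0 = file
    return findings
```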
How can organisations test their DevOps resilience without disrupting production?
Through structured purple-team exercises against the CI/CD and identity stack, combined with tabletop exercises that simulate GitHub, GitLab, AWS and Microsoft 365 outages. The objective is not to prove the controls work — it is to discover where they fail, in a controlled setting, before the attackers do. ITSEC runs these exercises regularly for UAE enterprises across financial services, healthcare, virtual assets and telecommunications, with explicit reporting against regulator-aligned control frameworks.
Where do compliance failures most commonly originate?
In the gap between documented controls and operational reality. The Illumina, Capita, Raytheon and Health Net cases all involved certifications that did not match actual control operation. UAE entities subject to VARA, DFSA, SCA, ADGM, CBUAE, DHA, ADHICS or ISR mandates should generate compliance evidence continuously — through instrumented controls, automated logging, and exception-based handling — rather than reconstructing it at audit time.
The Bottom Line for 2026
The 2025 record is unambiguous: development environments are now primary attack surfaces. AI assistants, CI/CD pipelines, identity flows, and the long-lived credentials that thread between them are where the next wave of UAE enterprise breaches will originate — unless security leaders treat them as such.
The good news is that the controls work. Phishing-resistant MFA defeats VoidProxy and Tycoon. Short-lived OIDC credentials defeat the tj-actions and nx attack patterns. Pinned action references defeat GhostAction. Continuous secret-scanning defeats the long tail of leaked tokens. AI sandboxing and human-in-the-loop review defeat IDEsaster and EchoLeak. Cloud-concentration design defeats the AWS-and-Cloudflare cascade. Each control is known, deployable, and operationally tested.
What separates the organisations that absorbed 2025 well from those that became case studies is whether they treated these controls as a mandatory baseline or as items on a roadmap. For UAE enterprises moving into 2026 — particularly those in regulated sectors where cyber resilience is increasingly a licence condition rather than a best practice — the choice is now explicit and the deadline is now.
ITSEC builds, tests and operates the architecture that closes these gaps for UAE enterprises every day. If your 2026 strategy includes any of the above — DevSecOps hardening, identity modernisation, regulator-aligned compliance, blockchain and VASP security, or full-spectrum managed SOC — let us help you design the controls, prove they operate, and document the evidence regulators are now actually testing.
Talk to ITSEC's UAE cybersecurity team: itsecnow.com/contact | Dubai-headquartered, MENA-focused, since 2011.
Analytical source: GitProtect, "2026 DevOps Threats Unwrapped Report" (April 2026). All operational interpretation, UAE regulatory mapping, and security-control framing in this article is ITSEC's own. The original report draws on publicly available status pages, vendor advisories, and reported incidents.