GitHub is being abused as a command-and-control channel by Kimsuky and ScarCruft in active campaigns targeting South Korean organizations, with raw content and API endpoints serving as C2 beaconing destinations that blend with legitimate developer traffic. No vulnerability in GitHub itself is exploited; the risk is the abuse of platform reputation to bypass network-layer controls. Organizations should scope outbound access to raw.githubusercontent.com and api.github.com by source system type, restricting it to systems with documented developer justification and alerting on non-developer endpoints making regular-interval requests to these endpoints.