Massive GitHub Phishing Attack Targets 12,000 Repositories with Fake Security Alerts

Mar 17, 2025 | News


A large-scale phishing campaign has targeted nearly 12,000 GitHub repositories, tricking developers into granting full access to their accounts and code. The attack, which is still ongoing, involves fake “Security Alert” issues warning of unauthorized login attempts.

Figure: Fake security alert issues created in GitHub repositories (Source: BleepingComputer)

How the Scam Works

The phishing messages, posted as GitHub issues, claim that there was a suspicious login attempt from Reykjavik, Iceland (IP: 53.253.117.8). The message urges users to take immediate action by updating their password, reviewing active sessions, and enabling two-factor authentication (2FA).

Figure: Fake “Security Alert” issue posted to GitHub repositories (Source: BleepingComputer)

However, all the provided links redirect to a GitHub authorization page for a malicious OAuth app named “gitsecurityapp”. If a user unknowingly grants access, the attackers gain full control over their repositories, user data, workflows, and even the ability to delete repositories.

Figure: Permissions requested by the malicious OAuth app (Source: BleepingComputer)

Dangerous Permissions Requested

The malicious OAuth app requests extensive permissions, including:

  • Full access to public and private repositories (repo)
  • Read and write access to user profiles (user)
  • Control over GitHub Actions workflows (write:workflow)
  • Ability to delete repositories (delete_repo)
  • Read organization memberships and projects (read:org)

Once authorized, the app sends an access token to a callback URL hosted on onrender.com (Render), allowing attackers to remotely control the compromised account.

Figure: OAuth authorization link with a callback to an onrender.com page (Source: BleepingComputer)
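The lure described above is recognisable from a handful of markers: an issue titled “Security Alert”, the Reykjavik IP, and a link that is really a GitHub OAuth consent URL asking for broad scopes and handing the token to a callback on a third-party host. The following script is an added example for this article (not code from the original page or from BleepingComputer) that triages issue text for those markers. The two sample issues and the client ID in them are constructed; the scope and callback checks are the author's assumptions about how such a link would look, and the `workflow` scope name is GitHub's documented one, kept alongside the article's `write:workflow`.

```python
"""Triage GitHub issues for the fake "Security Alert" OAuth-consent lure.

Added example for this article, not code from the original page or from
BleepingComputer. Markers taken from the article: the "Security Alert" title,
the Reykjavik IP 53.253.117.8, the app name "gitsecurityapp", the onrender.com
callback and the requested scopes. The two sample issues below are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Scopes the article lists for the malicious app. GitHub's documented scope for
# Actions is "workflow"; the article's "write:workflow" is kept alongside it.
HIGH_RISK_SCOPES = {"repo", "user", "write:workflow", "workflow", "delete_repo", "read:org"}
# Callback host reported in the article; extend this set for other campaigns.
SUSPICIOUS_CALLBACK_DOMAINS = {"onrender.com"}
LURE_IP = "53.253.117.8"
LURE_APP_NAME = "gitsecurityapp"
URL_RE = re.compile(r"""https?://[^\s)\]>"']+""")


@dataclass
class Finding:
    reasons: list = field(default_factory=list)
    scopes: set = field(default_factory=set)
    callback_hosts: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _host_in(host: str, domains: set) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_authorize_url(url: str, finding: Finding) -> None:
    """Record scopes and callback host if `url` is a GitHub OAuth consent link."""
    p = urlparse(url)
    if p.netloc.lower() != "github.com" or not p.path.startswith("/login/oauth/authorize"):
        return
    q = parse_qs(p.query)
    scopes = set()
    for raw in q.get("scope", []):            # GitHub separates scopes with spaces
        scopes.update(s for s in re.split(r"[ ,]+", raw.strip()) if s)
    finding.scopes |= scopes
    risky = scopes & HIGH_RISK_SCOPES
    if risky:
        finding.reasons.append(f"consent link requests high-risk scopes {sorted(risky)}")
    for redirect in q.get("redirect_uri", []):
        host = urlparse(redirect).netloc
        finding.callback_hosts.add(host)
        if _host_in(host, SUSPICIOUS_CALLBACK_DOMAINS):
            finding.reasons.append(f"token callback goes to third-party host {host}")


def analyse_issue(title: str, body: str) -> Finding:
    """Return a Finding listing every reason an issue looks like the phishing lure."""
    finding = Finding()
    text = f"{title}\n{body}"
    if "security alert" in title.lower() and re.search(
            r"unauthori[sz]ed|suspicious|unusual", body, re.I):
        finding.reasons.append("title and body match the fake security-alert lure")
    if LURE_IP in text:
        finding.reasons.append(f"mentions the lure IP {LURE_IP}")
    if LURE_APP_NAME in text.lower():
        finding.reasons.append(f"mentions the malicious app name {LURE_APP_NAME}")
    for url in URL_RE.findall(text):
        analyse_authorize_url(url, finding)
    return finding


# Constructed sample issues (not real issue text; EXAMPLE_CLIENT_ID is a placeholder).
PHISH_TITLE = "Security Alert: Unauthorized login attempt"
PHISH_BODY = (
    "We detected an unauthorized login attempt from Reykjavik, Iceland (IP: 53.253.117.8).\n"
    "Update your password, review active sessions and enable 2FA here:\n"
    "https://github.com/login/oauth/authorize?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample-app.onrender.com%2Fcallback"
    "&scope=repo%20user%20write%3Aworkflow%20delete_repo%20read%3Aorg\n"
)
BENIGN_TITLE = "Bug: crash when the config file is empty"
BENIGN_BODY = "Reproduced on main; see https://github.com/example-org/example-repo/pull/12 for a fix."

if __name__ == "__main__":
    for title, body in ((PHISH_TITLE, PHISH_BODY), (BENIGN_TITLE, BENIGN_BODY)):
        f = analyse_issue(title, body)
        print(title, "->", "SUSPICIOUS" if f.suspicious else "ok", f.reasons)
```

The useful signal here is not the lure wording, which an attacker can change freely, but the consent URL itself: any issue or comment linking to `github.com/login/oauth/authorize` with `repo`, `delete_repo` or `workflow` scopes and a callback outside your own infrastructure deserves a look regardless of what the surrounding text says.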


GitHub’s Response and Ongoing Attack

The phishing campaign was first reported by cybersecurity researcher Luc4m. Since its detection, GitHub has been actively working to remove fraudulent issues, but the attack is still ongoing. The number of affected repositories fluctuates as GitHub takes action.

How to Protect Your GitHub Account

If you mistakenly granted access to the malicious OAuth app, take the following steps immediately:

  1. Revoke the OAuth app’s access
    • Go to GitHub Settings > Applications
    • Look for any unfamiliar or suspicious OAuth apps (e.g., “gitsecurityapp”) and revoke their access
  2. Review your GitHub Actions and private gists
    • Check for unauthorized workflows in GitHub Actions
    • Look for unexpected private gists that may contain stolen data
  3. Rotate your credentials
    • Reset your GitHub password
    • Revoke and regenerate all authorization tokens
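Step 2 of the procedure above is tedious to do by hand across many repositories. The script below is an added example for this article (not code from the original page or from GitHub) that pulls the account's gists and each repository's Actions workflows through the documented GitHub REST endpoints `GET /gists`, `GET /user/repos` and `GET /repos/{owner}/{repo}/actions/workflows`, and lists the private gists and workflows created after a cutoff date. The `fetch` callable is injected so the same filtering runs offline on the constructed sample responses; the cutoff date and the sample repository, gist and workflow names are assumptions. Revoking the app itself (step 1) is done in Settings > Applications as the article describes.

```python
"""Post-authorization review: list private gists and Actions workflows created
after a cutoff date, using the GitHub REST API.

Added example for this article, not code from the original page or from GitHub.
Endpoints used: GET /gists, GET /user/repos, GET /repos/{owner}/{repo}/actions/workflows.
The `fetch` callable is injected so the filtering logic runs offline on the
constructed sample responses below.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

API = "https://api.github.com"


def github_fetch(token: str):
    """Return a fetch(path) callable that calls the live GitHub API with `token`."""
    def fetch(path: str):
        req = urllib.request.Request(API + path, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def _parse_ts(value: str) -> datetime:
    # Gists use "...Z"; workflow objects may carry an explicit offset such as "-08:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def review_account(fetch, since: datetime) -> dict:
    """Return private gists and workflows created at or after `since` (UTC)."""
    private_gists = [
        {"id": g["id"], "url": g["html_url"], "created_at": g["created_at"]}
        for g in fetch("/gists")
        if not g["public"] and _parse_ts(g["created_at"]) >= since
    ]
    new_workflows = []
    # Only the first page of repositories is fetched; add pagination for large accounts.
    for repo in fetch("/user/repos?per_page=100"):
        data = fetch(f"/repos/{repo['full_name']}/actions/workflows")
        for wf in data.get("workflows", []):
            if _parse_ts(wf["created_at"]) >= since:
                new_workflows.append({"repo": repo["full_name"], "path": wf["path"],
                                      "state": wf["state"], "url": wf["html_url"]})
    return {"private_gists": private_gists, "new_workflows": new_workflows}


# Constructed sample responses, shaped like the real endpoints' JSON (not real data).
SAMPLE_RESPONSES = {
    "/gists": [
        {"id": "g1", "public": True, "created_at": "2024-06-01T10:00:00Z",
         "html_url": "https://gist.github.com/example-user/g1"},
        {"id": "g2", "public": False, "created_at": "2025-03-16T22:10:00Z",
         "html_url": "https://gist.github.com/example-user/g2"},
    ],
    "/user/repos?per_page=100": [{"full_name": "example-user/example-repo"}],
    "/repos/example-user/example-repo/actions/workflows": {
        "total_count": 2,
        "workflows": [
            {"id": 1, "name": "CI", "path": ".github/workflows/ci.yml", "state": "active",
             "created_at": "2023-01-08T23:48:37.000-08:00",
             "html_url": "https://github.com/example-user/example-repo/blob/main/.github/workflows/ci.yml"},
            {"id": 2, "name": "sync", "path": ".github/workflows/sync.yml", "state": "active",
             "created_at": "2025-03-16T14:12:00.000-08:00",
             "html_url": "https://github.com/example-user/example-repo/blob/main/.github/workflows/sync.yml"},
        ],
    },
}


def sample_fetch(path: str):
    return SAMPLE_RESPONSES[path]


# Assumed cutoff for the sample run: a few days before the campaign was reported.
CUTOFF = datetime(2025, 3, 14, tzinfo=timezone.utc)

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    fetch = github_fetch(token) if token else sample_fetch
    print(json.dumps(review_account(fetch, CUTOFF), indent=2))
```

Run it with a freshly generated token in `GITHUB_TOKEN` after revoking the app and rotating credentials (step 3), so that the review itself does not depend on a token the attacker may still hold; without the variable it runs on the sample data. Anything it lists that you do not recognise should be read as a possible exfiltration artefact (gist) or persistence mechanism (workflow) and removed.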

Source: bleepingcomputer.com