A Sophisticated Phishing Scheme Exploiting GitHub OAuth
A large-scale phishing campaign has recently targeted nearly 12,000 GitHub repositories, tricking developers with fake security alerts. The attackers used fraudulent “Security Alert” issues to lure victims into authorizing a malicious OAuth application, which granted them full control over affected GitHub accounts and their repositories.
The phishing messages falsely claimed that GitHub detected an “Unusual Access Attempt” from Reykjavik, Iceland (IP: 53.253.117.8). They urged users to take immediate action by clicking on links that supposedly led to security settings but instead redirected them to authorize a malicious OAuth app called “gitsecurityapp.”
This campaign, first spotted by cybersecurity researcher Luc4m, involved links that requested excessive permissions, including full repository access, user profile modifications, organization details, discussion rights, and even repository deletion capabilities.
Once a victim authorized the app, an OAuth access token for it was issued and sent to an attacker-controlled web service hosted on Render. With that token, attackers could manipulate repositories, exfiltrate sensitive code, and even insert malicious modifications into open-source projects.
The attack started early in the morning (6:52 AM ET) and remains active. However, the fluctuating number of affected repositories suggests GitHub is actively responding.
How to Protect Your GitHub Account
If you accidentally authorized this malicious app, take the following steps immediately:
- Revoke Access: Go to GitHub Settings > Applications, and remove any suspicious OAuth apps, particularly those named “gitsecurityapp.”
- Check for Unusual Activity: Review your GitHub Actions (Workflows) and ensure that no unexpected private gists were created.
- Rotate Credentials: Update your passwords, API tokens, and SSH keys to prevent further unauthorized access.
- Enable Two-Factor Authentication (2FA): Strengthen your account security by requiring an extra layer of verification.
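The "Check for Unusual Activity" step above can be scripted. The following is an added example, not code from the article or from GitHub: it runs the two checks over the JSON that GitHub's REST API returns for a user's gists and a repository's workflow runs, flagging private gists created after a chosen window start and workflow runs started through the API rather than by a push (a stolen token acts as the victim, so the triggering actor would look normal). The sample data and the window timestamp are constructed placeholders.

```python
"""Triage helpers for the "Check for Unusual Activity" step above.

Input shapes follow GitHub's REST API:
  GET /gists                              -> list of gist objects
  GET /repos/{owner}/{repo}/actions/runs  -> {"workflow_runs": [...]}
Sample data and the time window are constructed, not taken from the incident.
"""
from datetime import datetime, timezone


def parse_ts(ts: str) -> datetime:
    """GitHub timestamps are UTC in the form "2025-03-16T10:52:00Z"."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_gists(gists: list, since: datetime) -> list:
    """IDs of private gists created at or after `since`; a token with gist
    scope can create these silently, so unrecognised ones deserve a look."""
    return [g["id"] for g in gists
            if not g["public"] and parse_ts(g["created_at"]) >= since]


def suspicious_runs(runs_payload: dict, since: datetime) -> list:
    """IDs of runs since `since` started through the API/UI rather than a push.
    A stolen token acts as the victim, so `triggering_actor` would just show the
    owner's own login; the event type is the useful discriminator."""
    api_events = {"workflow_dispatch", "repository_dispatch"}
    return [r["id"] for r in runs_payload["workflow_runs"]
            if r["event"] in api_events and parse_ts(r["created_at"]) >= since]


def triage(gists: list, runs_payload: dict, since: datetime) -> dict:
    """Combine both checks into one report for the account owner to review."""
    return {"private_gists": suspicious_gists(gists, since),
            "manual_runs": suspicious_runs(runs_payload, since)}


# Constructed sample: one old public gist, one fresh private gist, one manual run.
SINCE = parse_ts("2025-03-16T10:52:00Z")  # placeholder window start, not the real date
SAMPLE_GISTS = [
    {"id": "aaa1", "public": True, "created_at": "2025-03-10T09:00:00Z"},
    {"id": "bbb2", "public": False, "created_at": "2025-03-16T11:05:00Z"},
]
SAMPLE_RUNS = {"workflow_runs": [
    {"id": 1, "event": "push", "created_at": "2025-03-16T11:00:00Z"},
    {"id": 2, "event": "workflow_dispatch", "created_at": "2025-03-16T11:10:00Z"},
]}

if __name__ == "__main__":
    print(triage(SAMPLE_GISTS, SAMPLE_RUNS, SINCE))  # {'private_gists': ['bbb2'], 'manual_runs': [2]}
```

Set `SINCE` to when you believe the app was authorized and feed in the live API responses; anything flagged should be deleted or cancelled and then noted for the credential rotation step.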
GitHub has been contacted regarding the phishing attack, and updates are expected as they respond to the incident.
What Undercode Says:
This phishing attack is a classic example of how cybercriminals exploit trust and urgency to compromise accounts. By disguising their scam as a security alert, attackers manipulate victims into acting impulsively, effectively bypassing traditional security measures.
Why Was This Attack Effective?
- Social Engineering Tactics – The fake security warning preyed on users’ fear of unauthorized access, compelling them to act immediately.
- OAuth Exploitation – By requesting broad permissions, attackers could perform multiple malicious actions within compromised accounts.
- Legitimate GitHub Interface – The phishing links directed victims to an actual GitHub authorization page, reducing suspicion.
Potential Consequences for Developers
- Loss of Intellectual Property: Attackers can clone or steal proprietary source code.
- Malware Injection into Open-Source Projects: A compromised repository could be modified to distribute malicious code to unsuspecting users.
- Reputation Damage: Developers and organizations using these repositories may lose credibility if their code is compromised.
How GitHub Can Improve Security
To mitigate similar threats, GitHub could introduce:
- Stricter OAuth Permission Reviews – Alerting users if an app requests excessive access.
- AI-Powered Phishing Detection – Automatically flagging and removing fraudulent repository issues.
- Enhanced User Verification – Implementing secondary authentication before allowing OAuth app approvals.
This attack serves as a warning for developers to remain vigilant and never approve OAuth applications without verifying their legitimacy.
Fact Checker Results:
- The attack targeted nearly 12,000 repositories, indicating a large-scale operation.
- The phishing messages used a real GitHub authorization page, making detection harder.
- GitHub is actively responding, but users must take action to secure their accounts.
References:
Reported By: https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/