
Gitloker Attacks Exploit GitHub Notifications to Push Malicious OAuth Apps

Updated on June 11, 2024



Threat actors are impersonating GitHub’s security and recruitment teams in phishing attacks designed to hijack repositories through malicious OAuth apps. This ongoing extortion campaign has been wiping compromised repositories.

Since February, dozens of developers have received deceptive job offers or security alert emails from “[email protected].” These emails were sent after victims were tagged in spam comments and added to random repository issues or pull requests via compromised GitHub accounts.


The phishing emails direct recipients to fake landing pages at githubcareers[.]online or githubtalentcommunity[.]online, as identified by CronUp security researcher Germán Fernández. On these pages, users are prompted to sign into their GitHub accounts and authorize a new OAuth app requesting access to private repositories, personal user data, and the ability to delete any repository with admin access, among other permissions.

Victims of these attacks report having their accounts disabled and losing access to all repositories, likely because their accounts were reported for spam. Once attackers gain access to repositories, they wipe their contents, rename them, and add a README.me file instructing victims to contact them on Telegram to recover the data. The attackers claim to have stolen the victims’ data before destroying it and offer a backup that could restore the wiped repositories.

GitHub staff have been addressing community discussions about these attacks since February, explaining that the campaign exploits GitHub’s mention and notification functionality. They urge targeted users to report the malicious activity using GitHub’s abuse reporting tools.


A GitHub community manager stated, “We understand the inconvenience caused by these notifications. Our teams are currently working on addressing these unsolicited phishing notifications. We remind our users to use our abuse reporting tools to report any abusive or suspicious activity. This is a phishing campaign and not the result of a compromise of GitHub or its systems.”

GitHub staff advised users to take the following precautions to protect their accounts:

  • Do not click any links or reply to these notifications; report them instead.
  • Never authorize unknown OAuth apps, as they can expose your GitHub account and data to third parties.
  • Periodically review your authorized OAuth apps.
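The last two precautions come down to reading the consent request before approving it. As an added example (not code from the article, GitHub, or the campaign), the helper below breaks a GitHub OAuth consent link into its requested scopes and flags the ones that grant the kind of access the article describes; the scope-to-consequence table and the sample link are assumptions constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Assumed table mapping documented GitHub OAuth scopes to what granting them
# would hand an unknown app (private repos, personal data, deletion rights).
RISKY_SCOPES = {
    "repo": "full read/write access to all private repositories",
    "delete_repo": "ability to delete any repository you administer",
    "user": "read/write access to profile and personal data",
    "admin:org": "full control of organizations and teams",
    "workflow": "ability to modify GitHub Actions workflow files",
}


def inspect_authorize_url(url: str) -> dict:
    """Break down a GitHub OAuth consent link before it is approved.

    Reports whether the link really points at GitHub's consent endpoint,
    which scopes are requested, and which of those are high-impact.
    """
    parts = urlparse(url)
    on_github = (
        parts.scheme == "https"
        and parts.hostname == "github.com"
        and parts.path == "/login/oauth/authorize"
    )
    query = parse_qs(parts.query)
    # GitHub accepts scopes separated by spaces or commas; normalise both.
    raw = " ".join(query.get("scope", []))
    scopes = [s for s in raw.replace(",", " ").split() if s]
    risky = {s: RISKY_SCOPES[s] for s in scopes if s in RISKY_SCOPES}
    return {
        "on_github": on_github,
        "client_id": query.get("client_id", [""])[0],
        "scopes": scopes,
        "risky": risky,
        # A consent page that is not GitHub's, or an app asking to delete
        # repositories, is a deny for an app you did not expect.
        "recommend_deny": (not on_github) or "delete_repo" in risky,
    }


if __name__ == "__main__":
    # Constructed sample link requesting the permission set the article describes.
    sample = ("https://github.com/login/oauth/authorize?client_id=EXAMPLE_ID"
              "&scope=repo%20user%20delete_repo&redirect_uri=https%3A%2F%2Fexample.test%2Fcb")
    report = inspect_authorize_url(sample)
    for scope, consequence in report["risky"].items():
        print(f"{scope}: {consequence}")
    print("deny" if report["recommend_deny"] else "review")
```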

In September 2020, GitHub warned of another phishing campaign using emails with fake CircleCI notifications to steal GitHub credentials and two-factor authentication (2FA) codes through reverse proxies.

As always, users are urged to stay vigilant and follow security best practices to protect their accounts and data from such threats.


Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
