Attack

Phishing campaign targeting developers via GitHub uses OAuth app to hijack accounts

Take action: If you get an email message from GitHub about security issues, don't click on any link in the email. Visit GitHub directly, and use the web interface to reset your password and review authorized OAuth apps under GitHub Settings > Applications. And NEVER trust an OAuth app that requests sweeping permissions. It's a scam.


Learn More

A phishing campaign has been discovered targeting GitHub users, affecting nearly 12,000 repositories with fake "Security Alert" issues. The campaign, identified on March 16, 2025, tries to trick developers into authorizing a malicious OAuth application that grants attackers comprehensive control over victims' accounts and code repositories.

The attackers create fake GitHub issues on public repositories with a warning message claiming to have detected unusual login activity from Reykjavik, Iceland, originating from IP address 53.253.117. By design, any issue created on a repository is sent to the repository owner as a notification email from a genuine GitHub address, which lends credibility to the scam.

The phishing message encourages users to update their passwords, review active sessions, and enable two-factor authentication, all seemingly legitimate security recommendations. However, every link provided directs victims to authorize a malicious OAuth app named "gitsecurityapp."

When users authorize this application, it requests extensive permissions that provide attackers with dangerous levels of access:

  • repo: Full access to public and private repositories
  • user: Ability to read and write to the user profile
  • read:org: Read organization membership, organization projects, and team membership
  • read:discussion, write:discussion: Read and write access to discussions
  • gist: Access to GitHub gists
  • delete_repo: Permission to delete repositories
  • workflows, workflow, write:workflow, read:workflow, update:workflow: Control over GitHub Actions workflows

If a user authorizes the app, an access token is generated and sent to the app's callback address, which in this campaign has pointed at various web pages hosted on onrender.com.
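The consent link in such a message carries the requested scopes and the callback address in its query string, so both can be inspected before clicking "Authorize". The following is an added example, not code from the advisory or from GitHub: it parses a GitHub OAuth authorize URL, flags the scopes listed above that hand over control of code or CI, and flags a token callback on the throwaway hosting this campaign used. The risk grouping and the hosting list are this example's own assumptions, and the sample URL is constructed.

```python
# Added example (not the advisory's code): scope groupings below are this
# example's own judgement, and the hosting-provider list is a constructed sample.
from urllib.parse import urlparse, parse_qs

# Scopes that hand an attacker control of code or CI, as in the campaign above.
HIGH_RISK_SCOPES = {
    "repo": "full read/write on all public and private repositories",
    "delete_repo": "can delete repositories",
    "workflow": "can modify GitHub Actions workflows (runs attacker code in CI)",
    "write:workflow": "can write GitHub Actions workflows",
    "update:workflow": "can update GitHub Actions workflows",
}
# Scopes that expose data or identity but not code integrity.
MEDIUM_RISK_SCOPES = {"user", "gist", "write:discussion", "read:org"}
# Free hosting seen serving throwaway callback pages in this campaign (sample).
DISPOSABLE_CALLBACK_HOSTS = ("onrender.com",)

def parse_scopes(raw_values):
    """GitHub accepts space- or comma-separated scopes; normalise both forms."""
    scopes = set()
    for raw in raw_values:
        scopes.update(s for s in raw.replace(",", " ").split() if s)
    return scopes

def analyze_authorize_url(url):
    """Explain why an OAuth authorization link deserves suspicion before clicking."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    findings = []
    # A genuine GitHub consent screen is always served from github.com over HTTPS.
    if (parsed.scheme != "https" or (parsed.hostname or "").lower() != "github.com"
            or parsed.path != "/login/oauth/authorize"):
        findings.append("not the genuine github.com OAuth consent endpoint")
    scopes = parse_scopes(qs.get("scope", []))
    high = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    medium = sorted(s for s in scopes if s in MEDIUM_RISK_SCOPES)
    findings.extend(f"scope {s}: {HIGH_RISK_SCOPES[s]}" for s in high)
    # Where the token will be delivered once the user clicks "Authorize".
    host = (urlparse(qs.get("redirect_uri", [""])[0]).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in DISPOSABLE_CALLBACK_HOSTS):
        findings.append(f"token callback {host} is on disposable hosting")
    verdict = "HIGH" if high else ("MEDIUM" if medium else "LOW")
    return {"verdict": verdict, "high": high, "medium": medium,
            "redirect_host": host, "findings": findings}

# Constructed link mirroring the scopes listed in the advisory above.
SAMPLE_SCAM_URL = ("https://github.com/login/oauth/authorize?client_id=EXAMPLE"
                   "&scope=repo,user,read:org,gist,delete_repo,workflow"
                   "&redirect_uri=https://example-app.onrender.com/callback")
```

Running `analyze_authorize_url(SAMPLE_SCAM_URL)` yields a HIGH verdict with one finding per dangerous scope plus the disposable-callback warning; a link requesting only `read:user` with a first-party callback yields LOW and no findings.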

The phishing campaign began at 6:52 AM ET on March 16 and is ongoing, though the fluctuating number of affected repositories suggests GitHub is actively responding to the attack. Cybersecurity researcher Luc4m was the first to identify and report the fake security alerts.

Users who may have been affected by this attack should take immediate remedial steps:

  1. Revoke access to the malicious OAuth app by going to GitHub Settings > Applications and removing any suspicious apps, particularly those resembling 'gitsecurityapp'
  2. Check for unexpected GitHub Actions (Workflows) that may have been created
  3. Verify whether private gists were created without authorization
  4. Rotate all credentials and authorization tokens