Fake Security Alert Scam: How Phishers Hijacked GitHub Accounts via OAuth App
A recent phishing campaign has targeted nearly 12,000 GitHub repositories using a fake "Security Alert" issue that tricked developers into authorizing a malicious OAuth app. Learn how to defend against this type of attack and keep your GitHub account secure.
A phishing campaign has targeted nearly 12,000 GitHub repositories with a fake "Security Alert" issue.
The campaign used the same text in all its fake security alerts to trick users into authorizing a malicious OAuth app.
The malicious OAuth app requested full access to public and private repositories and control over GitHub Actions workflows.
Anyone who authorized the app should immediately revoke its access under GitHub Settings > Applications, then check their repositories, workflows, keys and tokens for changes made while the attacker had access.
To defend against similar attacks, treat unsolicited security alerts with suspicion, inspect the permissions any OAuth authorization page asks for before approving it, and regularly review the apps authorized on the account.
A recent phishing campaign targeted nearly 12,000 GitHub repositories using a fake "Security Alert" issue that tricked developers into authorizing a malicious OAuth app. The campaign began at 6:52 AM ET and was still ongoing at the time of writing. Every fake alert used the same text, warning users of unusual activity on their account from Reykjavik, Iceland, and the IP address 53.253.117.8. Because the alert was posted as an issue on the targeted repository, the notification reached users through GitHub's own email and in-app notifications, which lent it credibility it would not have had as a plain phishing email.
Cybersecurity researcher Luc4m was one of the first to spot the fake alert. It told GitHub users that their account had been breached and that they should update their password, review and manage active sessions, and enable two-factor authentication. All of the links for these recommended actions, however, led to a GitHub authorization page for an OAuth app named "gitsecurityapp" that requested a dangerous set of permissions.
The malicious OAuth app requested full access to public and private repositories, the ability to read and write the user profile, and control over GitHub Actions workflows. If a user logged in and approved the app, GitHub redirected the browser to the app's registered callback URL with an authorization code; the attacker's server exchanges that code for an access token carrying every approved scope, and from then on can act on the account without the victim's password or second factor. In this campaign the callback addresses were various web pages hosted on onrender.com (Render).
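The attack hinged on victims never reading the authorize URL or the consent screen. The following is an added example, not code from the article or from GitHub, that triages links found in an alert or issue body: it recognises GitHub OAuth authorization links, lists the requested scopes, flags the high-impact ones, and checks whether the callback host is one the reader trusts. The sample alert text, the client_id value and the callback hostname are constructed for the example; the scope names are GitHub's published OAuth scope names, and the severity labels are the example's own.

```python
"""Triage links in a suspected phishing alert for risky GitHub OAuth grants.

Added example, not code from the original article or from GitHub. The sample
alert below is constructed; its client_id and callback host are placeholders.
"""
import re
from urllib.parse import urlsplit, parse_qs

# GitHub OAuth scope names that give an app persistent, high-impact access.
# The descriptions are this example's summaries of GitHub's scope docs.
HIGH_RISK_SCOPES = {
    "repo": "full read/write on all public and private repositories",
    "workflow": "add or update GitHub Actions workflow files",
    "delete_repo": "delete repositories",
    "admin:org": "full organization administration",
    "admin:public_key": "manage SSH keys",
    "admin:repo_hook": "manage repository webhooks",
    "write:packages": "publish packages",
    "user": "read/write the user profile",
}

GITHUB_AUTHORIZE_PATH = "/login/oauth/authorize"
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed sample; mirrors the campaign's lure text but uses placeholder
# client_id and callback values.
SAMPLE_ALERT = """Security Alert: Unusual Access Attempt
We detected unusual activity on your account from Reykjavik, Iceland (53.253.117.8).
Update your password: https://github.com/login/oauth/authorize?client_id=CLIENT_ID_PLACEHOLDER&redirect_uri=https%3A%2F%2Fexample-callback.onrender.com%2Fcb&scope=repo%20workflow%20user
Learn more: https://docs.github.com/en/authentication
"""


def extract_links(text):
    """Return every http(s) URL found in a block of text such as an issue body."""
    return URL_RE.findall(text)


def analyse_authorize_url(url, trusted_callback_hosts=()):
    """Describe what a GitHub OAuth authorize link asks for.

    Returns None when the URL is not a GitHub OAuth authorization link.
    Otherwise returns the client_id, requested scopes, the subset that is
    high risk, the callback host, and whether that host is on the allowlist.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() != "github.com" or parts.path != GITHUB_AUTHORIZE_PATH:
        return None
    qs = parse_qs(parts.query)
    # GitHub accepts either space- or comma-separated scope lists.
    raw_scope = " ".join(qs.get("scope", []))
    scopes = [s for s in re.split(r"[\s,]+", raw_scope) if s]
    redirect = qs.get("redirect_uri", [""])[0]
    callback_host = urlsplit(redirect).netloc.lower()
    trusted = {h.lower() for h in trusted_callback_hosts}
    return {
        "client_id": qs.get("client_id", [""])[0],
        "scopes": scopes,
        "risky_scopes": {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES},
        "callback_host": callback_host,
        "callback_trusted": callback_host in trusted,
    }


def triage_alert(text, trusted_callback_hosts=()):
    """Scan alert text and return a finding for each OAuth authorization link.

    Verdicts: "block" for high-risk scopes going to an unknown callback host,
    "review" for high-risk scopes to a trusted host, "low" otherwise.
    """
    findings = []
    for link in extract_links(text):
        info = analyse_authorize_url(link, trusted_callback_hosts)
        if info is None:
            continue
        info["url"] = link
        if info["risky_scopes"] and not info["callback_trusted"]:
            info["verdict"] = "block"
        elif info["risky_scopes"]:
            info["verdict"] = "review"
        else:
            info["verdict"] = "low"
        findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in triage_alert(SAMPLE_ALERT):
        print(finding["verdict"], finding["callback_host"], sorted(finding["risky_scopes"]))
```

The check is deliberately conservative: a legitimate CI or code-review integration also asks for `repo`, so the scope list alone is not proof of phishing, but `repo` plus `workflow` sent to a callback host nobody in the organization recognises is exactly the combination this campaign used and deserves a block rather than a click.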
Nearly 12,000 repositories were targeted when the campaign began, but the number has fluctuated since, which suggests GitHub is removing the issues as it responds. Anyone who was targeted and mistakenly authorized the app should immediately revoke its access under GitHub Settings > Applications (the Authorized OAuth Apps tab). Revocation only cuts off future use of the token; it does not undo anything done while the token was valid. The scopes this app requested would have allowed the attacker to push commits, add or alter GitHub Actions workflows, and change profile details, so affected users should also review recent commits and workflow files in their repositories, check for unexpected webhooks, deploy keys, SSH keys and collaborators, and rotate any secrets stored in repository or organization settings.
To defend against this type of attack, treat unsolicited security alerts with suspicion, especially ones that arrive as issues or comments rather than from GitHub's own security notifications. Before approving any OAuth app, read the authorization page: the requested scopes and the app name are shown there, and an app asking for full repository and workflow access in order to "review active sessions" makes no sense. Periodically audit the apps authorized on the account and remove any that are unfamiliar or no longer needed.
This attack is a clear example of how phishing campaigns use social engineering to get users to authorize malicious OAuth apps, which hand attackers full control of the account and its code without ever touching a password or second factor. Vigilance when an unexpected security alert arrives, and a habit of reading the consent screen before clicking "Authorize", are the controls that stop it.
Published: Sun Mar 16 13:46:05 2025 by llama3.2 3B Q4_K_M


