A recent phishing campaign has targeted nearly 12,000 GitHub repositories by creating fake "Security Alert" issues. These alerts deceive developers into authorizing a malicious OAuth application, granting attackers complete control over their accounts and code repositories.

Details of the Phishing Campaign

The phishing issues falsely warn users of unusual activity on their GitHub accounts, allegedly from Reykjavik, Iceland, using the IP address 53.253.117.8. The alerts prompt users to update their passwords, review active sessions, and enable two-factor authentication. However, all links redirect to a GitHub authorization page for a malicious OAuth app named "gitsecurityapp."

OAuth App Permissions

The malicious OAuth app requests extensive permissions that allow attackers to:

  • repo: Access both public and private repositories fully.
  • user: Read and write to the user profile.
  • read:org: Access organization membership and projects.
  • read:discussion, write:discussion: Manage discussions.
  • gist: Access GitHub gists.
  • delete_repo: Delete repositories.
  • workflows: Control GitHub Actions workflows.

Impact and Response

Once a user authorizes the OAuth app, an access token is generated and sent to a callback address hosted on onrender.com. The campaign began at 6:52 AM ET and, at the time of writing, is still targeting repositories while GitHub's response efforts are ongoing.

Steps for Affected Users

If you authorized the malicious app, immediately revoke its access by navigating to GitHub Settings and then Applications. Revoke any suspicious GitHub Apps or OAuth apps, particularly those resembling 'gitsecurityapp.' Check for unexpected GitHub Actions or private gists and rotate your credentials and tokens.
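For maintainers who want to triage incoming issues for this pattern before anyone clicks, the following is an added example (not from the article, and not GitHub's own tooling) that flags issue bodies containing a GitHub OAuth authorize link for an unknown client_id, high-risk scopes such as those listed above, or a token callback to a non-GitHub host. The sample issue text, the client_id and the onrender.com subdomain are constructed placeholders; GitHub's actual scope name for Actions is `workflow`.

```python
import re
from urllib.parse import urlparse, parse_qs

# Scopes that hand a third party control of code, repositories or CI.
HIGH_RISK_SCOPES = {"repo", "delete_repo", "workflow", "user", "gist", "write:discussion"}
AUTHORIZE_PATH = "/login/oauth/authorize"
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")

# Constructed sample texts modelled on the campaign; client_id and callback host are placeholders.
SAMPLE_PHISHING_ISSUE = (
    "Security Alert: Unusual Access Attempt\n"
    "We detected a login from Reykjavik, Iceland. Please update your password:\n"
    "https://github.com/login/oauth/authorize?client_id=PLACEHOLDER_CLIENT_ID"
    "&scope=repo%20user%20delete_repo%20workflow"
    "&redirect_uri=https%3A%2F%2Fexample-callback.onrender.com%2Fcb\n"
)
SAMPLE_BENIGN_ISSUE = "Bug: link https://github.com/example/repo/issues/1 in the README is dead"


def extract_oauth_authorizations(text):
    """Return one dict per GitHub OAuth authorize link found in text."""
    found = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.netloc.lower() != "github.com" or parsed.path != AUTHORIZE_PATH:
            continue
        qs = parse_qs(parsed.query)  # decodes %20 / + to spaces in the scope list
        scopes = set()
        for value in qs.get("scope", []):
            scopes.update(s for s in re.split(r"[ ,]+", value) if s)
        redirect = qs.get("redirect_uri", [""])[0]
        found.append({
            "client_id": qs.get("client_id", [""])[0],
            "scopes": scopes,
            "redirect_host": urlparse(redirect).netloc.lower(),
        })
    return found


def assess_issue(body, allowed_client_ids=frozenset()):
    """Return (verdict, reasons); allowed_client_ids is an allowlist of OAuth apps you trust."""
    reasons = []
    for auth in extract_oauth_authorizations(body):
        if auth["client_id"] not in allowed_client_ids:
            reasons.append("OAuth authorize link for unknown client_id " + (auth["client_id"] or "<none>"))
        risky = auth["scopes"] & HIGH_RISK_SCOPES
        if risky:
            reasons.append("requests high-risk scopes: " + ", ".join(sorted(risky)))
        if auth["redirect_host"] and not auth["redirect_host"].endswith("github.com"):
            reasons.append("token callback goes to third-party host " + auth["redirect_host"])
    if reasons and re.search(r"unusual activity|security alert", body, re.I):
        reasons.append("security-alert wording combined with an OAuth grant request")
    return ("PHISHING-LIKELY" if reasons else "clean"), reasons
```

Feed it the `body` field of issues fetched from the repository's issues API, and route anything scored PHISHING-LIKELY to a lock-and-report step rather than to the notification queue.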
