A phishing operation has compromised close to 12,000 GitHub repositories by posting fake “Security Alert” issues. The campaign deceives developers into granting authorisation to a rogue OAuth application, allowing cybercriminals to seize complete control over their accounts and repositories, BleepingComputer reported. Every issue warns users of suspicious activity from Reykjavik, Iceland, linked to the IP address 53.253.117.8.

GitHub, a widely used platform for software development version control, allows developers to collaborate on projects efficiently. It hosts millions of repositories containing both public and private code, making it an attractive target for cybercriminals seeking valuable data or the ability to disrupt projects.

Cybersecurity expert Luc4m was the first to identify these deceptive security alerts on the platform. The fake alerts advise users to change their passwords, review active sessions, and enable two-factor authentication for enhanced security. However, links provided in these instructions redirect users to an authorisation page for a malicious OAuth application labelled “gitsecurityapp.” This app seeks extensive permissions that could grant full access to users’ accounts and repositories.

OAuth (Open Authorisation) is a standard protocol that allows applications to request delegated access to a user’s data without the user sharing credentials such as passwords. While OAuth is designed to enhance security by letting users grant only limited, scoped permissions, it can be abused if users are tricked into authorising a malicious app: the consent screen is genuine, but the app behind it is not.

Wide-ranging permissions sought

The permissions requested by the rogue app include full access to both public and private repositories, the ability to read and modify the user’s profile, and privileges over GitHub Actions workflows. If a user authorises the app, GitHub generates an access token and sends it to the application’s callback address, which points to various web pages hosted on Render.
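The practical lesson of the two paragraphs above is that the consent screen itself is legitimate, so the only thing a developer can inspect before clicking is the authorisation link. The following script is an added example (not code from the article, BleepingComputer, or GitHub) that parses a GitHub OAuth authorisation URL and reports what the app is asking for. The scope names in the table (`repo`, `user`, `workflow`, and so on) are GitHub’s real OAuth scopes; the sample URLs, client IDs and redirect hosts are constructed placeholders and do not reproduce the campaign’s actual values.

```python
"""Triage a GitHub OAuth authorisation link before approving it.

Added example, not from the article. Given the link a "security alert"
asks you to open, extract the client_id, the requested scopes and the
redirect_uri, and explain in plain language what approving it would hand
over. Sample URLs below are constructed; the scope names are GitHub's.
"""
from urllib.parse import urlparse, parse_qs

# Real GitHub OAuth scopes that hand an app broad control; the text is the
# reason shown to the user.
HIGH_RISK_SCOPES = {
    "repo": "full read/write access to every public and private repository",
    "workflow": "can add or change GitHub Actions workflow files",
    "user": "read/write access to profile data",
    "gist": "can create and modify gists",
    "admin:org": "full control of organisations and teams",
    "admin:repo_hook": "full control of repository webhooks",
    "delete_repo": "can delete repositories",
}

GITHUB_AUTHORIZE_PATH = "/login/oauth/authorize"


def triage_authorize_url(url: str) -> dict:
    """Return what an OAuth link will ask for, plus plain-language findings."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    findings = []

    # A genuine consent screen is served by github.com at one fixed path.
    on_github = (parts.scheme == "https" and parts.hostname == "github.com"
                 and parts.path == GITHUB_AUTHORIZE_PATH)
    if not on_github:
        findings.append("link is not GitHub's OAuth authorisation endpoint; "
                        "treat it as a credential-phishing page")

    client_id = query.get("client_id", [""])[0]
    # GitHub documents space-delimited scopes; tolerate commas as well.
    raw_scope = query.get("scope", [""])[0]
    scopes = [s for s in raw_scope.replace(",", " ").split() if s]

    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
    for s in risky:
        findings.append(f"scope '{s}': {HIGH_RISK_SCOPES[s]}")
    if not scopes:
        findings.append("no scope requested: app would get read-only access "
                        "to public information")

    # The token is delivered wherever redirect_uri points; a legitimate app
    # also uses its own host here, so the check is "do I recognise it?".
    redirect_uri = query.get("redirect_uri", [""])[0]
    redirect_host = urlparse(redirect_uri).hostname or ""
    if redirect_host:
        findings.append(f"the access token will be delivered to {redirect_host}; "
                        "confirm that host belongs to the publisher you expect")

    return {
        "on_github": on_github,
        "client_id": client_id,
        "scopes": scopes,
        "redirect_host": redirect_host,
        "risk": "high" if risky or not on_github else "low",
        "findings": findings,
    }


# Constructed sample: the shape of link described in the article (repo +
# profile + workflow scopes, token sent to a third-party callback).
PHISHING_STYLE_URL = ("https://github.com/login/oauth/authorize"
                      "?client_id=CLIENTID-EXAMPLE"
                      "&scope=repo%20user%20workflow"
                      "&redirect_uri=https%3A%2F%2Fexample-callback.invalid%2Fauth")

# Constructed sample of a minimal, read-only request for comparison.
READ_ONLY_URL = ("https://github.com/login/oauth/authorize"
                 "?client_id=CLIENTID-READER&scope=read%3Auser"
                 "&redirect_uri=https%3A%2F%2Fexample-app.invalid%2Fcb")


if __name__ == "__main__":
    for label, url in (("suspicious", PHISHING_STYLE_URL), ("read-only", READ_ONLY_URL)):
        result = triage_authorize_url(url)
        print(f"[{label}] risk={result['risk']} scopes={result['scopes']}")
        for line in result["findings"]:
            print("  -", line)
```

The point of the `redirect_host` finding is that a genuine app also sends the token to its own server, so the host is not a malicious-or-not signal on its own; what matters is whether it belongs to a publisher the developer actually recognises. The scope list, by contrast, is decisive: a “security check” has no reason to need `repo`, `user` and `workflow`.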

According to BleepingComputer, the phishing campaign commenced on 16 March at 6:52 AM ET. Although the number of affected repositories is nearing 12,000, it appears to fluctuate as GitHub actively responds to mitigate the attack. Users impacted by this breach are urged to revoke OAuth app access via GitHub Settings under Applications.

There, users should promptly revoke access for any suspicious or unrecognised apps, particularly those named similarly to ‘gitsecurityapp.’ Users are also encouraged to check for unexpected GitHub Actions workflows or private gists and to rotate any credentials or authorisation tokens as a precautionary measure.
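Revoking the app closes the door, but the article’s second step, looking for artefacts left behind, is easier to do systematically than by clicking through each repository. The script below is an added example (not from the article or from GitHub) that takes the JSON shapes returned by GitHub’s REST endpoints `GET /gists` and `GET /repos/{owner}/{repo}/actions/workflows` and flags any gist created, or any workflow file added or modified, after a suspected-compromise timestamp. The records embedded here are constructed samples with arbitrary dates; the timestamp format and field names (`created_at`, `updated_at`, `public`, `workflows`, `path`) are those the API uses.

```python
"""Post-compromise audit of an account's gists and Actions workflows.

Added example, not from the article. Input is the JSON GitHub's REST API
returns for GET /gists and GET /repos/{owner}/{repo}/actions/workflows;
the records below are constructed samples, and the dates are arbitrary.
"""
from datetime import datetime


def parse_ts(ts: str) -> datetime:
    """GitHub timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_gists(gists: list, since: str) -> list:
    """Flag every gist created at or after `since`; private ones are called out."""
    cutoff = parse_ts(since)
    findings = []
    for g in gists:
        if parse_ts(g["created_at"]) >= cutoff:
            kind = "public" if g["public"] else "private"
            findings.append({
                "type": "gist",
                "id": g["id"],
                "url": g["html_url"],
                "reason": f"{kind} gist created after {since}",
            })
    return findings


def audit_workflows(workflows_by_repo: dict, since: str) -> list:
    """Flag workflow files added or modified at or after `since`, per repo."""
    cutoff = parse_ts(since)
    findings = []
    for repo, resp in workflows_by_repo.items():
        for wf in resp["workflows"]:
            # updated_at moves on both creation and later edits, so it
            # catches a new workflow and a tampered existing one alike.
            if parse_ts(wf["updated_at"]) >= cutoff:
                findings.append({
                    "type": "workflow",
                    "repo": repo,
                    "path": wf["path"],
                    "state": wf["state"],
                    "reason": f"workflow added or modified after {since}",
                })
    return findings


def audit_account(gists: list, workflows_by_repo: dict, since: str) -> list:
    """Combine both checks into one list of findings to review by hand."""
    return audit_gists(gists, since) + audit_workflows(workflows_by_repo, since)


# Constructed sample data (year and values arbitrary, not from the campaign).
SUSPECTED_SINCE = "2025-03-16T10:52:00Z"

SAMPLE_GISTS = [
    {"id": "gist-old", "public": True, "created_at": "2024-11-02T09:00:00Z",
     "html_url": "https://gist.github.com/example/gist-old"},
    {"id": "gist-new", "public": False, "created_at": "2025-03-16T12:30:00Z",
     "html_url": "https://gist.github.com/example/gist-new"},
]

SAMPLE_WORKFLOWS = {
    "example-org/demo-app": {
        "total_count": 2,
        "workflows": [
            {"id": 1, "name": "CI", "path": ".github/workflows/ci.yml",
             "state": "active", "created_at": "2024-06-01T08:00:00Z",
             "updated_at": "2025-01-10T08:00:00Z"},
            {"id": 2, "name": "nightly", "path": ".github/workflows/nightly.yml",
             "state": "active", "created_at": "2025-03-16T11:05:00Z",
             "updated_at": "2025-03-16T11:05:00Z"},
        ],
    },
}


if __name__ == "__main__":
    for f in audit_account(SAMPLE_GISTS, SAMPLE_WORKFLOWS, SUSPECTED_SINCE):
        print(f)
```

The cut-off should be the earliest plausible time the rogue app could have held a token, not the time the phishing issue was noticed; anything the script flags still needs a human to confirm it is unexpected, since a developer’s own work in the same window will be listed too.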

In late 2024, reports surfaced that GitHub was being exploited to distribute malware aimed at harvesting sensitive information. This malware, identified as ‘Lumma Stealer,’ was disseminated via fraudulent “fixes” posted in the comments sections of several GitHub projects. The malicious activity was first reported by a contributor to the Teloxide Rust library, who detailed their experience on Reddit. They observed numerous comments on their GitHub issues that pretended to offer helpful fixes but were, in fact, attempts to spread malware.

Read more: GitHub exploited to spread password-stealing malware disguised as legitimate fixes