Widespread GitHub Phishing Attack Targets Nearly 12,000 Repositories
A massive phishing campaign is sweeping through GitHub, hitting nearly 12,000 repositories with fake “Security Alert” issues. The scheme is tricking developers into granting full access to a malicious OAuth app, putting accounts and code at risk.
Fake Security Alerts Flood GitHub Repositories
Developers across GitHub woke up to an alarming message: their accounts had been accessed from Reykjavik, Iceland, via IP address 53.253.117.8. The warning, disguised as an official security notification, urged users to update passwords and enable two-factor authentication. However, every action led to one place—an authorization page for a fraudulent OAuth app named “gitsecurityapp.”
Cybersecurity researcher Luc4m was among the first to flag the attack. The deceptive GitHub issues all carried identical wording, creating a sense of urgency that made users more likely to fall for the scam.
Malicious OAuth App Requests Full Control
If users took the bait, they were directed to an authorization page requesting extensive permissions. The list of requested scopes should have raised immediate red flags:
- repo: Full access to public and private repositories
- user: Read and write privileges on user profiles
- read:org: Access to organization and team memberships
- read:discussion, write:discussion: Read and write permissions for discussions
- gist: Control over GitHub gists
- delete_repo: The ability to delete repositories
- workflows, workflow, write:workflow, read:workflow, update:workflow: Full control over GitHub Actions workflows
These permissions would allow attackers to steal source code, inject malicious changes, delete critical repositories, and hijack automated workflows—effectively seizing complete control over compromised accounts.
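As an added example (not code from the article, GitHub, or the researcher it cites), the following Python script shows the check a defender would want when a suspicious issue points at an OAuth authorization page: extract any github.com/login/oauth/authorize link from the issue body, pull the requested scope list out of the URL, and rate it against the impact the article attributes to each scope. The sample issue body, the client_id "EXAMPLE_CLIENT_ID" and the risk tiers are constructed for this example; the scope names are the ones listed above, and any scope the table does not know is reported separately for manual review rather than silently ignored.

```python
"""Triage GitHub OAuth authorize links found in issue text.

Added example; not from the article or GitHub. The sample issue below is
constructed to mirror the pattern described (a "security alert" that links
to an OAuth authorization page), not the real phishing text.
"""
import re
from urllib.parse import parse_qs, urlparse

# Matches a GitHub OAuth authorization URL embedded in free text.
AUTHORIZE_LINK = re.compile(
    r"https?://github\.com/login/oauth/authorize\?[^\s\"'<>)\]]+"
)

# Risk tiers are this example's own classification, based on the impact the
# article describes for each scope; they are not a GitHub rating.
SCOPE_RISK = {
    "repo": ("HIGH", "full access to public and private repositories"),
    "delete_repo": ("HIGH", "can delete repositories"),
    "workflow": ("HIGH", "can add or modify GitHub Actions workflows"),
    "user": ("MEDIUM", "read/write access to the user profile"),
    "gist": ("MEDIUM", "control over gists"),
    "write:discussion": ("MEDIUM", "write access to discussions"),
    "read:org": ("LOW", "read organization and team membership"),
    "read:discussion": ("LOW", "read access to discussions"),
}
RISK_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def extract_authorize_links(text):
    """Return every GitHub OAuth authorize URL found in the text."""
    return AUTHORIZE_LINK.findall(text)


def parse_scopes(url):
    """Return the scopes an authorize URL requests (space or comma delimited)."""
    query = parse_qs(urlparse(url).query)
    raw = " ".join(query.get("scope", []))
    return [s for s in re.split(r"[\s,]+", raw) if s]


def assess_link(url, trusted_client_ids=frozenset()):
    """Rate one authorize link: who asks (client_id) and how much it asks for."""
    query = parse_qs(urlparse(url).query)
    client_id = query.get("client_id", [""])[0]
    scopes = parse_scopes(url)
    known = [s for s in scopes if s in SCOPE_RISK]
    unknown = [s for s in scopes if s not in SCOPE_RISK]
    max_risk = max((SCOPE_RISK[s][0] for s in known),
                   key=RISK_ORDER.get, default="NONE")
    return {
        "url": url,
        "client_id": client_id,
        "trusted_client": client_id in trusted_client_ids,
        "scopes": scopes,
        "unknown_scopes": unknown,       # not in the table: review by hand
        "max_risk": max_risk,
        "reasons": [f"{s}: {SCOPE_RISK[s][1]}"
                    for s in known if SCOPE_RISK[s][0] == "HIGH"],
    }


def triage_issue(body, trusted_client_ids=frozenset()):
    """Assess every authorize link in an issue body; [] means nothing to review."""
    return [assess_link(u, trusted_client_ids) for u in extract_authorize_links(body)]


# Constructed sample issue body (hypothetical client_id and redirect host).
SAMPLE_ISSUE = """Security Alert: unusual access to your account was detected.
Please review and secure your account here:
https://github.com/login/oauth/authorize?client_id=EXAMPLE_CLIENT_ID&scope=repo%20user%20read:org%20gist%20delete_repo%20workflow%20write:workflow&redirect_uri=https://example.invalid/callback
"""

if __name__ == "__main__":
    for finding in triage_issue(SAMPLE_ISSUE):
        print(f"client_id={finding['client_id']} trusted={finding['trusted_client']} "
              f"risk={finding['max_risk']}")
        for reason in finding["reasons"]:
            print("  ", reason)
        if finding["unknown_scopes"]:
            print("   unrecognised scopes:", ", ".join(finding["unknown_scopes"]))
```

Run over a batch of issue bodies (for instance, everything opened in your org's repositories since the morning of the campaign), anything that comes back with an untrusted client_id and a HIGH rating is the issue to delete and the app to revoke before a maintainer clicks it. The redirect_uri in the link is also worth reading: a legitimate GitHub App redirects to a host you recognize, not to an arbitrary hosting provider.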
Attackers Leveraging Render to Host Malicious Callbacks
Once a user authorized the fake OAuth app, an access token was generated and sent to an external callback URL hosted on Render, a popular cloud hosting service. The attackers used various pages on onrender.com to receive stolen credentials.
The attack started early in the morning at 6:52 AM ET and remains ongoing. GitHub appears to be actively responding, as the number of affected repositories fluctuates. However, the attackers are adapting, continuing to spread the phishing links and creating new fake security alerts.
Steps to Protect Your GitHub Account
If you’ve been targeted or mistakenly authorized the malicious OAuth app, immediate action is necessary to secure your account:
- Revoke OAuth App Access: Go to GitHub Settings > Applications and remove any suspicious GitHub Apps or OAuth integrations. Look for names similar to ‘gitsecurityapp.’
- Check for Unauthorized Changes: Review new or unexpected GitHub Actions workflows and private gists that may have been created.
- Rotate Credentials: Change your passwords and refresh any authorization tokens to prevent further unauthorized access.
GitHub has yet to provide an official response on the incident, but given the scale of the attack, additional security measures and platform-wide alerts may be expected soon.