June 10, 2024 at 06:25PM
Threat actors are impersonating GitHub’s teams in phishing attacks, aiming to hijack repositories using malicious OAuth apps. These attackers have been targeting developers with fake job offers or security alerts via phishing emails and redirecting them to fake GitHub landing pages, leading to compromised accounts and wiped repositories. GitHub advises users to report any suspicious activity and to use caution to avoid falling victim to such attacks.
In summary, an ongoing extortion campaign is targeting GitHub users through phishing attacks. The threat actors impersonate GitHub’s security and recruitment teams to send fake job offers or security alert emails, which redirect users to phishing landing pages where they are asked to sign into their GitHub accounts to authorize a new OAuth app. This app requests access to private repositories and personal user data, as well as permission to delete any repository the victim administers.
After gaining access to the victims’ repositories, the attackers wipe the contents, rename the repository, and provide instructions to reach out on Telegram to recover the data. They claim to have stolen the victims’ data before destroying it and created a backup that could help restore the wiped repositories.
GitHub staff have been responding to community discussions about these attacks since February and have advised users to use abuse reporting tools to raise any abusive or suspicious activity. GitHub also warned users to take measures to ensure their accounts aren’t hijacked in these attacks, citing a previous phishing campaign dating back to September 2020.
Furthermore, BleepingComputer reached out to a GitHub spokesperson for more details regarding the Gitloker extortion campaign, but at the time of writing had yet to receive a reply.
It is clear that GitHub users are being targeted by a sophisticated and ongoing phishing campaign, and GitHub staff are actively working to address the malicious activity and support affected users.