Phishing Campaign Abuses GitHub, Jira Notifications to Bypass Security

Sarah Simpson
April 13, 2026

Key Takeaways

  • Cybercriminals are leveraging legitimate notification features within GitHub and Jira to distribute highly convincing phishing emails.
  • These malicious emails originate from the authentic infrastructure of GitHub and Atlassian, bypassing standard email security protocols like SPF, DKIM, and DMARC.
  • The primary objective of these attacks is credential harvesting, leading to potential account takeovers and broader network compromises.
  • Cisco Talos researchers identified this technique, dubbed “Platform-as-a-Proxy (PaaP),” noting a significant volume of abuse on specific dates.
  • Defenders must implement stricter verification processes for SaaS platform emails and integrate API audit logs for proactive threat detection.

Attackers Exploit Trusted GitHub and Jira Notifications to Launch Sophisticated Phishing Campaigns

A new and alarming phishing campaign is exploiting the inherent trust placed in widely used development and IT management tools, GitHub and Jira. Threat actors are manipulating the automated notification systems of these platforms to send highly credible phishing emails that originate directly from the vendors’ own servers, effectively sidestepping conventional email security measures. This sophisticated tactic was recently detailed in a comprehensive report by Cisco Talos.

The efficacy of this campaign lies in its deceptive simplicity. Unlike traditional phishing attempts that rely on spoofed sender addresses or meticulously crafted lookalike domains, which are often flagged by security tools, these malicious messages emanate from verified infrastructure. Emails appear to come from legitimate servers belonging to GitHub and Atlassian, the company behind Jira.

Because these messages adhere to all standard email authentication protocols, including SPF, DKIM, and DMARC, most security gateways lack the technical criteria to block them. This grants attackers an unprecedented level of legitimacy, making their phishing lures significantly harder for both automated systems and human recipients to detect as fraudulent.

Cisco Talos analysts have been actively monitoring this evolving threat, publishing their findings on April 7, 2026. Their research indicates a peak in malicious activity on February 17, 2026, when approximately 2.89% of all emails originating from GitHub’s infrastructure were linked to this abuse. Over a five-day period, roughly 1.20% of traffic from the “[email protected]” address contained an “invoice” lure in the subject line.

Talos researchers have coined the term “Platform-as-a-Proxy (PaaP) model” to describe this method. It is crucial to note that attackers do not need to compromise any systems or breach the security of these platforms. Instead, they leverage existing, legitimate features—such as repository commits or project invitations—as conduits to inject and deliver malicious content. The platforms themselves then handle the delivery, complete with their verified digital signatures and trusted branding, inadvertently lending credibility to the phishing attempts.

The ultimate goal in nearly all observed instances of this campaign is credential harvesting. Victims are enticed to click on deceptive links disguised as urgent billing alerts, fraudulent support contact numbers, or misleading account warnings. Once users submit their login credentials on these fake pages, attackers gain an unauthorized entry point, which can rapidly escalate to account takeovers, unauthorized access to sensitive data, and broader network compromise.

How the Attack Works: GitHub and Jira Notification Pipelines

The two platforms are exploited through distinct, yet equally effective, mechanisms:

GitHub Exploitation

On GitHub, the attack begins with the creation of a new repository. The attacker then pushes a commit whose message fields carry the social engineering content. GitHub’s commit interface provides two primary text areas: a mandatory short summary line and a longer, optional description field. Attackers place an urgent call-to-action, such as a fake invoice or billing alert, in the summary. The extended description is then populated with the full scam message, including fraudulent phone numbers or malicious links.

Upon submission of this commit, GitHub’s automated system dispatches a notification email to all associated collaborators. This notification email embeds the complete malicious message within its body. The resulting email appears as a standard GitHub notification, complete with legitimate headers. Analysis of the raw email headers confirms the sending server as “out-28.smtp.github.com,” a valid GitHub mail server with the IP address “192.30.252.211.” Furthermore, the DKIM signature correctly identifies “d=github.com” and passes all authentication checks without triggering any security flags.

Jira Exploitation

The approach for Jira differs slightly. Attackers create a Jira Service Management project, assigning it a deceptive name like “Argenta.” They then embed their phishing message within the “Welcome Message” or “Project Description” fields of this project. Utilizing the “Invite Customers” feature, the attacker submits the target’s email address. Atlassian’s backend subsequently generates an automated invitation email, seamlessly incorporating the attacker’s malicious content into its own signed and branded template. The email arrives appearing as an official Jira system notification, complete with Atlassian’s recognizable branding footer, further enhancing its perceived legitimacy.
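The two notification pipelines above share one defensive lesson: the DKIM/SPF/DMARC result tells you who relayed the message, not who wrote the text inside it. The following is an added example of a mail-gateway rule that applies that lesson; it is not code from the Talos report or from this article. It parses a notification with Python's standard `email` library, reads the `Authentication-Results` header, and then inspects the subject and body for content that has no business in a commit or project-invite notification (financial terms, urgency phrases, phone numbers). Both sample messages are constructed for this example; the sending host and IP in the first one are the values the article quotes, while the sender address, recipient, subject lines, the `PLATFORM_DOMAINS` set (only github.com appears on the page; atlassian.com is an assumption) and the indicator term lists are this example's own choices.

```python
import email
import re
from email import policy

# Signing domains treated as "platform-signed". Only github.com is named in
# the article; atlassian.com is an assumed addition for the Jira case.
PLATFORM_DOMAINS = {"github.com", "atlassian.com"}

# Content indicators that are out of place in a commit or invite notification.
# These term lists are illustrative, not a vendor rule set.
FINANCIAL_LURE = re.compile(
    r"\b(invoice|billing|payment|overdue|past due|refund|suspend\w*|subscription)\b",
    re.I)
URGENCY = re.compile(
    r"\b(within \d+ hours?|immediately|urgent|action required|24 hours)\b", re.I)
PHONE = re.compile(r"\+?\d{1,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Constructed sample of an abused commit notification. Sender, recipient,
# subject and body are made up; the relay host and IP are the ones the
# article quotes from the Talos analysis.
SAMPLE_LURE = """\
Received: from out-28.smtp.github.com (out-28.smtp.github.com [192.30.252.211])
 by mx.example.com with ESMTPS; Tue, 17 Feb 2026 09:02:11 +0000
From: GitHub <noreply@github.com>
To: finance@example.com
Subject: [acct-x7/invoice-notice] Invoice #88213 overdue - action required
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=github.com;
 dkim=pass header.d=github.com; dmarc=pass header.from=github.com
Content-Type: text/plain; charset=utf-8

Your payment of $499.00 is past due. Call our billing desk at
+1 (800) 555-0142 within 24 hours to avoid suspension of your account.

--
You are receiving this because you were added to this repository.
"""

# Constructed sample of an ordinary commit notification for comparison.
SAMPLE_BENIGN = """\
From: GitHub <noreply@github.com>
To: dev@example.com
Subject: [example-org/app] Fix null dereference in config parser
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=github.com;
 dkim=pass header.d=github.com; dmarc=pass header.from=github.com
Content-Type: text/plain; charset=utf-8

Guard the optional "include" key before iterating over it.

--
You are receiving this because you are watching this repository.
"""


def analyse_notification(raw: str) -> dict:
    """Classify a platform notification by its content, not only its DKIM result."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = msg.get("Authentication-Results", "")
    dkim_pass = re.search(r"\bdkim=pass\b", auth) is not None
    m = re.search(r"header\.d=([\w.-]+)", auth)
    signing_domain = m.group(1).lower() if m else None

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    haystack = f"{msg.get('Subject', '')}\n{text}"

    indicators = []
    if FINANCIAL_LURE.search(haystack):
        indicators.append("financial_lure")
    if URGENCY.search(haystack):
        indicators.append("urgency")
    phones = PHONE.findall(text)
    if phones:
        indicators.append("phone_number")

    platform_signed = dkim_pass and signing_domain in PLATFORM_DOMAINS
    # The rule's point: a valid platform signature does not earn a bypass.
    # Two or more lure indicators inside a platform-signed notification is the
    # "trusted pipe, untrusted content" pattern, so the message is held.
    if platform_signed and len(indicators) >= 2:
        verdict = "quarantine"
    elif indicators:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"dkim_pass": dkim_pass, "signing_domain": signing_domain,
            "platform_signed": platform_signed, "indicators": indicators,
            "phones": phones, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, analyse_notification(sample))
```

The benign notification passes through untouched, while the lure is quarantined even though its authentication results are identical. In production the indicator lists would be tuned per platform (a Jira invite legitimately contains a project name and a sign-up link, but not a phone number or a past-due amount), and the `quarantine` verdict would feed the reporting process described later on this page rather than silently dropping the message.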

What You Should Do

  • Verify Sender Identity Beyond Basic Checks: Do not solely rely on SPF, DKIM, or DMARC passes for emails from SaaS platforms. These attacks demonstrate that even legitimate sending infrastructure can be abused.
  • Implement API Log Monitoring: Integrate GitHub and Atlassian API audit logs into your Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR) systems. Configure alerts for unusual activities, such as mass user invitations, rapid project creation from untrusted locations, or changes in repository settings, before any phishing emails are sent.
  • Educate Users on Contextual Anomalies: Train employees to be suspicious of any email from GitHub, Jira, or similar platforms that contains financial requests, urgent payment demands, or unexpected account warnings. These platforms are not typically used for direct billing or critical financial notifications.
  • Direct Navigation for Sensitive Actions: Advise users to navigate directly to the official GitHub or Jira portal by typing the URL into their browser for any sensitive actions, rather than clicking on links embedded in notification emails.
  • Report and Automate Takedowns: Establish a process for quickly reporting suspicious activity and phishing attempts to the Trust and Safety teams of GitHub and Atlassian. Automating these reports can increase the operational cost for attackers, making such campaigns less viable.
  • Enhance Endpoint Protection: Ensure robust endpoint detection and response (EDR) solutions are in place to catch any malicious payloads or post-exploitation activities that might occur if a user falls victim to credential harvesting.
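The "Implement API Log Monitoring" recommendation above asks for alerts on mass invitations and rapid project creation before any phishing email leaves the platform. The following is an added example of such alerting, written for this page and not taken from the article, from Cisco Talos, GitHub or Atlassian. It runs two sliding-window rules over audit events: more than a threshold of invitations by one actor inside a ten-minute window, and more than a threshold of repository or project creations by one actor from an address outside a trusted range. The event field names (`ts`, `platform`, `actor`, `action`, `target`, `ip`), the action labels, the thresholds, the trusted network and all sample events are this example's own assumptions; a real pipeline would first normalize the vendors' audit-log records into this shape.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified, normalized audit-event vocabulary used by this example. This is
# an assumption for illustration, not the GitHub or Atlassian audit-log schema.
INVITE_ACTIONS = {"repo.add_member", "jira.invite_customer"}
CREATE_ACTIONS = {"repo.create", "jira.project.create"}

# Assumed corporate egress range; creations from here are not "untrusted".
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
WINDOW = timedelta(minutes=10)
INVITE_THRESHOLD = 5   # invitations by one actor inside WINDOW
CREATE_THRESHOLD = 3   # repositories/projects by one actor inside WINDOW


def _ev(ts, platform, actor, action, target, ip):
    return {"ts": ts, "platform": platform, "actor": actor,
            "action": action, "target": target, "ip": ip}


# Constructed sample events. One account creates a lure-named repository and
# then adds six outside addresses within five minutes; a second account
# creates three repositories in two minutes from an untrusted address; an
# admin on the corporate range does routine project and invite work.
EVENTS = (
    [_ev("2026-02-17T09:00:05Z", "github", "acct-x7", "repo.create",
         "acct-x7/invoice-notice", "203.0.113.45")]
    + [_ev(f"2026-02-17T09:0{i}:30Z", "github", "acct-x7", "repo.add_member",
           f"user{i}@example.com", "203.0.113.45") for i in range(1, 7)]
    + [_ev(f"2026-02-17T09:1{i}:00Z", "github", "acct-q2", "repo.create",
           f"acct-q2/repo-{i}", "203.0.113.77") for i in range(3)]
    + [_ev(f"2026-02-17T09:2{i}:00Z", "jira", "admin@example.com",
           "jira.project.create", f"OPS{i}", "198.51.100.8") for i in range(3)]
    + [_ev("2026-02-17T09:25:00Z", "jira", "admin@example.com",
           "jira.invite_customer", "partner@example.net", "198.51.100.8")]
)


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect_platform_abuse(events):
    """Sliding-window rules over normalized audit events; returns alert dicts."""
    alerts = []
    windows = defaultdict(deque)   # (actor, rule) -> event times inside WINDOW
    fired = set()                  # one alert per (actor, rule) burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in INVITE_ACTIONS:
            rule, threshold = "mass_invitations", INVITE_THRESHOLD
        elif ev["action"] in CREATE_ACTIONS and not _is_trusted(ev["ip"]):
            rule, threshold = "rapid_creation_untrusted_ip", CREATE_THRESHOLD
        else:
            continue
        key = (ev["actor"], rule)
        ts = _parse_ts(ev["ts"])
        q = windows[key]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"rule": rule, "platform": ev["platform"],
                           "actor": ev["actor"], "count": len(q),
                           "window_start": q[0].isoformat(),
                           "triggered_at": ts.isoformat(), "ip": ev["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_platform_abuse(EVENTS):
        print(alert)
```

On the sample data the first account trips `mass_invitations` at its fifth invite and the second trips `rapid_creation_untrusted_ip` at its third repository, while the admin's three project creations from the trusted range raise nothing. The value of running this against the API audit log rather than the mailbox is timing: the invite burst is visible at the moment it is issued, which is before the platform has rendered and signed the resulting notification emails.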
