GitHub Phishing Campaign Abuses OAuth Apps via Issue Notifications
Key Takeaways A novel phishing campaign targets software developers by exploiting GitHub’s native issue notification system. Attackers leverage legitimate GitHub infrastructure and a...
Key Takeaways
- A novel phishing campaign targets software developers by exploiting GitHub’s native issue notification system.
- Attackers leverage legitimate GitHub infrastructure and a Time-of-Check Time-of-Use (TOCTOU) vulnerability to deliver malicious OAuth app authorization requests, making detection difficult.
- The attack grants threat actors significant control over compromised GitHub accounts, enabling potential supply chain attacks.
- The setup cost for this attack is minimal, requiring only a free GitHub account, a malicious OAuth application, and a basic hosting server.
Cybersecurity researchers have uncovered a sophisticated phishing operation specifically engineered to target software developers. This campaign ingeniously exploits GitHub’s inherent notification mechanisms to distribute fraudulent OAuth application authorization prompts, posing a significant risk to software supply chains.
Table Of Content
The danger of this attack lies in its utilization of GitHub’s trusted infrastructure. By originating from within GitHub’s ecosystem, the malicious notifications are incredibly difficult for recipients to differentiate from genuine security alerts. This technique circumvents many traditional phishing defenses, directly delivering deceptive content to a developer’s inbox.
Developers: Prime Targets for Supply Chain Compromise
Developers represent a highly valuable target for cybercriminals due to their privileged access to critical codebases, continuous integration/continuous delivery (CI/CD) pipelines, and production environments. A successful compromise of a developer’s account can provide attackers with direct access to source code, private repositories, and automated workflows. This access can then be leveraged to inject malicious code into software supply chains at scale, impacting numerous downstream users and organizations.
Recent high-profile supply chain incidents, such as those affecting widely adopted projects like Axios and LiteLLM, each boasting over 100 million weekly downloads, underscore the potentially devastating impact of such breaches. These events highlight the critical need for robust security measures protecting development environments and accounts.
Unmasking the GitHub Phishing Operation
Analysts at Atsika identified this phishing campaign during their research into less common initial access vectors targeting developers on GitHub. Their findings indicate that attackers are not employing typical Man-in-the-Middle (MitM) tactics. Instead, they are directly abusing GitHub’s built-in issue notification system.
This system automatically dispatches an email to any user mentioned within an issue description. The attackers exploit this feature to inject phishing content directly into a developer’s inbox, with the email appearing to originate from GitHub’s legitimate no-reply address.
The campaign’s alarming aspect is its near-zero setup cost. An attacker needs only a free GitHub account, a malicious OAuth application, and a readily available free hosting server. The threat actor initiates the attack by creating a deceptive GitHub account, often impersonating an official security service, complete with a convincing display name and a fabricated repository.
Following this, they develop a malicious OAuth application, exemplified as “MalGitApp” in the proof-of-concept. This application is designed to request extensive and dangerous permissions, including full read and write access to public and private repositories, control over GitHub Actions workflows, and access to the user’s email and profile data.
When a target clicks the phishing link embedded within the notification email, they are redirected to a legitimate GitHub authorization page. This page transparently lists the permissions requested by the malicious OAuth app. If the unsuspecting developer approves these permissions, the attacker is granted a valid access token. This token then enables the attacker to clone repositories, push backdoored code, and interact with automation workflows, effectively seizing partial control over the victim’s GitHub account.
How the TOCTOU Vulnerability Powers the Attack
A particularly notable discovery by Atsika researchers is a Time-of-Check Time-of-Use (TOCTOU) race condition within GitHub’s notification infrastructure. This vulnerability allows an attacker to manipulate the timing of issue creation and email notification.
Researchers found that an attacker can post an issue mentioning a target user, which immediately triggers an email notification. Crucially, the attacker can then rapidly edit or completely erase the issue content within a narrow window of two to three seconds. Because GitHub’s system generates the email notification based on the issue’s *latest* version rather than its original state, the target receives a meticulously crafted phishing message in their inbox.
Conversely, if the target or anyone else directly inspects the repository, the issue will appear blank or display an innocuous title like “Loading error.” This technique makes it exceedingly difficult to trace the phishing content back to the originating attacker, especially since all revision history can also be purged.
To further evade detection, attackers employ link shorteners to mask the phishing URL, as GitHub actively flags direct OAuth authorization URLs as suspicious. Additionally, attackers craft account and repository names to mimic official GitHub notifications, using names such as “GH-Security/alert,” ensuring the email subject line appears trustworthy at first glance.
What You Should Do
- Scrutinize OAuth App Permissions: Always meticulously review the permissions requested by any OAuth application before granting authorization, especially if the request arrives via an unexpected email notification.
- Regularly Audit Authorized Apps: Periodically review the list of authorized OAuth applications within your GitHub account settings and immediately revoke access for any unfamiliar or suspicious applications.
- Exercise Caution with Urgent Notifications: Be highly skeptical of notification emails that demand immediate action, claim a critical security incident, or contain links leading to external authorization pages.
- Restrict Repository Interaction: Where possible, limit who can open issues or mention users in public repositories to reduce potential attack vectors.
- Enable Security Alerts and Monitor Activity: Activate GitHub security alerts and actively monitor access token activity for any signs of unauthorized use or unusual behavior.
Developers must remain vigilant: a legitimate security tool or service will never request comprehensive repository access through an unsolicited email notification.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.