GitHub Phishing: Malicious OAuth Apps Target Developers

Jennifer Sherman
April 21, 2026

A sophisticated phishing technique targeting software developers has been uncovered by cybersecurity researchers. The attack abuses GitHub’s native notification system to deliver malicious OAuth app authorization requests.

This attack is particularly dangerous because it uses GitHub’s trusted infrastructure, making it extremely hard for victims to distinguish it from a legitimate security alert.

Developers are among the most valuable targets for cybercriminals today. They write and manage the code that powers applications, CI/CD pipelines, and production servers.

By compromising a developer’s account, an attacker gains direct access to source code, private repositories, and automated workflows, which can then be used to inject malicious code into software supply chains at scale.

Recent supply chain attacks involving widely used projects like Axios and LiteLLM, each with over 100 million weekly downloads, highlight how damaging these breaches can be.

Atsika analysts identified this phishing campaign while researching lesser-known initial access techniques targeting developers on GitHub. The researchers noted that the attackers do not rely on the typical Attacker-in-the-Middle (AitM) approach of proxying a login page.

Instead, they exploit GitHub’s built-in issue notification system, which automatically sends an email to any user mentioned in an issue description, pushing phishing content directly to a developer’s inbox from GitHub’s own no-reply address.

GitHub phishing flow (Source: Atsika)

What makes this campaign especially alarming is its zero-cost setup. An attacker needs nothing more than a free GitHub account, a malicious OAuth application, and a free hosting server.

The threat actor creates a fake GitHub account impersonating an official security service, complete with a convincing display name and a fabricated repository.

They then build an OAuth app, named “MalGitApp” in the proof-of-concept, which requests dangerous permissions including full read and write access to public and private repositories, access to GitHub Actions workflows, and the user’s email and profile data.

Once a target clicks the phishing link embedded in the notification email, they are taken to a legitimate GitHub authorization page. The page displays the requested permissions, and if the developer approves, the attacker receives a valid access token.

This token allows the attacker to clone repositories, push backdoored code, and interact with automation workflows, effectively gaining partial control over the victim’s GitHub account.

How the TOCTOU Vulnerability Powers the Attack

One of the most technically notable findings from the Atsika research involves a Time-of-Check Time-of-Use (TOCTOU) race condition discovered in GitHub’s notification system.

Researchers found that an attacker can post an issue mentioning a target user, triggering an email notification, then immediately edit or erase the issue content within just two to three seconds.

Since GitHub sends the email based on the latest issue version rather than the original, the target receives a polished phishing message in their inbox, while the issue itself appears blank or shows a harmless title like “Loading error” to anyone checking the repository directly.

This trick makes it nearly impossible to trace the phishing content back to the attacker afterward, since the issue's edit history can also be cleared.

To further avoid detection, attackers mask the phishing URL using link shorteners, since GitHub actively flags direct OAuth authorization URLs as suspicious.

OAuth authorization flow (Source: Atsika)

Attackers also craft account and repository names that mimic official GitHub notifications, using names like “GH-Security/alert,” so the email subject line appears trustworthy at first glance.

Developers and organizations should take the following steps to reduce exposure:

  • Always review permissions requested by any OAuth application before clicking “Authorize,” especially when the request arrives through an unexpected email
  • Regularly audit authorized OAuth apps under GitHub account settings and revoke any apps that appear unfamiliar
  • Be cautious of notification emails that urge immediate action, claim a security incident, or contain links to external authorization pages
  • Restrict repository interactions by limiting who can open issues or mention users in public repositories
  • Enable GitHub security alerts and monitor access token activity to detect unauthorized use early
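The mitigation list above, together with the tradecraft described earlier (notification e-mail delivered from GitHub's own address, lookalike names such as "GH-Security/alert", link shorteners hiding the consent URL, and an OAuth app asking for repository, workflow and profile scopes), can be turned into a simple mail-side triage check. The following Python script is an added example written for this page; it is not code from Atsika, GitHub or the article's author. It assumes GitHub notification mail carries the `X-GitHub-Sender` and `List-ID` headers, uses a constructed list of shortener hosts, and runs over three constructed sample messages (placeholder values throughout). The scope names `repo`, `workflow`, `user:email` and `read:user` are real GitHub OAuth scope identifiers that correspond to the access the article says the proof-of-concept app requested.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Real GitHub OAuth scope names that grant the access the article describes:
# full repo read/write, Actions workflows, e-mail and profile data.
HIGH_RISK_SCOPES = {"repo", "workflow", "user", "user:email", "read:user", "admin:org"}

# Constructed list of common link-shortener hosts; extend with your own list.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy"}

# Account/repository names that imitate an official GitHub security sender.
LOOKALIKE_RE = re.compile(r"\b(gh|github)[-_.]?(security|alert|support|team)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def _body_text(msg) -> str:
    """Return the text/plain content of a parsed e-mail as one string."""
    if msg.is_multipart():
        return "\n".join(
            p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
            for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw_email: str) -> list[str]:
    """Return human-readable findings for one notification; empty means clean."""
    msg = message_from_string(raw_email)
    findings: list[str] = []

    # Header names are an assumption for illustration: X-GitHub-Sender is the
    # acting account, List-ID names the owner/repo the notification came from.
    checks = (("subject", msg.get("Subject", "")),
              ("sender", msg.get("X-GitHub-Sender", "")),
              ("repository", msg.get("List-ID", "")))
    for label, value in checks:
        if LOOKALIKE_RE.search(value):
            findings.append(f"{label} '{value}' imitates a GitHub security account")

    for url in URL_RE.findall(_body_text(msg)):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link {url} hides its destination")
        elif host == "github.com" and parsed.path.startswith("/login/oauth/authorize"):
            requested = set()
            for value in parse_qs(parsed.query).get("scope", []):
                requested.update(s for s in re.split(r"[ ,]+", value) if s)
            risky = sorted(requested & HIGH_RISK_SCOPES)
            if risky:
                findings.append("OAuth consent link requests high-risk scopes: " + ", ".join(risky))
            else:
                findings.append("OAuth consent link delivered by notification e-mail")
    return findings


def verdict(raw_email: str) -> str:
    return "suspicious" if triage(raw_email) else "ok"


# Constructed sample notifications (not real GitHub mail; placeholder values).
BENIGN = """\
From: notifications@github.com
Subject: [octo-org/widgets] Flaky test in CI (Issue #42)
X-GitHub-Sender: octocat
List-ID: octo-org/widgets <widgets.octo-org.github.com>
Content-Type: text/plain; charset=utf-8

@dev could you look at https://github.com/octo-org/widgets/issues/42 ?
"""

PHISH_SHORTENED = """\
From: notifications@github.com
Subject: [GH-Security/alert] Action required: suspicious sign-in (Issue #1)
X-GitHub-Sender: GH-Security
List-ID: GH-Security/alert <alert.GH-Security.github.com>
Content-Type: text/plain; charset=utf-8

@dev we detected a suspicious login. Verify your account within 24h:
https://bit.ly/PLACEHOLDER-SHORTLINK
"""

PHISH_DIRECT = """\
From: notifications@github.com
Subject: [octo-helper/notice] Verify account (Issue #7)
X-GitHub-Sender: octo-helper
List-ID: octo-helper/notice <notice.octo-helper.github.com>
Content-Type: text/plain; charset=utf-8

Confirm here:
https://github.com/login/oauth/authorize?client_id=PLACEHOLDER_CLIENT_ID&scope=repo%20workflow%20user:email
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("shortened", PHISH_SHORTENED), ("direct", PHISH_DIRECT)):
        print(name, verdict(sample), triage(sample))
```

Because GitHub already flags direct authorization URLs, the shortener check catches the variant the article says attackers actually use, while the scope check catches the unshortened form and names the scopes a developer is about to grant; both are only hints, and the lookalike pattern should be tuned to the sender names your organisation sees. Note that the check runs on the e-mail, not the issue, which is precisely the copy that survives the edit-and-erase trick described in the TOCTOU section.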

Developers should remember that a legitimate security tool will never request full repository access through an unsolicited email notification.
