Fake "Security Alert" Issues on GitHub Use OAuth App to Hijack Accounts

Summary:
A widespread phishing campaign is underway in which fake security alerts are being posted on GitHub repositories to trick unsuspecting developers into authorizing a malicious OAuth app that grants attackers full control over their accounts and source code. According to a security researcher who goes by the handle “Luc4M” on the social media platform X, these fraudulent alerts appear as notifications about unusual login attempts on a developer’s GitHub account from “Reykjavik, Iceland,” with the IP address 53[.]253[.]117[.]8. The fake security alert advises the developer to update their password, review active sessions, and enable two-factor authentication, providing a link for each of these actions. However, all of these links lead to a GitHub authorization page for a "gitsecurityapp" OAuth app, which requests highly risky permissions that would grant attackers full access to the user’s account and repositories. If a developer falls for the phishing attempt and authorizes the malicious app, an access token is generated and sent back to the app’s callback address, which is currently hosted on various web pages on onrender[.]com.

Security Officer Comments:
GitHub continues to be a prime target for adversaries due to its widespread use as a platform for developers and users alike to share and collaborate on various projects. With millions of active users and repositories containing valuable source code and, at times, sensitive data such as credentials, cybercriminals are increasingly leveraging the platform as a gateway to access and exploit this information, making it a key focal point for ongoing phishing campaigns.

In the latest phishing campaign, researchers note that the malicious OAuth application requests a range of risky permissions that give attackers extensive control over a developer's GitHub account. These permissions include full access to both public and private repositories, which could allow adversaries to steal, alter, or maliciously modify code. Additionally, the app is granted read and write access to user profiles and discussions, opening the door for attackers to manipulate communication or gain insight into sensitive project information. The ability to delete repositories poses a significant risk, as valuable code could be erased without the developer’s knowledge. Moreover, the attackers can access GitHub gists, which often contain snippets of reusable code, and gain control over GitHub Actions workflows, potentially enabling them to inject malicious code into automated processes or disrupt ongoing development.

Suggested Corrections:
The latest campaign began on March 16, 2025 and has already targeted nearly 12,000 GitHub repositories, highlighting the need for developers to be vigilant and to secure their accounts promptly in the event that they accidentally authorized the malicious OAuth application. If you were affected by this phishing attack, you should immediately revoke the app’s access via GitHub Settings → Applications (remove unfamiliar or suspicious OAuth apps), particularly those with names like "gitsecurityapp". Additionally, review any new or unexpected GitHub Actions workflows, check for the creation of private gists, and rotate credentials and authorization tokens as needed.
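As an added triage aid for the lure described above and the permissions listed under Security Officer Comments (example code, not from the article or from GitHub), the following script extracts every link from a suspected "security alert" body, flags those that resolve to GitHub's OAuth authorization endpoint (a genuine GitHub account-security action never goes through that page), and lists which requested scopes grant the kind of access the campaign abused. The scope names are real GitHub OAuth scopes; the alert text, client_id and callback host are constructed samples, not the campaign's own values.

```python
"""Triage links in a suspected fake GitHub "security alert" issue.
Added example: the alert text, client_id and callback host below are
constructed samples, not the campaign's real values."""
import re
from urllib.parse import urlparse, parse_qs

# Real GitHub OAuth scopes mapped to the access they grant.
HIGH_RISK_SCOPES = {
    "repo": "read/write all public and private repositories",
    "delete_repo": "delete repositories",
    "workflow": "add or change GitHub Actions workflow files",
    "gist": "read/write gists",
    "user": "read/write profile data",
    "write:discussion": "write to discussions",
    "admin:org": "full control of organizations",
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def triage_link(url: str) -> dict:
    """Classify one link. Any link to /login/oauth/authorize inside an
    'account alert' is a red flag, whatever scopes it asks for."""
    p = urlparse(url)
    qs = parse_qs(p.query)
    is_oauth = p.hostname == "github.com" and p.path == "/login/oauth/authorize"
    # scope may be comma- or space-separated
    scopes = qs.get("scope", [""])[0].replace(",", " ").split()
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    callback = urlparse(qs.get("redirect_uri", [""])[0]).hostname or ""
    return {"url": url, "oauth_authorize": is_oauth,
            "client_id": qs.get("client_id", [""])[0],
            "scopes": scopes, "risky_scopes": risky, "callback_host": callback,
            "verdict": "phishing-likely" if is_oauth else "review"}

def triage_alert(text: str) -> list:
    """Triage every link in the alert body, keeping input order."""
    return [triage_link(u) for u in URL_RE.findall(text)]

# Constructed sample modelled on the lure the article describes.
SAMPLE_ALERT = """Security Alert: unusual login from Reykjavik, Iceland.
Update your password: https://github.com/login/oauth/authorize?client_id=EXAMPLE_ID&scope=repo,delete_repo,workflow,gist,user,read:discussion,write:discussion&redirect_uri=https://example-callback.onrender.com/cb
Review active sessions: https://github.com/login/oauth/authorize?client_id=EXAMPLE_ID&scope=repo&redirect_uri=https://example-callback.onrender.com/cb
Docs: https://docs.github.com/en/authentication
"""

if __name__ == "__main__":
    for r in triage_alert(SAMPLE_ALERT):
        print(r["verdict"], r["url"].split("?")[0], r["risky_scopes"], r["callback_host"])
```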

Link(s):
https://www.bleepingcomputer.com/ne...s-on-github-use-oauth-app-to-hijack-accounts/