Warning! Fake Security Alert Campaign on GitHub Tricks Developers into Approving Malicious Apps

Tuesday, March 18, 2025

GitHub developers are being targeted in a large-scale phishing campaign that uses fake security alerts to trick users into approving a malicious OAuth app. Attackers send deceptive notifications warning of an “unusual access attempt” from Reykjavik, Iceland, citing a suspicious IP address 53.253.117.8 to create urgency. The notification includes a link that, when clicked, directs users to an authorization page for a malicious OAuth app called “gitsecurityapp”, which requests access to sensitive data, including reading and writing code, deleting repositories, managing GitHub Actions, and accessing user information.

If a developer mistakenly grants permission, the malicious app obtains an access token to their GitHub account, allowing attackers to exfiltrate data to a server hosted on Render. Investigations reveal that the phishing campaign started at 6:52 AM ET and remains active, affecting nearly 12,000 repositories. GitHub is believed to be working on countermeasures, but developers who have yet to inspect their accounts remain at risk of further attacks.

Impacted users should take immediate action, including revoking suspicious OAuth app access via GitHub settings, reviewing GitHub Actions and unfamiliar gists, and resetting credentials and tokens to prevent unauthorized access. Security experts warn that similar attacks may occur in the future, urging developers to exercise caution when encountering unusual security alerts.
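Two defender-side checks that follow from the campaign described above, written as an added example (this is not code from the article, from BleepingComputer or from GitHub). The first parses the `scope` parameter of a GitHub OAuth authorization URL and rates the requested permissions, so a developer or a mail/URL filter can see what an app is asking for before anyone clicks "Authorize"; the scope names are GitHub's real scope strings, the risk levels are this example's own judgement. The second flags repositories and gists touched at or after the campaign start, as a starting point for the review the article recommends. The authorization URL, client id, repository names, gist ids and timestamps are constructed sample data, not indicators from the campaign; the conversion of 6:52 AM ET to 10:52 UTC assumes US Eastern daylight time on that date.

```python
"""Added example: inspect an OAuth authorization request and triage account activity
after a suspected malicious-app approval. Sample data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# GitHub OAuth scope strings with a risk level and a plain-language description.
# The levels are this example's judgement, not a GitHub classification.
SCOPE_RISK = {
    "repo": ("high", "read and write all public and private repository code"),
    "delete_repo": ("critical", "delete repositories"),
    "workflow": ("high", "add or change GitHub Actions workflow files"),
    "admin:org": ("critical", "full control of organizations"),
    "write:packages": ("medium", "publish packages"),
    "gist": ("medium", "create and edit gists"),
    "user": ("low", "read and write profile information"),
    "read:user": ("low", "read profile information"),
}
LEVEL_ORDER = ["none", "low", "medium", "high", "critical"]


@dataclass
class ScopeReport:
    client_id: str
    scopes: list
    findings: list   # (scope, level, description) per requested scope
    highest: str     # most severe level among the findings


def inspect_authorize_url(url: str) -> ScopeReport:
    """Parse a GitHub OAuth authorize URL and rate the scopes it requests."""
    parsed = urlparse(url)
    if parsed.netloc.lower() != "github.com" or not parsed.path.startswith("/login/oauth/authorize"):
        raise ValueError("not a GitHub OAuth authorization URL")
    query = parse_qs(parsed.query)
    client_id = query.get("client_id", [""])[0]
    # GitHub accepts scopes separated by spaces (URL-encoded) or commas.
    raw = " ".join(query.get("scope", [""]))
    scopes = [s for s in raw.replace(",", " ").split() if s]
    findings = []
    for scope in scopes:
        level, desc = SCOPE_RISK.get(scope, ("medium", "scope not in the table; review manually"))
        findings.append((scope, level, desc))
    highest = max((f[1] for f in findings), key=LEVEL_ORDER.index, default="none")
    return ScopeReport(client_id, scopes, findings, highest)


# Campaign start stated in the article: 6:52 AM ET on March 18, 2025. US Eastern time was
# on daylight saving time that day, so this is 10:52 UTC (conversion is this example's).
CAMPAIGN_START = datetime(2025, 3, 18, 10, 52, tzinfo=timezone.utc)


def _parse_ts(value: str) -> datetime:
    # GitHub REST API timestamps look like "2025-03-18T11:03:44Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_activity(repos, gists, since=CAMPAIGN_START):
    """Return repos pushed to and gists created at or after `since`.

    `repos` and `gists` are lists of dicts shaped like the GitHub REST API's
    repository (`full_name`, `pushed_at`) and gist (`id`, `created_at`) records."""
    suspicious_repos = [r["full_name"] for r in repos if _parse_ts(r["pushed_at"]) >= since]
    suspicious_gists = [g["id"] for g in gists if _parse_ts(g["created_at"]) >= since]
    return {"repos": suspicious_repos, "gists": suspicious_gists}


# Constructed sample input: an authorize URL requesting the kinds of permissions the
# article describes, plus two repositories and two gists with made-up timestamps.
SAMPLE_URL = (
    "https://github.com/login/oauth/authorize?client_id=Iv1.EXAMPLECLIENTID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=repo%20delete_repo%20workflow%20user"
)
SAMPLE_REPOS = [
    {"full_name": "dev/old-project", "pushed_at": "2025-02-01T09:00:00Z"},
    {"full_name": "dev/api-server", "pushed_at": "2025-03-18T11:03:44Z"},
]
SAMPLE_GISTS = [
    {"id": "gist-constructed-1", "created_at": "2024-12-10T15:20:00Z"},
    {"id": "gist-constructed-2", "created_at": "2025-03-18T12:30:00Z"},
]

if __name__ == "__main__":
    report = inspect_authorize_url(SAMPLE_URL)
    print(f"client_id={report.client_id} highest risk={report.highest}")
    for scope, level, desc in report.findings:
        print(f"  {scope:<14} {level:<9} {desc}")
    print(triage_activity(SAMPLE_REPOS, SAMPLE_GISTS))
```

Run it on a URL copied from a suspicious notification before approving anything; a request combining `repo`, `delete_repo` and `workflow` from an app you do not recognise is the pattern the article warns about. For the triage half, feed it the output of the real `GET /user/repos` and `GET /gists` endpoints and then inspect the flagged repositories' `.github/workflows` directories by hand.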

Source: https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/