Cybersecurity researchers have uncovered a sophisticated phishing campaign that exploits GitHub notification emails to deliver stealthy malware to software developers.
By compromising GitHub bot accounts and sending messages that closely mimic legitimate repository alerts, attackers have successfully bypassed advanced email filters and targeted open-source contributors across multiple platforms.
Hijacked GitHub Notification Bots
The threat actors initiate the campaign by gaining unauthorized access to GitHub bot accounts that have permission to generate automated issue and pull request notifications.
Initial compromise vectors include phishing attacks against personal accounts, credential stuffing using leaked password databases, and exploitation of weak OAuth tokens granted overly broad scopes.
Once inside, the attackers modify existing bot configurations to dispatch crafted notification emails to subscribers of active repositories.
Each phishing email replicates GitHub’s standard branding down to the last detail complete with valid DKIM signatures and matching SMTP headers from smtp.github.com effectively evading SPF/DKIM/DMARC-based defenses.
The messages contain links to what appears to be a grants application portal (https://grants.github.com/apply), but the domain uses a homoglyph phishing trick: the Latin “i” in “github” is replaced by a Cyrillic “і” (U+0456), directing victims to a malicious server.
OAuth Abuse and Payload Delivery
Upon clicking the deceptive link, recipients encounter a fake OAuth authorization screen for an application named “Gitcoin Passport.” This prompt requests broad read/write permissions to all repositories and workflows.
Developers who approve the request inadvertently grant the attackers persistent access to inject malicious code into build pipelines and web-based IDE instances such as Gitpod and GitHub Codespaces.
Post-authorization, the attackers deploy a JavaScript backdoor that hooks into common development workflows. The backdoor silently captures environment variables, API tokens, and private keys, exfiltrating them to command-and-control servers.
Additionally, the malicious script can modify continuous integration (CI) scripts, introducing further compromise chains into downstream dependencies and third-party package managers.
Mitigation and Recommendations
To defend against this emerging threat, organizations should enforce the principle of least privilege on OAuth tokens, restricting scopes to only the permissions necessary for each integration.
Regularly rotate and audit personal access tokens and OAuth application grants to ensure outdated credentials are revoked. Enabling SAML Single Sign-On (SSO) with mandatory multi-factor authentication for all GitHub access can significantly reduce the risk of unauthorized login and token misuse.
Email security solutions must incorporate Unicode and punycode inspections to detect domain homoglyphs.
Administrators should configure gateways to flag DKIM signatures that do not align with known GitHub key IDs and to quarantine emails with suspicious “Reply-To” headers that deviate from standard GitHub domains.
Developers are advised to manually verify OAuth consent screens by checking the application’s GitHub Marketplace listing and scrutinizing requested scopes before approval.
When in doubt, navigate directly to GitHub’s web interface to review notifications rather than clicking embedded email links.
As attackers continue to refine their techniques, maintaining vigilance in email analysis, OAuth governance, and developer security hygiene is essential to safeguarding open-source ecosystems.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
