GitHub project maintainers targeted with fake security alert

A phishing campaign targeting GitHub account owners has been trying to scare them, with a fake security alert, into granting a malicious OAuth app access to their account and repositories.

The fake security alert from GitHub

GitHub users have taken to social media to warn others about emails ostensibly coming from the GitHub Security Team, alerting recipients about an “unusual access attempt” from an IP address/device located in Reykjavik, Iceland.

The attackers mounted this campaign by creating a GitHub issue containing the fake security alert, then relying on GitHub to automatically send notification emails to the project maintainers.


The malicious GitHub issue (Source: @devabdultech)

The phishers have been rotating GitHub accounts to create the issues because GitHub has been shutting them down after they get flagged by targets that saw through the scam.


Malicious opened issues (Source: Help Net Security)

What to do?

Users who took the warning at face value, clicked one of the links in the email to "secure" their account, logged in, and authorized the Security App (“gitsecurityapp”) OAuth app that supposedly helps with this task have effectively handed the crooks behind the scheme the keys to their account.

The malicious OAuth app allows the attackers to access the target’s public and private repositories, profile information and discussions, to modify GitHub Actions workflow files, and to delete repositories. What they actually do with the acquired access is currently unknown.

Users who have fallen for the scheme are advised to revoke the app’s access, secure their account by changing their login credentials and authorization tokens, and to look for and remove any additions or modifications made to their repositories since the app was authorized.
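The triage steps above (check which OAuth grants carry dangerous permissions, spot the lure inside an issue body, and review recent workflow-file changes) can be scripted. The following is an added example written for this article, not code from Help Net Security or GitHub; it runs offline on constructed sample data shaped like GitHub REST API JSON, and every app name other than “gitsecurityapp”, every commit, login and client_id in it is invented. The scope names `repo`, `workflow` and `delete_repo` are real GitHub OAuth scopes; the assumption that a lure ends in a link to GitHub’s `/login/oauth/authorize` endpoint with an unfamiliar `client_id` is ours.

```python
"""Post-compromise triage for the OAuth phishing scheme described above.

Added example, not code from the article or from GitHub. It runs offline on
constructed sample data shaped like GitHub REST API JSON; every app (except
the "gitsecurityapp" name from the article), commit and client_id is invented.
"""
import re
from urllib.parse import parse_qs, urlparse

# Real GitHub OAuth scope names matching the capabilities the article lists:
# full repository access, workflow-file changes and repository deletion.
HIGH_RISK_SCOPES = {"repo", "workflow", "delete_repo"}

# GitHub Actions only executes workflow files under this directory.
WORKFLOW_DIR = ".github/workflows/"

# GitHub's OAuth authorization endpoint. Assumption: a lure that asks the
# victim to "secure" the account via an app must send them here at some point.
AUTHORIZE_RE = re.compile(
    r"https?://github\.com/login/oauth/authorize\?[^\s<>\"')\]]+"
)


def risky_grants(authorizations):
    """Return [(app name, sorted risky scopes)] for grants with high-risk scopes.

    `authorizations` are dicts shaped like GitHub's OAuth authorization
    objects: {"app": {"name": ...}, "scopes": [...]}.
    """
    findings = []
    for grant in authorizations:
        risky = sorted(set(grant.get("scopes", [])) & HIGH_RISK_SCOPES)
        if risky:
            findings.append((grant["app"]["name"], risky))
    return findings


def unknown_oauth_apps_in_issue(body, known_client_ids):
    """Return client_ids of authorize links in an issue body not on the allow-list."""
    unknown = []
    for url in AUTHORIZE_RE.findall(body):
        client_id = parse_qs(urlparse(url).query).get("client_id", [""])[0]
        if client_id not in known_client_ids:
            unknown.append(client_id or "<missing client_id>")
    return unknown


def workflow_commits(commits, trusted_logins):
    """Return SHAs of commits by untrusted (or unmapped) authors touching workflows.

    `commits` are dicts shaped like GET /repos/{owner}/{repo}/commits/{sha}:
    {"sha": ..., "author": {"login": ...} or None, "files": [{"filename": ...}]}.
    """
    flagged = []
    for commit in commits:
        login = (commit.get("author") or {}).get("login")
        touches_workflow = any(
            f["filename"].startswith(WORKFLOW_DIR) for f in commit.get("files", [])
        )
        if touches_workflow and login not in trusted_logins:
            flagged.append(commit["sha"])
    return flagged


# --- Constructed sample data (invented for this example) -------------------
SAMPLE_GRANTS = [
    {"app": {"name": "my-deploy-bot"}, "scopes": ["read:user", "repo:status"]},
    {"app": {"name": "gitsecurityapp"},
     "scopes": ["repo", "workflow", "delete_repo", "read:user"]},
]

SAMPLE_ISSUE_BODY = (
    "Unusual access attempt detected. Review and secure your account: "
    "https://github.com/login/oauth/authorize?client_id=EXAMPLE-UNKNOWN-APP"
    "&scope=repo%20workflow (constructed lure text)"
)
KNOWN_CLIENT_IDS = {"EXAMPLE-KNOWN-CI"}  # placeholder id of an app the org approved

SAMPLE_COMMITS = [
    {"sha": "aaa111", "author": {"login": "maintainer"},
     "files": [{"filename": "src/main.py"}]},
    {"sha": "bbb222", "author": {"login": "unknown-account"},
     "files": [{"filename": ".github/workflows/ci.yml"}]},
    {"sha": "ccc333", "author": None,  # API returns null for unmapped git emails
     "files": [{"filename": ".github/workflows/release.yml"}]},
]
TRUSTED_LOGINS = {"maintainer"}


if __name__ == "__main__":
    print("risky grants:", risky_grants(SAMPLE_GRANTS))
    print("unknown OAuth apps in issue:",
          unknown_oauth_apps_in_issue(SAMPLE_ISSUE_BODY, KNOWN_CLIENT_IDS))
    print("workflow commits to review:",
          workflow_commits(SAMPLE_COMMITS, TRUSTED_LOGINS))
```

Feeding it real data is a matter of replacing the constructed lists with the output of the corresponding GitHub API calls; an unmapped commit author (`null` in the API) is deliberately treated as untrusted, because a stolen token used from outside the maintainer's normal tooling need not produce a mapped login.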
