Beware of Fake GitHub “Security Alerts” Let Hackers Hijack Your Account Login Credentials

A widespread phishing campaign is currently targeting GitHub repositories with fake security alerts, potentially compromising thousands of developer accounts.
Cybersecurity experts warn that these sophisticated attacks could grant hackers complete control over victims’ code repositories and personal information.
Security researcher Luc4m first identified the phishing operation that targeted nearly 12,000 GitHub repositories with fraudulent “Security Alert” issues.
The attackers have created GitHub accounts with deceptive names like “GitHub Notification” and use them to open issues on well-known security repositories with the alarming title “Security Alert: Unusual Access Attempt”.
Fake GitHub “Security Alerts”
“We have detected a login attempt on your GitHub account that appears to be from a new location or device,” the fake alert reads.
The message consistently reports suspicious activity originating from Reykjavik, Iceland, associated with the IP address 53.253.117.8.
This attack is particularly dangerous because it abuses the OAuth authorization flow rather than a fake login page.
When unsuspecting developers click on the provided links to supposedly secure their accounts, they’re directed to authorize a malicious OAuth application named “gitsecurityapp”. This rogue application requests an extensive set of permissions, including:
- repo: Full access to public and private repositories
- user: Read/write access to user profile data
- read:org: Access to organization membership information
- gist: Access to GitHub gists
- delete_repo: Permission to delete repositories
- workflows: Control over GitHub Actions workflows
Once granted, these permissions allow attackers to exfiltrate sensitive code, modify repositories, or even delete entire projects.
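For maintainers triaging incoming issues, the check below is an added example, not code from the researcher or from GitHub. It flags an issue whose title matches the lure quoted above and whose body links to an OAuth authorization request asking for any of the listed scopes. It assumes the lure points at GitHub's standard `/login/oauth/authorize` endpoint; the sample issue and its `client_id` are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scopes the article lists for the rogue "gitsecurityapp" OAuth application.
RISKY_SCOPES = {"repo", "user", "read:org", "gist", "delete_repo", "workflows"}
# Issue title used by the campaign, as quoted in the article.
CAMPAIGN_TITLE = "security alert: unusual access attempt"
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

def oauth_scopes(url):
    """Return the scopes requested by a GitHub OAuth authorize URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "github.com" or parts.path.rstrip("/") != "/login/oauth/authorize":
        return None
    # GitHub accepts space-delimited scopes; also tolerate commas.
    raw = " ".join(parse_qs(parts.query).get("scope", []))
    return {s for s in re.split(r"[\s,]+", raw) if s}

def triage_issue(title, body):
    """Return a list of human-readable findings for one issue (empty if clean)."""
    findings = []
    if CAMPAIGN_TITLE in title.lower():
        findings.append("title matches campaign lure")
    for url in URL_RE.findall(body):
        scopes = oauth_scopes(url)
        if scopes is None:
            continue  # ordinary link, not an OAuth authorization request
        risky = sorted(scopes & RISKY_SCOPES)
        if risky:
            findings.append(f"OAuth authorize link requests: {', '.join(risky)}")
    return findings

# Constructed sample issue (placeholder client_id, not a real indicator).
SAMPLE_TITLE = "Security Alert: Unusual Access Attempt"
SAMPLE_BODY = (
    "We have detected a login attempt on your GitHub account.\n"
    "Review activity: https://github.com/login/oauth/authorize"
    "?client_id=EXAMPLE_CLIENT_ID"
    "&scope=repo%20user%20read:org%20gist%20delete_repo%20workflows\n"
)

if __name__ == "__main__":
    for finding in triage_issue(SAMPLE_TITLE, SAMPLE_BODY):
        print(finding)
```

Because the authorization page is served from github.com itself, checking only the link's domain would pass this lure; the requested scope list is the signal worth inspecting.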
The campaign began on March 16, 2025, and remains active. The irregular number of targeted repositories suggests that GitHub is working to mitigate the attack.
While definitive attribution remains challenging, some security experts have suggested potential links to North Korean (DPRK) state-sponsored threat actors.
“Smells DPKR?” noted researcher Luc4m when discussing the possible origins of the attack.
Protective Measures
GitHub users who may have interacted with these fake security alerts should take immediate action to protect their accounts and code:
- Revoke access to any suspicious OAuth applications through GitHub Settings > Applications
- Look specifically for applications with names similar to “gitsecurityapp”
- Change account passwords and rotate any authorization tokens
- Review repositories for unexpected modifications or newly created GitHub Actions workflows
As phishing techniques continue to advance, maintaining vigilance and implementing robust security practices like two-factor authentication become increasingly critical for developers protecting their code and credentials.
The post Beware of Fake GitHub “Security Alerts” Let Hackers Hijack Your Account Login Credentials appeared first on Cyber Security News.