Thousands of GitHub developers are under siege in a new phishing assault. The attack, which began March 16, 2025, has already targeted nearly 12,000 repositories with fake security alerts. It’s a clever scheme, really. Hackers create bogus “Security Alert” issues warning users about suspicious login attempts supposedly from Iceland. Classic fear tactics.
These phony alerts pressure developers to “update passwords” or “enable 2FA” through provided links. Click one, and you’re redirected to what looks like a legitimate GitHub authorization page. But surprise! It’s actually asking you to grant permissions to a malicious OAuth app deceptively named “gitsecurityapp.” Because nothing says trustworthy like adding the word “security” to your malware.
The permissions requested are downright terrifying: full access to private repositories, the ability to delete repos, control over GitHub Actions workflows, and access to personal profile data. Hand over those keys, and attackers effectively become you on GitHub. They can read your code, steal your secrets, and wreak havoc on your digital life.
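The one moment a developer can still catch this is the consent screen, and the scopes the app asks for are visible in the authorize link before anyone clicks "Authorize". The following added example (written for this page, not code from GitHub or from the campaign's analysts) pulls OAuth authorize links out of an issue body, lists the requested scopes, flags the high-impact ones that match the permissions described above, and reports where the `redirect_uri` sends the victim afterwards. The issue text and the `client_id` value are constructed for the demo; the scope names (`repo`, `delete_repo`, `workflow`, `read:user`, `user`, `admin:org`, `gist`) are GitHub's real OAuth scope names.

```python
import re
from urllib.parse import parse_qs, urlparse

# Real GitHub OAuth scope names mapped to what they grant. These are the
# scopes whose presence in a consent request should stop a developer cold.
HIGH_RISK_SCOPES = {
    "repo": "full read/write access to private repositories",
    "delete_repo": "permission to delete repositories",
    "workflow": "control over GitHub Actions workflow files",
    "admin:org": "administrative control over organizations",
    "user": "read/write access to profile data and e-mail",
    "read:user": "read access to profile data",
}

# Matches http(s) URLs up to whitespace or closing punctuation.
URL_RE = re.compile(r"https?://[^\s)\]>'\"]+")


def extract_links(text):
    """Return every URL in an issue body, with trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;") for m in URL_RE.finditer(text)]


def analyze_authorize_url(url):
    """Describe a GitHub OAuth authorize link; return None if the URL is not one."""
    p = urlparse(url)
    if p.netloc.lower() != "github.com" or p.path != "/login/oauth/authorize":
        return None
    q = parse_qs(p.query)
    scopes = set()
    for raw in q.get("scope", []):            # scopes may be space- or comma-separated
        scopes.update(s for s in re.split(r"[ ,]+", raw) if s)
    risky = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    # If redirect_uri is absent, GitHub uses the app's registered callback,
    # which the link alone does not reveal; report it as unknown.
    redirect = q.get("redirect_uri", [""])[0]
    redirect_host = urlparse(redirect).netloc.lower() if redirect else ""
    off_github = bool(redirect_host) and not (
        redirect_host == "github.com" or redirect_host.endswith(".github.com")
    )
    return {
        "client_id": q.get("client_id", [""])[0],
        "scopes": sorted(scopes),
        "risky": risky,
        "redirect_host": redirect_host or "(registered callback, not visible)",
        "redirect_off_github": off_github,
    }


def triage_issue(body):
    """Return the authorize links in an issue body that request high-risk scopes
    or hand the browser to a non-GitHub host after consent."""
    findings = []
    for link in extract_links(body):
        info = analyze_authorize_url(link)
        if info and (info["risky"] or info["redirect_off_github"]):
            findings.append(info)
    return findings


# Constructed sample modelled on the "Security Alert" issues described above.
# The client_id is a placeholder, not a real application identifier.
SAMPLE_ISSUE = """Security Alert: Unusual Access Attempt
We detected a login to your account from a new location (Reykjavik, Iceland).
Please update your password and enable 2FA here:
https://github.com/login/oauth/authorize?client_id=PLACEHOLDER_CLIENT_ID&scope=repo%20delete_repo%20workflow%20read:user&redirect_uri=https%3A%2F%2Fexample-app.onrender.com%2Fcallback
"""

if __name__ == "__main__":
    for hit in triage_issue(SAMPLE_ISSUE):
        print(f"authorize link for client {hit['client_id']}")
        print(f"  requested scopes : {', '.join(hit['scopes'])}")
        for scope, meaning in hit["risky"].items():
            print(f"  HIGH RISK {scope:<12} {meaning}")
        print(f"  redirect host    : {hit['redirect_host']}"
              + ("  <-- outside github.com" if hit["redirect_off_github"] else ""))
```

Run against the constructed issue, the script reports all four scopes named in the article as high risk and notes that the post-consent redirect leaves github.com for an onrender.com host. A benign link asking only for `gist` with no off-site redirect produces no finding, so the check is narrow enough to run over a repository's issue feed without drowning in noise.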
The attack infrastructure isn’t amateur hour, either. The operation uses onrender.com hosting with seven layers of obfuscation in its payload. Once authorized, the malware steals browser passwords, cookies, and other confidential data before sending everything back to command servers. Implementing a continuous threat exposure management (CTEM) approach could significantly reduce exposure to such sophisticated phishing campaigns. Similar attacks have previously used fraudulent career offers with unusually high salaries to lure unsuspecting developers. Experts recommend enabling two-factor authentication (2FA) as a critical defense against such sophisticated phishing attempts.
Victims are often unaware they’ve been compromised until strange things start happening. Unexpected GitHub Actions running? Private gists appearing out of nowhere? That’s your sign. By then, it’s already too late.
The campaign is ongoing, with the number of targeted repositories fluctuating as GitHub works to contain the damage. Meanwhile, attackers continue gathering credentials and sensitive information from unsuspecting developers.
Software developers should be vigilant. Those OAuth permission screens aren’t just annoying pop-ups – they’re literal access requests to your digital kingdom. And in this case, saying “yes” means handing over the keys to people who definitely don’t have your best interests at heart.