A large-scale phishing attack has targeted nearly 12,000 GitHub repositories, using fake “Security Alert” issues to trick developers into authorizing a malicious OAuth app. This deceptive campaign grants attackers full control over users’ GitHub accounts and repositories.
The phishing alert, titled “Security Alert: Unusual Access Attempt,” falsely claims that a suspicious login attempt was detected from Reykjavik, Iceland (IP: 53.253.117.8). The message urges users to:
- Update their password
- Review and manage active sessions
- Enable two-factor authentication
However, all three links lead to a GitHub authorization page for a fraudulent OAuth app called “gitsecurityapp.” The app requests broad permissions that, once granted, give attackers full access to the victim’s GitHub account.
Malicious OAuth App Permissions
The “gitsecurityapp” OAuth app requests extensive privileges, including:
- repo – Full access to public and private repositories
- user – Read and write access to user profiles
- read:org – View organization membership and projects
- discussion (read/write) – Access to GitHub Discussions
- gist – Ability to read and write GitHub Gists
- delete_repo – Permission to delete repositories
- workflow controls – Modify and execute GitHub Actions workflows
Once a GitHub user logs in and grants permission, an OAuth access token is generated and sent to the attacker’s callback page, which in this case is hosted on Render.com (onrender.com).
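The safest moment to stop this flow is before clicking “Authorize.” The following added example (not code from the article or from GitHub) parses a `github.com/login/oauth/authorize` link and flags the scopes that would grant the access described above, plus the callback host the token would be sent to. Scope names are GitHub’s documented OAuth scopes; the sample URL, client_id and callback host are constructed placeholders.

```python
"""Triage a GitHub OAuth authorization link before approving it (added example)."""
from urllib.parse import urlparse, parse_qs

# Scopes that grant write or destructive control (a subset of GitHub's scope list).
HIGH_RISK_SCOPES = {
    "repo": "full read/write on all private and public repositories",
    "delete_repo": "can delete repositories",
    "workflow": "can add or modify GitHub Actions workflow files",
    "write:discussion": "can write to Discussions",
    "gist": "can create and edit gists",
    "admin:org": "full control of organizations",
    "admin:public_key": "can manage SSH keys",
    "admin:repo_hook": "can manage repository webhooks",
    "user": "read/write access to profile data, including email",
}

def assess_authorize_url(url: str) -> dict:
    """Return the app id, callback host, requested scopes and flagged risks."""
    parts = urlparse(url)
    if parts.netloc != "github.com" or parts.path != "/login/oauth/authorize":
        raise ValueError("not a GitHub OAuth authorization URL")
    q = parse_qs(parts.query)
    # GitHub accepts space- or comma-separated scope lists; normalise to a list.
    raw = q.get("scope", [""])[0].replace(",", " ")
    scopes = [s for s in raw.split() if s]
    # The token is delivered to this host after the user clicks Authorize.
    redirect = urlparse(q.get("redirect_uri", [""])[0])
    flagged = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_host": redirect.hostname or "",
        "scopes": scopes,
        "flagged": flagged,
        # A destructive or repo-wide scope requested via an unsolicited link is a red flag.
        "verdict": "DENY" if flagged else "review",
    }

if __name__ == "__main__":
    # Constructed sample mirroring the scopes the article lists; all values are placeholders.
    sample = ("https://github.com/login/oauth/authorize?client_id=EXAMPLE_CLIENT_ID"
              "&redirect_uri=https%3A%2F%2Fexample-callback.onrender.com%2Fcb"
              "&scope=repo%20user%20read%3Aorg%20write%3Adiscussion%20gist%20delete_repo%20workflow")
    report = assess_authorize_url(sample)
    print(report["verdict"], "callback host:", report["redirect_host"])
    for scope, why in report["flagged"].items():
        print(f"  {scope}: {why}")
```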
This phishing campaign began at 6:52 AM ET and remains active, with nearly 12,000 repositories targeted. The fluctuating number of affected repositories suggests that GitHub is actively mitigating the attack.
What to Do If You Are Affected
If you accidentally authorized the malicious OAuth app, take the following immediate security actions:
- Revoke OAuth App Access
  - Go to GitHub Settings → Applications → Review GitHub and OAuth Apps
  - Revoke access to any suspicious apps, particularly those named “gitsecurityapp.”
- Inspect Your Repository and Actions
  - Check for unauthorized GitHub Actions (Workflows)
  - Look for any new or unexpected private Gists
- Rotate Your Credentials
  - Reset passwords, authorization tokens, and SSH keys
By taking these proactive steps, developers can mitigate unauthorized access, prevent repository tampering, and secure their GitHub environments from further compromise.