These fake GitHub "security alerts" could actually let hackers hijack your account


  • Security researchers spot new phishing campaign targeting GitHub users
  • A fake "security alert" GitHub account was notifying users of suspicious logins
  • The links in the notification all point to a shady app

Cybercriminals are faking security alerts on GitHub to get unsuspecting users to install malicious applications and lose their work, experts have warned.

A security researcher using the alias “LC4M” discovered the campaign and explained it in a short X thread. The attackers created a GitHub account called “GitHub Notification”, and then opened an issue on a “well known security repo” titled “Security Alert: Unusual Access Attempt”.

“We have detected a login attempt on your GitHub account that appears to be from a new location or device,” the fake alert reads. “If you recognize this activity, no further action is required. However, if this was not you, we strongly recommend securing your account immediately.”

OAuth app

The alert states the login attempt came from Reykjavik, Iceland, and shares links where users can update their password, review and manage active sessions, and even enable two-factor authentication (2FA).

However, all of the links lead to a GitHub authorization page for an OAuth app called “gitsecurityapp”. This app requests numerous permissions, including those that grant full access to public and private repositories, the ability to read and write to the user profile, access to GitHub gists, the permission to delete repositories, and more.
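As an added illustration (not code from the researcher or from GitHub), the sketch below parses a GitHub OAuth authorization link and reports which broad scopes it requests before anyone clicks "Authorize". The scope names `repo`, `user`, `gist` and `delete_repo` are GitHub's identifiers for the permissions listed above; the sample URL and its client ID are constructed placeholders, not values from the campaign.

```python
import re
from urllib.parse import urlsplit, parse_qs

# GitHub OAuth scopes corresponding to the permissions the article lists.
HIGH_RISK = {
    "repo": "full access to public and private repositories",
    "user": "read and write access to the user profile",
    "gist": "access to gists",
    "delete_repo": "permission to delete repositories",
}

# Constructed sample link; the client_id is a placeholder.
SAMPLE_URL = ("https://github.com/login/oauth/authorize"
              "?client_id=EXAMPLE_CLIENT_ID&scope=repo%20user%20gist%20delete_repo")

def assess_authorize_url(url):
    """Summarize what approving an OAuth authorization link would grant."""
    parts = urlsplit(url)
    # The consent page is served by GitHub itself, so a genuine hostname
    # only tells us this is an OAuth grant. It says nothing about the app.
    is_consent_page = (
        parts.scheme == "https"
        and parts.hostname == "github.com"
        and parts.path.rstrip("/") == "/login/oauth/authorize"
    )
    query = parse_qs(parts.query)
    raw = " ".join(query.get("scope", []))
    # Scopes are space-delimited; tolerate comma-separated lists too.
    scopes = [s for s in re.split(r"[\s,]+", raw) if s]
    risky = {s: HIGH_RISK[s] for s in scopes if s in HIGH_RISK}
    if not is_consent_page:
        verdict = "not a GitHub OAuth consent link"
    elif risky:
        verdict = "high-risk grant"
    else:
        verdict = "low-risk grant"
    return {
        "is_github_consent_page": is_consent_page,
        "client_id": query.get("client_id", [None])[0],
        "scopes": scopes,
        "risky": risky,
        "verdict": verdict,
    }

if __name__ == "__main__":
    report = assess_authorize_url(SAMPLE_URL)
    print(report["verdict"])
    for scope, meaning in report["risky"].items():
        print(f"  {scope}: {meaning}")
```

A "high-risk grant" verdict on a link that arrived inside an unsolicited security alert is the pattern this campaign relies on: the hostname is legitimate, and only the requested scopes reveal the problem.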

The researcher updated his thread to say that at least 8,000 GitHub repositories were targeted. However, a BleepingComputer report puts the number of targets at 12,000.

If you were targeted by this campaign and ended up granting the permissions, you should revoke the access as soon as possible, and then rotate your credentials and authentication tokens just to be on the safe side.

LC4M could not confidently attribute the campaign to any known threat actor, but they do have their suspicions: “Smells DPKR?” they said, suggesting that this might be the work of North Korean state-sponsored threat actors.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
