A widespread phishing campaign has targeted nearly 12,000 GitHub repositories with fake "Security Alert" issues, tricking developers into authorizing a malicious OAuth app that grants attackers full control over their accounts and code.

Cybersecurity researcher Luc4m first spotted the fake security alert, which warned GitHub users that their account was breached and that they should update their password, review and manage active sessions, and enable two-factor authentication to secure their accounts.

"Security Alert: Unusual Access Attempt We have detected a login attempt on your GitHub account that appears to be from a new location or device," reads the GitHub phishing issue.

All of the GitHub phishing issues contain the same text, warning users that there was unusual activity on their account from Reykjavik, Iceland, and the 53.253.117.8 IP address.

However, all of the links for these recommended actions lead to a GitHub authorization page for a "gitsecurityapp" OAuth app that requests a lot of very risky permissions (scopes) and would allow an attacker full access to a user's account and repositories.

If a GitHub user logs in and authorizes the malicious OAuth app, an access token will be generated and sent back to the app's callback address, which in this campaign has been various web pages hosted on onrender.com (Render).

If you were impacted by this phishing attack and mistakenly gave authorization to the malicious OAuth app, you should immediately revoke its access by going into the GitHub Settings and then Applications. From the Applications screen, revoke access to any GitHub Apps or OAuth apps that are unfamiliar or suspicious.
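The lure works because the "recommended action" links point at GitHub's own OAuth authorize page rather than at a password-reset form. The following script, added here as an example and not code from the article or from GitHub, triages issue bodies for that pattern: it finds `github.com/login/oauth/authorize` links, decodes the requested scopes, and flags any that hand over broad control, recording the `redirect_uri` host for follow-up. The sample issue body, its `client_id` and its callback host are constructed placeholders; the scope names are real GitHub OAuth scopes, but the list is a generic risk table, not the campaign app's actual request.

```python
import re
from urllib.parse import urlparse, parse_qs

# Real GitHub OAuth scope names that give an app broad control of an
# account or its code. Generic risk table, not the campaign's scope list.
HIGH_RISK_SCOPES = {
    "repo", "delete_repo", "workflow", "admin:org", "admin:repo_hook",
    "admin:public_key", "admin:gpg_key", "user", "codespace",
}
AUTHORIZE_HOST = "github.com"
AUTHORIZE_PATH = "/login/oauth/authorize"
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")


def analyze_issue_body(body: str) -> list[dict]:
    """Return one finding per GitHub OAuth authorize link in an issue body."""
    findings = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        if parts.netloc.lower() != AUTHORIZE_HOST or parts.path != AUTHORIZE_PATH:
            continue  # ordinary link (repo, docs, ...), not an authorization page
        qs = parse_qs(parts.query)  # percent-decodes scope and redirect_uri
        scopes = set()
        for value in qs.get("scope", []):
            scopes.update(s for s in re.split(r"[ ,]+", value) if s)
        redirect_host = urlparse(qs.get("redirect_uri", [""])[0]).netloc.lower()
        findings.append({
            "client_id": qs.get("client_id", [""])[0],
            "scopes": sorted(scopes),
            "high_risk_scopes": sorted(scopes & HIGH_RISK_SCOPES),
            "redirect_host": redirect_host,  # token is delivered here after consent
            "external_redirect": bool(redirect_host) and redirect_host != AUTHORIZE_HOST,
        })
    return findings


def is_suspicious(finding: dict) -> bool:
    # An authorize link planted in an issue that asks for account-wide scopes
    # is the signal; the redirect host is kept for triage, not used alone.
    return bool(finding["high_risk_scopes"])


# Constructed sample modelled on the lure's wording; placeholder client_id/callback.
SAMPLE_ISSUE = """Security Alert: Unusual Access Attempt
We have detected a login attempt on your GitHub account that appears to be
from a new location or device.
Update your password: https://github.com/login/oauth/authorize?client_id=PLACEHOLDER_CLIENT_ID&scope=repo%20workflow%20user%20delete_repo&redirect_uri=https%3A%2F%2Fexample-callback.onrender.com%2Fcb
Docs: https://docs.github.com/en/authentication
"""

if __name__ == "__main__":
    for f in analyze_issue_body(SAMPLE_ISSUE):
        print("SUSPICIOUS" if is_suspicious(f) else "ok", f)
```

Run it over the bodies of newly opened issues (for example from a webhook handler) to alert maintainers before a reader clicks through.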
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 16 Mar 2025 18:40:23 +0000