A large-scale phishing campaign has compromised nearly 12,000 GitHub repositories by deceiving developers with fake "Security Alert" issues, according to BleepingComputer.
The fraudulent messages falsely warn users of unauthorized access from Reykjavik, Iceland, and urge them to take security actions such as updating their passwords and enabling two-factor authentication.
However, all links within the message have been found to redirect victims to a GitHub authorization page for a malicious OAuth application called "gitsecurityapp." If authorized, the app grants attackers full control over the user’s account and repositories, including the ability to delete repositories, modify workflows, and read or write organization data.
The attack, which was first detected on March 16, remains active, though GitHub appears to be removing affected repositories.
Compromised users are advised to immediately revoke the OAuth app’s access from GitHub’s settings, check for unauthorized GitHub Actions or gists, and rotate credentials to prevent further breaches. GitHub has not yet released a statement regarding the issue.
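Because the links lead to a genuine GitHub authorization page, the host name alone says nothing about whether the app is safe; the requested scopes do. The following added example (not from the article or from GitHub) parses an OAuth authorize link and reports which standard GitHub scopes it requests, mapped to the capabilities described above. The sample URL, its `EXAMPLE_CLIENT_ID` placeholder and the function name are constructed for illustration and are not the campaign's actual values.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Standard GitHub OAuth scope names mapped to what they allow.
HIGH_RISK_SCOPES = {
    "repo": "full read/write control of public and private repositories",
    "delete_repo": "delete repositories",
    "workflow": "add or modify GitHub Actions workflow files",
    "admin:org": "fully manage organizations, teams and memberships",
    "write:org": "read and write organization data",
    "read:org": "read organization data",
    "gist": "create and edit gists",
    "user": "read and write profile data",
}

def review_authorize_url(url):
    """Return the app client_id and the scopes an OAuth consent link requests."""
    parts = urlsplit(url)
    on_github = (
        parts.scheme == "https"
        and parts.hostname == "github.com"
        and parts.path == "/login/oauth/authorize"
    )
    result = {"is_github_consent": on_github, "client_id": None,
              "risky": {}, "other": []}
    if not on_github:
        return result  # not a GitHub consent link; nothing further to parse
    query = parse_qs(parts.query)
    result["client_id"] = query.get("client_id", [None])[0]
    # Scopes may be separated by spaces or commas; keep order, drop repeats.
    raw = " ".join(query.get("scope", []))
    scopes = list(dict.fromkeys(s for s in re.split(r"[\s,]+", raw) if s))
    result["risky"] = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    result["other"] = [s for s in scopes if s not in HIGH_RISK_SCOPES]
    return result

# Constructed sample link (placeholder client_id, illustrative scope list).
SAMPLE_URL = ("https://github.com/login/oauth/authorize"
              "?client_id=EXAMPLE_CLIENT_ID"
              "&scope=repo%20delete_repo%20workflow%20read:org%20read:discussion")

if __name__ == "__main__":
    report = review_authorize_url(SAMPLE_URL)
    print("client_id:", report["client_id"])
    for scope, meaning in report["risky"].items():
        print(f"HIGH RISK  {scope}: {meaning}")
    print("other scopes:", report["other"])
```

A security alert that asks for repository deletion, workflow or organization scopes is requesting far more than any password or two-factor reminder needs, which is the signal to decline the authorization.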