• Fake GitHub "security al

    From Mike Powell@1:2320/105 to All on Tue Mar 18 09:49:00 2025
    These fake GitHub "security alerts" could actually let hackers hijack your account

    Date:
    Tue, 18 Mar 2025 13:27:00 +0000

    Description:
    More than 12,000 GitHub users have been targeted so far.

    FULL STORY

    Cybercriminals are faking security alerts on GitHub to get unsuspecting users to install malicious applications and lose their work, experts have warned.

    A security researcher with the alias LC4M discovered the campaign and shared a
    detailed explanation in a short X thread, noting the attackers created a
    GitHub account called "GitHub Notification", and then opened an issue on a well-known security repo stating "Security Alert: Unusual Access Attempt".

    "We have detected a login attempt on your GitHub account that appears to be
    from a new location or device," the fake alert reads. "If you recognize this activity, no further action is required. However, if this was not you, we strongly recommend securing your account immediately."

    OAuth app

    The alert states the login attempt came from Reykjavik, Iceland, and shares links where users can update their password, review and manage active
    sessions, and even enable two-factor authentication (2FA).

    However, all of the links lead to a GitHub authorization page for an OAuth
    app called gitsecurityapp. This app requests numerous permissions, including those that grant full access to public and private repositories, the ability
    to read and write to the user profile, access to GitHub gists, the permission to delete repositories, and more.

    The researcher updated his thread to say that at least 8,000 GitHub repositories were targeted. However, a BleepingComputer report puts the
    number of targets at 12,000.

    If you were targeted by this campaign and ended up granting the permissions, you should revoke the access as soon as possible and, after that, rotate
    your credentials and authentication tokens just to be on the safe side.

    LC4M could not confidently attribute the campaign to any known threat actor, but they do have their suspicions: "Smells DPKR?" they said, suggesting that
    this might be the work of North Korean state-sponsored threat actors.

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/these-fake-github-security-alerts-could-actually-let-hackers-hijack-your-account

    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
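
The story above says every link in the fake alert lands on a genuine GitHub authorization page for an OAuth app, so a domain check alone passes; the signal is that a "security" link is an OAuth consent request with broad permissions. The triage check below is an added example, not part of the original post or the researcher's thread. The mapping of the listed permissions to the GitHub scope names `repo`, `user`, `gist` and `delete_repo`, the function name, and the sample URL with its placeholder `client_id` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# GitHub OAuth scope names corresponding to the permissions the article lists
# (this mapping is an assumption of the example, not taken from the article).
HIGH_RISK_SCOPES = {
    "repo": "full access to public and private repositories",
    "user": "read and write access to the user profile",
    "gist": "access to gists",
    "delete_repo": "permission to delete repositories",
}
AUTHORIZE_PATH = "/login/oauth/authorize"


def review_authorize_url(url):
    """Return a triage summary for a link found in an issue or e-mail."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    is_consent_page = (
        parts.scheme == "https"
        and parts.hostname == "github.com"
        and parts.path.rstrip("/") == AUTHORIZE_PATH
    )
    # Scopes are space-delimited; commas are tolerated here as well.
    raw_scope = " ".join(query.get("scope", []))
    scopes = [s for s in re.split(r"[,\s]+", raw_scope) if s]
    risky = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    if is_consent_page and risky:
        verdict = "block"      # consent page asking for high-risk scopes
    elif is_consent_page:
        verdict = "review"     # consent page, narrower scopes
    else:
        verdict = "not-oauth"  # not a GitHub OAuth consent link
    return {
        "is_github_oauth_consent": is_consent_page,
        "client_id": query.get("client_id", [None])[0],
        "scopes": scopes,
        "high_risk": risky,
        "verdict": verdict,
    }


# Constructed sample link; EXAMPLE_CLIENT_ID is a placeholder, not a real app id.
SAMPLE = ("https://github.com/login/oauth/authorize"
          "?client_id=EXAMPLE_CLIENT_ID&scope=repo%20user%20gist%20delete_repo")

if __name__ == "__main__":
    for key, value in review_authorize_url(SAMPLE).items():
        print(f"{key}: {value}")
```

A mail gateway or issue-moderation bot could run the same check over links in incoming notifications and hold anything that returns "block".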