{"id":2358,"date":"2025-03-17T11:20:30","date_gmt":"2025-03-17T11:20:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2358"},"modified":"2025-03-17T11:20:30","modified_gmt":"2025-03-17T11:20:30","slug":"github-accounts-targeted-with-fake-security-alerts","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2358","title":{"rendered":"GitHub accounts targeted with fake security alerts"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>In a new phishing campaign, GitHub developers are being targeted with fake \u201cSecurity Alert\u201d notifications that prompt them to authorize a malicious OAuth application.<\/p>\n<p>If a developer authorizes the app, the attacker receives an OAuth token carrying the app\u2019s requested scopes, which can give full control over the affected account and its code. The campaign has reportedly targeted close to 12,000 GitHub repositories.<\/p>\n<p>Cybersecurity researcher Luc4m first reported the fake alerts in an <a href=\"https:\/\/x.com\/luc4m\/status\/1901271981615448094\">X post<\/a> on Sunday morning, adding that the campaign made almost \u201c4k attempts in a few minutes\u201d.<\/p>\n<p>\u201cSecurity Alert: Unusual Access Attempt,\u201d the fake alert reads, according to Luc4m. \u201cWe have detected a login attempt on your GitHub account that appears to be from a new location or device.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Users are prompted to update passwords and 2FA<\/h2>\n<p>The alert offers a number of steps to secure the account against unauthorized activity. \u201cIf you recognize this activity, no further action is required. 
However, if this was not you, we strongly recommend securing your account immediately,\u201d it reads.<\/p>\n<p>The recommended actions include updating one\u2019s password, reviewing and managing active sessions, and enabling two-factor authentication (2FA).<\/p>\n<p>All of these options, however, come with links that lead to a GitHub authorization page for a malicious OAuth app named <a href=\"https:\/\/x.com\/luc4m\/status\/1901310423330083237\/photo\/1\">\u201cgitsecurityapp\u201d<\/a>. The authorization page requests a set of high-privilege permissions: access to and deletion of public and private repositories, read and write access to the user profile, read access to organization membership and projects, and access to GitHub gists. Because the consent page is served by github.com itself, checking the address bar does not expose the scam; the tells are the unfamiliar app name, the breadth of the requested permissions, and the fact that changing a password or enabling 2FA never requires authorizing a third-party app.<\/p>\n<p>Cybersecurity news website BleepingComputer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts\/\">reported<\/a> that close to 12,000 repositories had been targeted by early Monday morning.<\/p>\n<h2 class=\"wp-block-heading\">Possible DPRK links<\/h2>\n<p>Luc4m\u2019s X post hinted at possible nation-state connections, adding, \u201cSmells #DPRK?\u201d While nothing else was said on the X thread, North Korea is known for targeting developers with social-engineering lures, including ClickFix-style prompts, in its cyber espionage activities, with <a href=\"https:\/\/www.csoonline.com\/article\/3817394\/macos-ferret-operators-add-a-deceptive-bite-to-their-malware-family.html\">Contagious Interview<\/a> being a prominent one of those campaigns.<\/p>\n<p>All of the fake alerts included the same login details: location Reykjavik, Iceland; IP address 53.253.117.8; and device \u201cUnrecognized\u201d. For defenders, Luc4m shared a couple of indicators of compromise (IoCs): the GitHub account hishamaboshami and the OAuth App ID Ov23liQMsIZN6BD8RTZZ. Anyone who authorized the app should revoke it under Settings > Applications > Authorized OAuth Apps and rotate any secrets stored in the affected repositories; organization owners can additionally restrict which OAuth apps may access organization resources through the OAuth app access policy. 
The X thread also noted that the fake \u201csecurity app\u201d was deployed on Render, a cloud platform for hosting web applications, at s:\/\/github-com-auth-secure-access-token.onrender.com.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In a new phishing campaign, GitHub developers are being targeted with fake \u201cSecurity Alert\u201d notifications that prompt them to authorize a malicious OAuth application. If a developer authorizes the app, the attacker receives an OAuth token carrying the app\u2019s requested scopes, which can give full control over the affected account and its code. The campaign has reportedly targeted close to 12,000 GitHub repositories. Cybersecurity researcher Luc4m first reported the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2359,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2358","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2358"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2358"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2358\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2359"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2358"},{"taxon
omy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
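The consent link described in the article (a genuine github.com authorization page for the "gitsecurityapp" OAuth app, the published App ID, and the Render hostname) can be triaged mechanically before anyone clicks "Authorize". The following Python script is an added example and is not code from the article, from Luc4m, or from GitHub. It assumes the campaign's links used GitHub's standard /login/oauth/authorize endpoint with client_id, scope and redirect_uri query parameters; the two sample URLs, the benign client_id and the ci.example.com callback host are constructed for illustration, since the article does not reproduce the campaign's actual query string.

```python
"""Triage a GitHub OAuth authorize link from a suspected consent-phishing email.

Added example (not code from the article or the researcher). It parses the
authorize URL, checks client_id against the published App ID, flags
high-privilege scopes, and flags a redirect_uri host that either matches the
published Render hostname or merely impersonates github.com. The sample URLs
are constructed; the real campaign's query string is not known.
"""
from urllib.parse import parse_qs, urlparse

# Indicators published in the article.
KNOWN_BAD_CLIENT_IDS = {"Ov23liQMsIZN6BD8RTZZ"}
KNOWN_BAD_HOSTS = {"github-com-auth-secure-access-token.onrender.com"}

# GitHub's own scope names. Any of these on an app you did not set up yourself
# should stop the user; "repo" and "delete_repo" alone give code-level control.
HIGH_RISK_SCOPES = {"repo", "delete_repo", "user", "workflow",
                    "admin:org", "write:org", "admin:repo_hook"}

GITHUB_HOSTS = {"github.com", "www.github.com"}
AUTHORIZE_PATH = "/login/oauth/authorize"


def parse_authorize_url(url):
    """Split an OAuth authorize URL into the fields that matter for triage."""
    u = urlparse(url)
    q = parse_qs(u.query)
    # GitHub accepts space- or comma-separated scopes; normalise both forms.
    scope_raw = q.get("scope", [""])[0]
    scopes = {s for s in scope_raw.replace(",", " ").split() if s}
    return {
        "host": (u.hostname or "").lower(),
        "path": u.path,
        "client_id": q.get("client_id", [""])[0],
        "scopes": scopes,
        "redirect_uri": q.get("redirect_uri", [""])[0],
    }


def looks_like_github_impersonation(hostname):
    """True for hosts such as git-hub-login.example.net that are not GitHub's."""
    h = hostname.lower()
    if h in GITHUB_HOSTS or h.endswith(".github.com"):
        return False
    return "github" in h.replace("-", "").replace("_", "")


def triage(url):
    """Return decoded fields, findings and a block/warn/ok verdict for one link."""
    info = parse_authorize_url(url)
    block, warn = [], []

    if info["host"] not in GITHUB_HOSTS or info["path"] != AUTHORIZE_PATH:
        block.append("link is not GitHub's OAuth authorize endpoint")
    if info["client_id"] in KNOWN_BAD_CLIENT_IDS:
        block.append("client_id matches published IoC")

    redirect_host = (urlparse(info["redirect_uri"]).hostname or "").lower()
    if redirect_host in KNOWN_BAD_HOSTS:
        block.append("redirect_uri host matches published IoC")
    elif redirect_host and looks_like_github_impersonation(redirect_host):
        block.append("redirect_uri host impersonates GitHub: " + redirect_host)

    # Broad scopes alone are a warning, not a block: legitimate CI tools ask for "repo".
    risky = info["scopes"] & HIGH_RISK_SCOPES
    if risky:
        warn.append("high-risk scopes requested: " + ", ".join(sorted(risky)))

    verdict = "block" if block else ("warn" if warn else "ok")
    return {
        "client_id": info["client_id"],
        "scopes": sorted(info["scopes"]),
        "redirect_host": redirect_host,
        "findings": block + warn,
        "verdict": verdict,
    }


# Constructed sample: the published App ID and Render host with the scopes the
# article lists. The exact query string used in the campaign is not known.
PHISH_URL = (
    "https://github.com/login/oauth/authorize"
    "?client_id=Ov23liQMsIZN6BD8RTZZ"
    "&scope=repo%20delete_repo%20user%20read%3Aorg%20gist"
    "&redirect_uri=https%3A%2F%2Fgithub-com-auth-secure-access-token.onrender.com%2Fcallback"
)

# Constructed sample of a benign consent request (hypothetical client_id and host).
BENIGN_URL = (
    "https://github.com/login/oauth/authorize"
    "?client_id=Iv1.0123456789abcdef&scope=read%3Auser"
    "&redirect_uri=https%3A%2F%2Fci.example.com%2Foauth%2Fcallback"
)

if __name__ == "__main__":
    for name, url in (("phish", PHISH_URL), ("benign", BENIGN_URL)):
        result = triage(url)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Running the script reports the phishing sample as block with three findings (IoC client_id, IoC redirect host, and the repo/delete_repo/user scopes) and the benign sample as ok. The verdict deliberately separates block (known IoC, wrong endpoint, lookalike redirect host) from warn (broad scopes), because a warning on every app that requests repo would train users to ignore it; the redirect_uri host is the one field the attacker has to control, which is why the lookalike check is applied there rather than to the authorize URL, which legitimately sits on github.com.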