A new phishing campaign is using GitHub’s own notification system to trick developers into giving up credentials.
According to Cyber Security News, security researchers have discovered a phishing campaign that abuses GitHub’s legitimate email notification system to distribute malicious payloads. The campaign impersonates real repository alerts, commit messages, and collaborator activity, and it evades many email security filters because the messages carry valid DKIM signatures and pass SPF checks. Developers and IT professionals have already reported a spike in password resets and unauthorized repository activity.
The phishing emails closely mimic authentic GitHub notifications but include subtle changes, such as modified sender headers and obfuscated redirect links. The attack chain begins when users click these links, which pass through a series of URL shorteners before landing on a phishing page designed to harvest credentials.
The phishing mechanism hinges on compromised or malicious GitHub Apps with overly broad webhook permissions. These apps subscribe to push events from popular repositories. Once subscribed, attackers use the webhook secret to intercept and modify notification payloads, inserting malicious HTML forms into the email content. The modified payload appears as a legitimate notification, with embedded forms that submit user credentials to attacker-controlled servers via JavaScript.
The injected form HTML points to an external collection URL, and the attackers use AJAX to send the stolen credentials instantly. This process allows attackers to access private repositories, escalate privileges, and potentially spread additional malware.
Researchers traced the source of the malware variant to an exploit targeting GitHub’s webhook infrastructure. The group released a sample payload and documented the end-to-end process of how attackers hijack webhook data to embed phishing forms. They stressed the need for tighter controls around webhook access and app permissions.
Initial discovery reports came from open-source project maintainers who noticed suspicious account activity, including unauthorized forks and login attempts.
The GitHub campaign shows how attackers can weaponize trusted platforms against their own users. Because the phishing emails come straight from GitHub’s notification system and pass SPF and DKIM checks, they slip past most filters and look legitimate to developers. Misused webhooks and over-permissive apps give attackers a way to inject malicious forms directly into what appear to be normal repository alerts.
Paubox recommends Inbound Email Security to address this gap. Its generative AI reviews the context, tone, and relationship history of incoming messages to flag communication that doesn’t fit normal patterns, even when the source looks authentic. Suspicious notifications are blocked before reaching inboxes, helping organizations protect developers and code repositories from compromise.
GitHub Apps are integrations that can access and interact with repositories. If an app is granted overly broad permissions or is compromised, it can be used to subscribe to events and manipulate webhook notifications for malicious purposes.
They pass SPF and DKIM validation because the attackers use GitHub’s legitimate notification system, exploiting configuration gaps in third-party GitHub Apps without altering core email authentication headers.
Webhook secrets are shared tokens used to verify the integrity of event payloads. If an attacker gains access to a secret, they can tamper with webhook data and inject malicious content without detection.
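To make the webhook-secret point concrete, here is an added example (not code from the report, from Paubox, or from GitHub) of how an app that receives GitHub webhooks checks the X-Hub-Signature-256 header, and why a leaked secret defeats that check. The secret, payload, and tampered content are constructed sample values.

```python
import hashlib
import hmac
import json

def compute_signature(secret: bytes, body: bytes) -> str:
    """Return the value GitHub puts in X-Hub-Signature-256: 'sha256=' + HMAC-SHA256 hex."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"

def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Accept a delivery only if the header is an HMAC over the raw, unmodified body."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = compute_signature(secret, body)
    # Constant-time comparison so the check does not leak digest bytes via timing.
    return hmac.compare_digest(expected, header_value)

# Constructed sample values (not real secrets or real deliveries).
SECRET = b"example-webhook-secret-not-real"
PAYLOAD = json.dumps(
    {"ref": "refs/heads/main", "commits": [{"message": "fix typo in README"}]}
).encode()
SIGNATURE = compute_signature(SECRET, PAYLOAD)
INJECTED = b"<form action=https://collector.example>"  # constructed placeholder

def tampered_delivery_is_rejected() -> bool:
    """Modifying the body in transit without the secret breaks the signature."""
    tampered = PAYLOAD.replace(b"fix typo in README", INJECTED)
    return not verify_signature(SECRET, tampered, SIGNATURE)

def forged_with_stolen_secret_passes() -> bool:
    """With the secret, an attacker re-signs the modified body and the check cannot tell.
    This is why a leaked secret must be rotated, not merely detected."""
    tampered = PAYLOAD.replace(b"fix typo in README", INJECTED)
    return verify_signature(SECRET, tampered, compute_signature(SECRET, tampered))

if __name__ == "__main__":
    print("genuine delivery verifies:", verify_signature(SECRET, PAYLOAD, SIGNATURE))
    print("tampered body rejected:", tampered_delivery_is_rejected())
    print("re-signed with stolen secret accepted:", forged_with_stolen_secret_passes())
```

Verify against the raw request bytes before any JSON parsing, and treat a missing or malformed header as a failure rather than a warning.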
Developers should review and limit third-party app permissions, validate webhook destinations, and monitor for unusual event subscriptions or unexpected outbound email content.
No. While open-source maintainers reported the initial signs, any GitHub repository, public or private, using vulnerable Apps or webhook setups could be at risk.