In a new phishing campaign, GitHub developers are being targeted with fake “Security Alerts” that prompt them to authorize a malicious OAuth application.
Successful execution of the click-fix campaign, which has reportedly targeted over 12,000 GitHub repositories, can give attackers full control over the affected accounts and their code.
Cybersecurity researcher Luc4m first reported the fake alerts through an X post on Sunday morning, adding that the campaign made almost “4k attempts in a few minutes”.
“Security Alert: Unusual Access Attempt,” the fake alert reads, Luc4m said. “We have detected a login attempt on your GitHub account that appears to be from a new location or device.”
Users are prompted to update passwords, 2FA
The alert offered a number of steps to secure their accounts against unauthorized activity. “If you recognize this activity, no further action is required. However, if this was not you, we strongly recommend securing your account immediately,” it reads.
The recommended actions include updating one’s password, reviewing and managing active sessions, and enabling two-factor authentication (2FA).
All these options, however, came with links that led to a GitHub authorization page for the “gitsecurityapp” OAuth app. The authorization page lists a set of risky permissions, including access to and deletion of public and private repositories, read or write access to user profiles, read access to organization membership and projects, and access to GitHub gists.
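As an added, defender-side illustration (not code from the article, Luc4m, or GitHub), the following screens a list of OAuth app authorizations for the reported app name and App ID and for the scope combination described above; the record layout (name, client_id, scopes) is a constructed assumption, and the scope identifiers are GitHub's OAuth scope names that correspond to the listed permissions.

```python
# Added example: flag OAuth authorizations resembling the "gitsecurityapp" grant.
# Record layout {name, client_id, scopes} is assumed; scope names are GitHub's.
RISKY_SCOPES = {"repo", "delete_repo", "user", "read:org", "gist"}
KNOWN_BAD_CLIENT_IDS = {"Ov23liQMsIZN6BD8RTZZ"}   # App ID reported in the article
KNOWN_BAD_NAMES = {"gitsecurityapp"}               # app name shown on the consent page


def assess_authorization(auth: dict) -> list[str]:
    """Return the reasons an authorization looks suspicious (empty if none)."""
    reasons = []
    if auth.get("client_id") in KNOWN_BAD_CLIENT_IDS:
        reasons.append("client_id matches a reported indicator")
    if auth.get("name", "").strip().lower() in KNOWN_BAD_NAMES:
        reasons.append("app name matches a reported indicator")
    scopes = set(auth.get("scopes", []))
    if "delete_repo" in scopes:
        reasons.append("delete_repo granted")
    overlap = scopes & RISKY_SCOPES
    if len(overlap) >= 3:
        reasons.append(f"broad scope set: {sorted(overlap)}")
    return reasons


def screen(authorizations: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (app name, reasons) for every authorization worth reviewing."""
    flagged = []
    for auth in authorizations:
        reasons = assess_authorization(auth)
        if reasons:
            flagged.append((auth.get("name", "<unnamed>"), reasons))
    return flagged


# Constructed sample records for demonstration only.
SAMPLE_AUTHORIZATIONS = [
    {"name": "ci-status-bot", "client_id": "Iv1.placeholderclientid",
     "scopes": ["read:org"]},
    {"name": "gitsecurityapp", "client_id": "Ov23liQMsIZN6BD8RTZZ",
     "scopes": ["repo", "delete_repo", "user", "read:org", "gist"]},
]

if __name__ == "__main__":
    for name, reasons in screen(SAMPLE_AUTHORIZATIONS):
        print(f"REVIEW {name}: {'; '.join(reasons)}")
```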
Cybersecurity news website BleepingComputer reported that close to 12,000 repositories had been targeted by early Monday morning.
Possible DPRK links
Luc4m’s X post hinted at possible nation-state connections, adding, “Smells #DPRK?” While nothing else was said on the X thread, North Korea is known to use click-fix attacks in its cyber espionage activities, with Contagious Interviews being a prominent one of those campaigns.
All the fake GitHub alerts included the same login information — location: Reykjavik, Iceland; IP address: 53.253.117.8; and device: Unrecognized. For protection, Luc4m shared a couple of indicators of compromise (IoCs) — GitHub account: hishamaboshami, and App ID: Ov23liQMsIZN6BD8RTZZ. The X thread also noted that the fake “security app” was deployed using Render, a cloud platform for hosting web applications, at s://github-com-auth-secure-access-token.onrender.com.