A large-scale phishing campaign has targeted nearly 12,000 GitHub repositories with phony security alerts, reported BleepingComputers.

The alerts, opened as issues on the repositories, inform users of unauthorized login attempts and provide links to change their passwords, review active sessions, or set up MFA.

If a user clicks any of these links, they’ll be taken to a GitHub authorization page for an OAuth app that will grant the attacker control of the account.

The campaign is ongoing, though GitHub appears to be responding to the attacks.

Users were directed to all links within the message to a GitHub authorization page for a malicious OAuth application called “gitsecurityapp.” If authorized, the app grants attackers full control over the user’s account and repositories, including the ability to delete repositories, modify workflows, and read or write organization data.

This consistent messaging across all affected repositories aims to create a sense of urgency and panic, prompting developers to take immediate action.

The fraudulent alert directs users to update their passwords, review active sessions, and enable two-factor authentication. However, these links lead to a GitHub authorization page for a malicious OAuth app named “gitsecurityapp.”

Upon authorization, an access token is generated and sent to various web pages hosted on onrender.com, granting the attacker full control.

(Image courtesy: Bleeping Computers)

The attack, which was first detected on March 16, remains active, though GitHub appears to be removing affected repositories.

Pointers Developers to take key inputs from this incident.

Last week, a supply chain attack on the tj-actions/changed-files GitHub Action caused malicious code to write CI/CD secrets to the workflow logs for 23,000 repositories.

If those logs had been public, then the attacker would have been able to steal the secrets.

The tj-actions developers cannot pinpoint exactly how the attackers compromised a GitHub personal access token (PAT) used by a bot to perform malicious code changes as per threat researchers.

Key pointers for User saftey:

• For users who have mistakenly authorized the malicious OAuth app revoking access to suspicious OAuth apps through GitHub’s settings.
• Affected users should review their repository workflows, check for unauthorized private gists, and rotate their credentials to prevent further damage.
• This attack highlights the increasing threat of phishing campaigns targeting GitHub users.
• As GitHub continues to investigate and respond, developers must remain vigilant and verify any security alerts before taking action.
• Rotate your credentials and authorization tokens.

 Wiz suggests that potentially impacted projects run this GitHub query to check for references to reviewdog/action-setup@v1 in repositories.

If double-encoded base64 payloads are found in workflow logs, this should be taken as a confirmation their secrets were leaked.

Developers should immediately remove all references to affected actions across branches, delete workflow logs, and rotate any potentially exposed secrets.

(Sourece: Bleeping computers)