GitHub Phishing Campaign Employs Security Alert Lure to Install Malicious OAuth Application

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

A sophisticated phishing campaign has targeted nearly 12,000 GitHub repositories, leveraging fake "Security Alert" issues to trick developers into authorizing a malicious OAuth application, granting attackers full control over accounts and source code.

This scam exploits developers’ trust by issuing warnings of “unusual account activity” from Reykjavik, Iceland, accompanied by an IP address (53.253.117.8). 

The alerts claim the affected users’ accounts have been breached, urging them to update credentials, review active sessions, and enable two-factor authentication.

Fake "Security Alert" issue posted to GitHub repositories | Source: BleepingComputer

Clicking the provided links directs users not to GitHub-secured settings but to an authorization page for a deceptive OAuth app dubbed "gitsecurityapp." 

Permissions requested by malicious OAuth app | Source: BleepingComputer

Upon authorization, the attackers gain access to an alarming range of privileges, including:

The campaign was first identified by cybersecurity researcher Luc4m and began at approximately 6:52 AM ET on March 16, 2025. 

GitHub appears to be responding to the situation, as reports indicate fluctuations in targeted repositories. However, the phishing operation remains active and ongoing.

Individuals who accidentally authorized the malicious application are advised to take immediate action and revoke its access via GitHub Settings → Applications (remove unfamiliar or suspicious OAuth apps, particularly those resembling “gitsecurityapp”).

Victims of this attack can also check their GitHub Actions workflows for unexpected or malicious modifications and look for any newly created private gists that could harbor malicious intent.

Of course, refreshing all compromised tokens and credentials to secure account access is also essential moving forward.

GitHub was exploited by threat actors throughout the last months for malicious ad campaigns or distributing malware such as Lumma Stealer, Vidar Stealer, SectopRAT, and Cobeacon.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: