GitHub Phishing Campaign making use of OAuth and render.com hosted site
8 points by PaoloBarbolini 6 months ago | 7 comments
A phishing campaign has been ongoing in the last 4 hours, opening more than 11.5k issues containing the wording "We have detected a login attempt on your GitHub account that appears to be from a new location or device." and links to a render.com hosted site.

Do not click any of the links!

Every once in a while this seems to reoccur, and I realize how slow GitHub is at deleting the spam issues or comments. Why doesn't GitHub fix this?



I recognize that anti-abuse is a neverending cat and mouse game, and hindsight is 20/20, but it seems like malicious activity like this should be easily detected - how often does a legitimate account suddenly post 300 issues across many different repos?

Part of the challenge may be the moderation effort with false positives if you make detection more sensitive, but it seems like some investment in a pending/flagged activity section with approval delegated to repo owners could work well?

In a past life, one of the more effective anti-abuse mechanisms was intentionally introducing latency between attempt and confirmation, on the order of a week. If every time you try to see if you've evaded detection takes a week to confirm, you can't iterate on abuse nearly as quickly and are more likely to give up and move onto other targets. Obviously the amount of acceptable latency you can introduce will depend on the system/product...
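One way to turn the heuristic above ("how often does a legitimate account suddenly post hundreds of issues across many different repos?") into detection logic, as an added example that is not from the thread and not GitHub's own anti-abuse code: the event sample, thresholds and the lure domain are all constructed for illustration. It flags an account when it opens many issues across many distinct repos inside a sliding window, and separately flags issue bodies that carry the lure sentence quoted in the post together with a link off github.com.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Lure sentence quoted in the post; matched case-insensitively.
LURE = "we have detected a login attempt on your github account"
URL_RE = re.compile(r"https?://[^\s)>\]]+")

def phishing_like(body: str) -> bool:
    """True if the issue body carries the lure phrase and at least one off-GitHub link."""
    if LURE not in body.lower():
        return False
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    return any(not (h == "github.com" or h.endswith(".github.com")) for h in hosts)

def burst_accounts(events, window=timedelta(hours=1), min_issues=5, min_repos=3):
    """Authors opening >= min_issues issues across >= min_repos repos in any window.
    events: iterable of (timestamp, author, repo, body). Thresholds are assumptions."""
    by_author = defaultdict(list)
    for ts, author, repo, _ in events:
        by_author[author].append((ts, repo))
    flagged = {}
    for author, items in by_author.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide window start
                start += 1
            span = items[start:end + 1]
            repos = {r for _, r in span}
            if len(span) >= min_issues and len(repos) >= min_repos:
                flagged[author] = (len(span), len(repos))
                break
    return flagged

def triage(events):
    """Combine both signals into {author: set_of_reasons}."""
    hits = defaultdict(set)
    for author in burst_accounts(events):
        hits[author].add("burst")
    for _, author, _, body in events:
        if phishing_like(body):
            hits[author].add("lure")
    return dict(hits)

# Constructed sample events (not real GitHub data); the lure host is a placeholder.
T0 = datetime(2024, 9, 1, 12, 0)
BAIT = ("We have detected a login attempt on your GitHub account that appears to be "
        "from a new location or device. Verify here: https://login-verify.example/github")
EVENTS = [(T0 + timedelta(minutes=i), "spam-acct-0042", f"org{i}/repo", BAIT) for i in range(6)]
EVENTS += [(T0 + timedelta(hours=i), "maintainer", "org0/repo",
            "Bug: CI fails on main, see https://github.com/org0/repo/actions") for i in range(3)]
```

Running `triage(EVENTS)` flags only the burst account, on both signals; the maintainer's three issues in one repo over two hours trip neither threshold.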


Before this event, I've had another encounter with GitHub. What happened is that an AI coding assistant startup seemed to have created bots that would:

1. find new GitHub issues on random repos

2. fork the repo

3. make a commit, trying to implement whatever was requested in the issue

4. reply to the issue with a link to the commit, indemnifying themselves of the code quality (which was very poor), and linking to their platform

I reported a few of those issues to GitHub. To me, the problem seemed almost obvious:

1. they were using sketchy GitHub usernames

2. there was evidence of similar replies having been mass-deleted in the past

3. some of the issues also seemed to have been opened by sketchy users

GitHub took a few days to reply and didn't seem to understand how bad the situation was, and basically allowed them to continue. I don't expect to have to spend a lot of time writing an elaborate "criminal case" to convince GitHub that they are allowing their platform to be abused by these bots.


I'm also finding that this has happened already in the past and GitHub didn't cleanup the spam entirely, like: https://github.com/Xyntax/1000php/issues/1#issuecomment-2318...



I work at Render. We've removed the phishing website from the platform.


Amazing work! This is the first time I've seen this kind of issue fixed so quickly.

GitHub should learn from this.


11.5k in 4h and GitHub does nothing??

That's truly a HUGE red flag there.



