An unknown user going by the handle “Gitloker” is taking over GitHub repositories and wiping them clean in an apparent effort to extort victims.

The campaign, which a researcher at Chilean cybersecurity firm CronUp highlighted in a message on social platform X this week, appears to have been ongoing since at least February 2024. Posts on GitHub community forums suggest that several GitHub users have run into the issue over the past few months, although the actual number remains unknown.

GitHub did not immediately respond to Dark Reading’s questions about whether the company is aware of the threat or what advice it might have for GitHub users.

According to CronUp researcher German Fernandez, the attackers appear to be exploiting a GitHub commenting and notification feature. “With the above, they manage to deliver phishing emails through the legitimate ‘notifications@github dot com,’” Fernandez wrote in his X post. “In addition, the sender’s name can be manipulated by renaming the attacker’s GitHub account.” He identified the attackers as using two domains in the campaign: “githubcareers dot online” and “githubtalentcommunity dot online.”

Multiple Incidents

On Feb. 22, GitHub user CodeLife234 reported an issue involving a friend’s account that had been hacked and was subsequently flagged. That compromise apparently occurred after the victim clicked on a link in what turned out to be a spam email recruiting for a GitHub developer job.

The victim described the attacker as having created and pushed two repos to his account and having left an extortion note as well. “This is an urgent notice to inform you that your data has been compromised, and we have secured a backup,” the message posted on Telegram’s anonymous blogging platform Telegraph said. “Currently, we are requesting a symbolic amount of $US1,000 to prevent the exposure of your files. It is crucial that everyone takes immediate action within the next 24 hours to avoid any data leaks.”

The victim also described the attacker as deleting some repositories and said his accounts and projects were no longer publicly visible.

In comments responding to that post, another GitHub user with the handle “Mindgames” reported receiving an identical email purportedly for a GitHub developer job. The email, from notifications@github dot com, portrayed the job with a $180,000 salary and several attractive benefits. It urged the recipient to click on an embedded link to fill out additional information in the application process.

Yet another GitHub user reported receiving both a fake recruiting email and a fake security alert via the GitHub notification system in the last few months. A screenshot of the security alert showed the email as appearing to be signed by the “GitHub Security Team” and informing the recipient of their account apparently having been compromised.

“It appears that unauthorized access has been gained to our servers, potentially compromising user data and the integrity of our platform,” the email said. It sought the recipient’s immediate assistance in addressing the issue by clicking on a link that would purportedly authorize GitHub’s security team to take necessary remedial action. Both the job and the security-related emails directed the user to https://githubcareer dot online/.

“These emails prompt users to authenticate on GitHub, and if no action is taken after a brief interval, the page automatically redirects to an OAuth2 authentication page with [specific] query parameters,” the user said.
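The lures described above arrive from GitHub’s real notification sender, so sender checks alone do not catch them; the tells are the attacker-controlled display name and a link that leaves github.com (or asks the user to grant an OAuth app). The following triage script is an added example, not code from the article or from GitHub; the sample messages are constructed, the lure domain is a placeholder modelled on the ones reported, and the github.com-only allowlist and the OAuth consent path are assumptions to adjust for your own mail flow.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

GITHUB_NOTIFY_SENDER = "notifications@github.com"   # legitimate sender the lures ride on
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
OAUTH_AUTHORIZE_PATH = "/login/oauth/authorize"      # GitHub's OAuth app consent endpoint

def is_github_host(host):
    """Allowlist (assumption): github.com and its subdomains only."""
    return host == "github.com" or host.endswith(".github.com")

def triage_notification(raw):
    """Return (code, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() != GITHUB_NOTIFY_SENDER:
        return []                                    # not a GitHub notification; out of scope
    findings = []
    # The commenter's display name is attacker-controlled (a renamed account),
    # so a name that claims to be GitHub itself is the first red flag.
    if "github" in display.lower():
        findings.append(("impersonating-name", display))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if not is_github_host(host):
            findings.append(("external-link", host))          # lure domain behind a real sender
        elif parts.path == OAUTH_AUTHORIZE_PATH:
            findings.append(("oauth-authorize", parts.query))  # asks the user to grant an OAuth app
    return findings

def finding_codes(raw):
    return {code for code, _ in triage_notification(raw)}

# Constructed samples modelled on the article's description; not real mail.
PHISH = ("From: GitHub Security Team <notifications@github.com>\n"
         "Subject: Unauthorized access detected\n\n"
         "It appears that unauthorized access has been gained to our servers.\n"
         "Authorize remediation here: https://githubcareers.example/login\n")
BENIGN = ("From: octocat <notifications@github.com>\n"
          "Subject: Re: [example/repo] Fix typo (PR #12)\n\n"
          "Looks good. View it on GitHub: https://github.com/example/repo/pull/12\n")
```

Run `triage_notification(PHISH)` to see both the impersonating display name and the off-platform link flagged, while the ordinary pull-request notification yields nothing.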

Extortion via Data Theft

Not all of the GitHub extortion incidents appear the same, however.

Fernandez earlier this week posted a screenshot on his X account of an April 11 extortion note that Gitloker had left for someone who appeared to be associated with the GitHub repository of a B2C company. The note – from an individual identifying themselves as a cyber incident analyst – informed the recipient that the Gitloker “team” had found confidential information within the repository that would be damaging to the company if publicly released.

“We are willing to refrain from disclosing this information publicly in exchange for a payment of $250,000 USD,” the attacker wrote. The note assured the victim about the continued confidentiality of the data if payment was received.

A GitHub spokesperson tells Dark Reading that the company investigates all reports of abusive or suspicious activity on its platform and takes action when merited. “We also encourage customers and community members to report abuse and spam,” according to the spokesperson.

GitHub has recommended several measures for users who believe their GitHub account has been compromised: Review active GitHub sessions, review personal access tokens, change GitHub password, and reset two-factor recovery codes.

“Review authorized OAuth apps and do not click any links or reply to unsolicited messages from any source asking to authorize an OAuth app. Authorizing an OAuth app can expose a user’s GitHub account and data to a third party,” according to GitHub.

Source: www.darkreading.com