In recent weeks, security researchers have uncovered an elaborate phishing campaign that leverages legitimate GitHub notification mechanisms to deliver malicious content.
Victims receive seemingly authentic repository alerts, complete with real-looking commit messages and collaborator updates. Upon closer inspection, the notification headers reveal altered sender addresses and obfuscated links.
The campaign’s sophistication has allowed it to slip past many email gateways, leading to a surge in compromised credentials among developers and IT staff.
Initial reports emerged when multiple open-source maintainers reported unexpected password resets and unauthorized repository forks. H4x0r.DZ identified the malware variant responsible for intercepting GitHub webhook notifications and appending phishing payloads.
Unlike typical phishing emails, these messages maintain valid DKIM and SPF records by exploiting misconfigurations in third-party GitHub Apps.
Recipients clicking the embedded link are redirected through a chain of URL shorteners before landing on a credential-harvesting page.
Analysis of the phishing emails shows that the malware injects custom HTML forms into the GitHub notification template.
The form’s action attribute points to a URL under the attacker’s control, while JavaScript code captures the entered credentials and relays them via an AJAX POST request.
Infection Mechanism via Webhook Manipulation
The core infection vector hinges on compromised GitHub Apps with overly broad webhook permissions.
Attackers first identify popular repositories that allow external Apps to subscribe to push events.
By registering a malicious App under a plausible name, they gain event subscriptions and acquire a webhook secret.
The attacker’s server validates incoming JSON payloads using the secret, then modifies the “pusher” field to insert malicious HTML before forwarding the notification to GitHub’s email service.
A simplified version of the injection logic appears below:
    function modifyPayload(payload) {
        let template = payload.Body;                 // the notification body GitHub will mail out
        const phishingForm = ``;                     // the injected form markup is stripped from the page as extracted
        payload.Body = template.replace('            // the replace() call is truncated on the page