Hackers Use GitHub Notifications to Impersonate Y Combinator and Steal Wallet Funds

A recent wave of sophisticated phishing attacks has targeted developers and startups by impersonating Y Combinator through GitHub notifications.

Victims are being tricked into believing they’ve been selected for startup funding, only to face financial theft via fake verification schemes.

This incident spotlights the new tactics phishers use to exploit trusted online platforms and reputable organizations.

The Attack Unfolds: Mass Issue Tagging and Phony Apps

Attackers registered multiple GitHub accounts and repository names closely resembling “Y Combinator,” such as “ycombinato,” “ycombbinator,” “yccombinator,” and variations with deliberate typos and hyphens.

These accounts created hundreds of GitHub issues per minute, each tagging numerous random users.

The notifications were designed to look like official Y Combinator communications, often mentioning a supposed selection for funding or an authorization process.

Victims received emails and GitHub notifications, sometimes with follow-ups asking users to “verify their wallets” or deposit funds for the next steps.

Attackers also deployed GitHub Apps, such as “ycombinatornotify” and “mail-notifaction-automatic,” to increase the perceived legitimacy of the messages.

The scheme leveraged both GitHub’s notification system and emails, using automated scripts until the repositories were reported and deleted or rate-limited by GitHub.

Fake Domains and Wallet Phishing

Many victims reported being redirected from these GitHub notifications to phishing domains like “y-comblnator.com” and similar lookalikes.

These pages mirrored Y Combinator branding but were designed to collect wallet credentials or request crypto deposits, tricking users with promises of startup funding.

Users noticed these domains were typo-squatted, usually substituting letters and adding hyphens to evade detection.

Some reports indicated ongoing suspicious activity even after initial spam repositories were removed, with further notifications from newly created accounts and repositories.

The attackers constantly adapted their approach, launching new campaigns before previous ones were taken down.

The news quickly spread on Hacker News and GitHub forums, with users sharing warnings and mitigation tips.

Many tagged the official Y Combinator security team at “[email protected]” and used GitHub’s abuse reporting system, though some noted issues with the reporting functionality.

Affected individuals also submitted the fraudulent domains to browser and search engine phishing protection lists.

To remove notification spam lingering in GitHub, users leveraged API workarounds, as the UI did not display these messages properly.
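The two defensive steps described above, spotting the typo-squatted names and domains and clearing the leftover notifications through the API, can be scripted together. The following Python script is an added example written for this article, not code from GitHub, Y Combinator, or any of the affected users. It normalises a GitHub login or domain (lowercase, hyphens and punctuation stripped), measures its edit distance from the reference spelling “ycombinator”, flags any name that deviates from it by a hyphen, a character or two, or an appended suffix, and then marks the matching notification threads as done using GitHub’s documented REST endpoints. The notification records at the bottom are constructed sample data in the shape the API returns; a personal access token with the `notifications` scope in the `GITHUB_TOKEN` environment variable is assumed for the live run, and the `--dry-run` flag is this script’s own.

```python
"""Flag GitHub notifications from Y Combinator lookalike accounts and clear them.

Added example, not from the article. Assumes GITHUB_TOKEN holds a personal
access token with the `notifications` scope. Endpoints used are GitHub's
documented ones: GET /notifications, DELETE /notifications/threads/{id}.
"""
import json
import os
import re
import sys
from urllib.request import Request, urlopen

API = "https://api.github.com"
REFERENCE = "ycombinator"          # the brand the campaign impersonated


def normalize(name: str) -> str:
    """Lowercase and drop everything except letters and digits (hyphens, dots, underscores)."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row; enough for short account names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(login: str, target: str = REFERENCE, max_distance: int = 2) -> bool:
    """True if `login` imitates `target` without being exactly it.

    Covers the three tricks seen in the campaign: inserted hyphens ("y-combinator"),
    small typos ("ycombinato", "ycombbinator"), and appended words ("ycombinatornotify").
    An exact match is not flagged, but that is not proof the account is genuine.
    """
    if login.lower() == target:
        return False
    n = normalize(login)
    return n == target or target in n or levenshtein(n, target) <= max_distance


def is_lookalike_domain(host: str) -> bool:
    """Apply the same test to a hostname, ignoring the public suffix (e.g. '.com')."""
    label = host.lower().rsplit(".", 1)[0] if "." in host else host
    return is_lookalike(label)


def flag_spam_notifications(notifications: list) -> list:
    """Return the notification dicts whose repository owner is a lookalike login."""
    return [n for n in notifications
            if is_lookalike(n["repository"]["owner"]["login"])]


def github_request(method: str, path: str, token: str):
    req = Request(API + path, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("X-GitHub-Api-Version", "2022-11-28")
    with urlopen(req) as resp:           # 204/205 responses carry no body
        raw = resp.read()
    return json.loads(raw) if raw else None


def fetch_notifications(token: str) -> list:
    """Page through every thread, read or unread, since spam may already be marked read."""
    results, page = [], 1
    while True:
        batch = github_request("GET", f"/notifications?all=true&per_page=100&page={page}", token)
        if not batch:
            return results
        results.extend(batch)
        page += 1


# Constructed sample in the shape of GET /notifications; not real data.
SAMPLE_NOTIFICATIONS = [
    {"id": "1", "reason": "mention", "subject": {"title": "You have been selected", "type": "Issue"},
     "repository": {"full_name": "ycombbinator/funding", "owner": {"login": "ycombbinator"}}},
    {"id": "2", "reason": "mention", "subject": {"title": "Verify your wallet", "type": "Issue"},
     "repository": {"full_name": "y-combinator/notify", "owner": {"login": "y-combinator"}}},
    {"id": "3", "reason": "review_requested", "subject": {"title": "Fix CI", "type": "PullRequest"},
     "repository": {"full_name": "octocat/hello-world", "owner": {"login": "octocat"}}},
    {"id": "4", "reason": "mention", "subject": {"title": "Authorization step", "type": "Issue"},
     "repository": {"full_name": "ycombinato/apply", "owner": {"login": "ycombinato"}}},
]


def main(argv: list) -> int:
    dry_run = "--dry-run" in argv
    token = os.environ.get("GITHUB_TOKEN")
    notes = fetch_notifications(token) if token and not dry_run else SAMPLE_NOTIFICATIONS
    for n in flag_spam_notifications(notes):
        print(f"lookalike: {n['repository']['full_name']}  thread={n['id']}  {n['subject']['title']!r}")
        if token and not dry_run:
            github_request("DELETE", f"/notifications/threads/{n['id']}", token)  # mark as done
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--dry-run` (or without a token) to see which threads would be cleared against the sample data before pointing it at a real account; the same `is_lookalike_domain` check can be applied to links in incoming notification e-mails before anyone clicks them.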

GitHub has since responded by deleting scam repositories and user accounts, but phishing notifications and fake domains may persist.

This phishing campaign highlights how cybercriminals increasingly exploit trusted service notifications and mimic reputable brands to bypass normal user skepticism.

Developers and startup founders are urged to stay cautious, verify communications with organizations directly, and report suspicious activity swiftly.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.