Hackers Leverage GitHub Notifications to Mimic as Y Combinator to Steal Funds from Wallets

Cybercriminals have orchestrated a sophisticated phishing campaign exploiting GitHub’s notification system to impersonate the prestigious startup accelerator Y Combinator, targeting developers’ cryptocurrency wallets through fake funding opportunity notifications.

The attack leverages GitHub’s issue tracking system to mass-distribute phishing notifications, bypassing traditional email security filters by using the platform’s legitimate notification infrastructure. 

Threat actors created multiple GitHub accounts with names closely resembling Y Combinator, including ycombinato, ycommbbinator, and ycoommbinator, along with a malicious GitHub application called ycombinatornotify.

Y Combinator Phishing Scam

The attackers demonstrated a sophisticated understanding of GitHub’s API limitations and notification mechanisms. 

Each malicious repository generated approximately 500 issues before hitting GitHub’s rate-limiting thresholds, with each issue containing phishing content and tagging numerous random GitHub usernames to maximize notification distribution. 

The notifications appeared authentic since they originated from GitHub’s official notification system, making them difficult for users to identify as fraudulent immediately.

The phishing messages claimed recipients had been “selected for funding” and required wallet verification or authorization deposits to access supposed Y Combinator investment opportunities. 

This social engineering technique explicitly targets the developer community’s familiarity with Y Combinator’s legitimate application process, exploiting the prestige and desirability associated with acceptance into the accelerator program.

The operation employed typosquatting techniques, registering the domain y-comblnator.com (substituting an “L” for the “I” in “combinator”) to create a convincing replica of Y Combinator’s legitimate website. 

This domain hosted fake application pages designed to harvest cryptocurrency wallet credentials and private keys from unsuspecting victims.

GitHub’s security team responded by suspending the malicious accounts and repositories, but the attack’s distributed nature across multiple accounts created persistence challenges. 

Affected users reported lingering notification badges that required manual API calls to clear, using commands like curl -X PATCH with authentication tokens to mark the phantom notifications as read. 
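An added illustration of that clean-up, written for this page and not code from the article, GitHub or Y Combinator: it scores notification senders against the genuine ycombinator login by edit distance, flags mention notifications from near-miss accounts, and builds the PATCH /notifications/threads/{id} request that marks a thread as read. The sample notification JSON is constructed to mirror the shape of GitHub’s GET /notifications response, and the edit-distance threshold of 3 is an assumption.

```python
import json
import urllib.request

TRUSTED_LOGIN = "ycombinator"  # the genuine account the lookalikes imitate

# Constructed sample mirroring the shape of GET /notifications; not real GitHub data.
SAMPLE_NOTIFICATIONS = json.loads("""[
 {"id": "1", "reason": "mention", "subject": {"type": "Issue", "title": "You are selected for funding"},
  "repository": {"full_name": "ycombinato/apply", "owner": {"login": "ycombinato"}}},
 {"id": "2", "reason": "mention", "subject": {"type": "Issue", "title": "Wallet verification required"},
  "repository": {"full_name": "ycommbbinator/grants", "owner": {"login": "ycommbbinator"}}},
 {"id": "3", "reason": "mention", "subject": {"type": "Issue", "title": "Authorization deposit"},
  "repository": {"full_name": "ycoommbinator/fund", "owner": {"login": "ycoommbinator"}}},
 {"id": "4", "reason": "mention", "subject": {"type": "Issue", "title": "Batch update"},
  "repository": {"full_name": "ycombinator/meta", "owner": {"login": "ycombinator"}}},
 {"id": "5", "reason": "review_requested", "subject": {"type": "PullRequest", "title": "Fix CI"},
  "repository": {"full_name": "octocat/hello-world", "owner": {"login": "octocat"}}}
]""")

def levenshtein(a, b):
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(login, trusted=TRUSTED_LOGIN, max_distance=3):
    """True for a login that is a near miss of the trusted one but not the trusted login itself."""
    login = login.lower()  # assumed threshold: three edits still reads as the trusted name
    return login != trusted and levenshtein(login, trusted) <= max_distance

def flag_lookalike_threads(notifications):
    """Thread ids of mention notifications whose repository owner typosquats the trusted login."""
    return [n["id"] for n in notifications
            if n["reason"] == "mention" and is_lookalike(n["repository"]["owner"]["login"])]

def build_mark_read_request(thread_id, token):
    """PATCH /notifications/threads/{id} marks a single thread as read (GitHub answers 205)."""
    req = urllib.request.Request(f"https://api.github.com/notifications/threads/{thread_id}", method="PATCH")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/vnd.github+json")
    return req

def mark_read(thread_ids, token):
    """Send the PATCH for each flagged thread and return the HTTP status per thread id."""
    return {tid: urllib.request.urlopen(build_mark_read_request(tid, token)).status for tid in thread_ids}
```

The sample thread ids are constructed, so run mark_read only against ids taken from your own GET /notifications response, with a token that has the notifications scope.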

The incident highlights the vulnerability of collaborative development platforms to abuse, where legitimate notification systems can be weaponized for large-scale phishing campaigns targeting the cryptocurrency assets of technical professionals who represent high-value targets due to their likely digital asset holdings.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.