New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens

New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens

Cybersecurity researchers have identified a sophisticated new phishing campaign that exploits GitHub’s OAuth2 device authorization flow to compromise developer accounts and steal authentication tokens.

This emerging threat represents a significant evolution in social engineering tactics, leveraging legitimate GitHub functionality to bypass traditional security measures and gain unauthorized access to source code repositories, CI/CD pipelines, and sensitive intellectual property.

The attack technique mirrors established Azure Active Directory device code phishing methods that have plagued enterprise environments for years, but now targets the developer ecosystem through GitHub’s platform.

Google News

Unlike conventional phishing approaches that rely on fraudulent websites or malicious links, these attacks abuse GitHub’s native device code authentication process, making them particularly difficult to detect and block using standard security controls.

Following recent high-profile supply chain attacks including the tj-actions incident, Praetorian analysts noted that GitHub access has become increasingly valuable to threat actors seeking to compromise software development pipelines.

The researchers identified that these device code phishing attacks have achieved success rates exceeding 90% when conducted via phone calls to developers, demonstrating the technique’s effectiveness against even security-conscious targets.

New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens
GitHub Device Code Authentication flow (Source – Praetorian)

The impact of successful attacks extends far beyond individual account compromises.

Once attackers obtain GitHub OAuth tokens with appropriate scopes, they can exfiltrate proprietary source code, access GitHub Actions secrets for lateral movement, execute malicious code on self-hosted runners, and potentially backdoor critical repositories to launch supply chain attacks affecting thousands of downstream users.

New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens
The initial device code page (Source – Praetorian)

The centralization of development infrastructure around GitHub has made these attacks particularly attractive to threat actors seeking maximum impact from minimal effort.

Attack Mechanism

The GitHub device code phishing process follows a methodical five-step approach that exploits the inherent trust model of OAuth2 device authorization.

The attack begins when threat actors generate device codes through GitHub’s OAuth API, typically requesting broad permissions including user, repository, and workflow scopes.

The following code snippet demonstrates the initial request:-

curl -X POST https://github.com/login/device/code 
  -H "Accept: application/json" 
  -d "client_id=01ab8ac9400c4e429b23&scope=user+repo+workflow"
New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens
Authentication broker (Source – Praetorian)

Attackers often utilize legitimate client IDs such as Visual Studio Code’s identifier (01ab8ac9400c4e429b23) to reduce user suspicion during the authorization process.

The server response includes a device code for token retrieval, a six-digit user code, the verification URL (https://github.com/login/device), and a 15-minute expiration window.

The social engineering phase involves convincing developers to navigate to the verification URL and enter the provided code.

Praetorian researchers have documented various successful pretexts, including impersonating helpdesk personnel claiming device registration updates are required or IT staff conducting security verification procedures.

Once victims complete the authentication flow and authorize the application, attackers retrieve the OAuth token using the original device code.

This token provides persistent access to the victim’s GitHub resources, enabling comprehensive reconnaissance and data exfiltration activities.

The technique’s effectiveness stems from its use of legitimate GitHub functionality, making it nearly impossible to distinguish malicious device code requests from genuine authentication attempts without additional context or behavioral analysis.

Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full acces



Source link

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.