New Tool Automates GitHub Device Code Phishing Attacks
Security researchers revealed the dangers of GitHub Device Code Phishing—a technique that leverages the OAuth 2.0 Device Authorization Grant flow.
This method can turn a simple eight-digit code and a phone call into a full compromise of an organization’s GitHub repositories and software supply chain.
Despite its simplicity, executing these attacks at scale has traditionally been complex, because the attacker must coordinate convincing social engineering with the strict 15-minute expiration window of each device code.
Introducing GitPhish
To address these operational challenges, the team behind the research has released GitPhish, a tool designed to streamline and automate GitHub Device Code Phishing.
By open-sourcing the project, they aim to empower security professionals and red teams to simulate realistic attack scenarios and test organizational defenses more effectively.
Key Features
1. Professional Landing Pages on GitHub Pages – GitPhish automates the deployment of convincing landing pages directly on GitHub Pages. These pages are crafted to build instant credibility with targets and guide them seamlessly through the Device Code login flow.
2. Dynamic Device Code Generation – Unlike traditional approaches, GitPhish generates device codes in real time—only when a target interacts with the phishing page. This innovation starts the 15-minute countdown at the moment of engagement, not when the lure is sent, allowing operators to target multiple users simultaneously without worrying about code expiration.
3. Flexible Operation Modes – GitPhish can be run via a command-line interface or a user-friendly web dashboard. It offers robust logging, analytics, and token management, making it suitable for both technical and less technical users.

GitPhish is purpose-built for security teams, red teamers, and detection engineers. It enables:
- Red teams to simulate advanced phishing attacks in controlled environments, testing organizational resilience.
- Detection engineers to validate and improve their ability to spot suspicious OAuth flows, unusual GitHub authentication patterns, and social engineering attempts.
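Detection engineers looking for the "unusual GitHub authentication patterns" mentioned above can start from the organization audit log. The script below is an added example, not code from the article or from the GitPhish project: it scans audit-log-style events for new OAuth app authorizations that are not on an allowlist, and flags a burst of several users authorizing the same unknown app inside one 15-minute window, the pattern a campaign that targets multiple users at once would leave. The sample events are constructed; the `oauth_application_id` field and allowlist values are assumptions about the log shape, not a guaranteed schema.

```python
"""Added example (not from the article or the GitPhish project): flag OAuth app
authorizations in GitHub-audit-log-style events that could indicate device code
phishing. Event shape is a constructed approximation; field names other than
'action', 'actor' and '@timestamp' are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, loosely shaped like GitHub org audit-log entries.
SAMPLE_EVENTS = [
    {"action": "oauth_authorization.create", "actor": "alice",
     "oauth_application_id": 1001, "@timestamp": "2025-01-10T14:02:11Z"},
    {"action": "oauth_authorization.create", "actor": "bob",
     "oauth_application_id": 4242, "@timestamp": "2025-01-10T15:10:05Z"},
    {"action": "oauth_authorization.create", "actor": "carol",
     "oauth_application_id": 4242, "@timestamp": "2025-01-10T15:14:40Z"},
    {"action": "oauth_authorization.create", "actor": "dave",
     "oauth_application_id": 4242, "@timestamp": "2025-01-10T15:21:30Z"},
    {"action": "repo.create", "actor": "alice",
     "@timestamp": "2025-01-10T15:30:00Z"},
    {"action": "oauth_authorization.create", "actor": "erin",
     "oauth_application_id": 7777, "@timestamp": "2025-01-11T09:00:00Z"},
]

# OAuth apps the organization has vetted (constructed allowlist).
ALLOWED_APP_IDS = {1001}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_oauth_authorizations(events, allowed_app_ids,
                                 window=timedelta(minutes=15), min_users=2):
    """Return {'unknown_app': [(actor, app_id), ...], 'burst': [(app_id, [actors]), ...]}.

    'unknown_app' lists every authorization of an app outside the allowlist.
    'burst' lists unknown apps that at least `min_users` distinct actors
    authorized within `window` of each other (default: the device-code lifetime).
    """
    unknown = []
    by_app = defaultdict(list)
    for ev in events:
        if ev.get("action") != "oauth_authorization.create":
            continue
        app_id = ev.get("oauth_application_id")
        actor = ev.get("actor")
        ts = parse_ts(ev["@timestamp"])
        if app_id not in allowed_app_ids:
            unknown.append((actor, app_id))
        by_app[app_id].append((ts, actor))

    bursts = []
    for app_id, auths in by_app.items():
        if app_id in allowed_app_ids:
            continue
        auths.sort()
        # Slide a window starting at each authorization; report the first burst.
        for start_ts, _ in auths:
            actors = {a for t, a in auths if start_ts <= t <= start_ts + window}
            if len(actors) >= min_users:
                bursts.append((app_id, sorted(actors)))
                break
    return {"unknown_app": unknown, "burst": bursts}


if __name__ == "__main__":
    result = analyze_oauth_authorizations(SAMPLE_EVENTS, ALLOWED_APP_IDS)
    for actor, app_id in result["unknown_app"]:
        print(f"review: {actor} authorized unknown OAuth app {app_id}")
    for app_id, actors in result["burst"]:
        print(f"ALERT: app {app_id} authorized by {len(actors)} users within 15 min: {actors}")
```

In the sample data, app 4242 is authorized by three different users within eleven minutes and is reported as a burst, while the single authorization of app 7777 is only listed for review. In production the events would come from the organization audit log rather than an inline list, and the allowlist should be the set of OAuth apps the organization has actually approved; the burst threshold and window are tunable.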
The tool is available now as an open-source project on GitHub. Setup is straightforward: users need Python and a GitHub personal access token.
Installation takes minutes, and comprehensive documentation with real-world scenarios is included to help teams get started quickly.
To explore GitPhish or contribute to its development, visit the official repository on GitHub. For a more hands-on introduction, a webinar and live demonstration are also available.