Goissue Tool Harvests GitHub Emails and Launches Phishing Attacks on Developers
Security experts at SlashNext have discovered that operators behind the Gitloker malicious campaign have developed a new phishing tool called Goissue, specifically targeting developers on GitHub. With Goissue, attackers can extract email addresses from publicly available GitHub profiles and then launch phishing attacks against those addresses.
According to researchers, the phishing tool is being rented out and sold by a hacker known as cyberdluffy (also known as Cyber D’ Luffy), who claims to be part of the Gitloker team.
Gitloker activity was first observed in the summer of 2024. During this campaign, attackers targeted GitHub repositories, wiped their contents, and then asked victims to contact them via Telegram for “more information.”
Cyberdluffy describes Goissue as “a solution for efficiently extracting user data and emails from GitHub.” In reality, it is an automated phishing tool that continues the operations of Gitloker.
“Ultimately, once you’ve carried out an attack and it works, it becomes routine,” say SlashNext analysts. “Now you have a set of tools and don’t need to do the work yourself: you can simply sell access to these tools.”
A custom build of Goissue costs $700. Buyers can also get full access to the tool’s source code for $3,000.
Goissue enables attackers to extract developers’ email addresses from GitHub, posing a threat not only to individuals but also to entire organizations. “This is a direct path to source code theft, supply chain attacks, and breaches of corporate networks through compromised developer credentials,” experts warn.
Goissue Features
- Customizable email templates
- Proxy server support
- Email address extraction
- Token management
- Various scraping modes
Future releases promise additional features to make the tool even more robust and versatile.
How Goissue Attacks Work
An attack using Goissue typically starts with collecting email addresses from public GitHub profiles, followed by a phishing campaign using emails that appear to be GitHub notifications. In these messages, criminals may impersonate GitHub security staff or recruiters.
Such emails contain links to phishing pages designed to steal credentials, deliver malware, or request OAuth authorization to access private repositories and data. Essentially, Goissue automates and scales the entire attack process.
“Attackers can launch customized, large-scale email campaigns designed to bypass spam filters and target specific developer communities,” researchers warn.
SlashNext concludes that the emergence of Goissue is a serious warning sign. According to experts, this is not just about spam, but about the ability to send targeted emails en masse, potentially leading to the takeover of accounts or even entire projects.