
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 797 of 2,445   
   Mike Powell to All   
   Fake GitHub "security al   
   18 Mar 25 09:49:00   
   
   TZUTC: -0500   
   MSGID: 512.consprcy@1:2320/105 2c3ec060   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   These fake GitHub "security alerts" could actually let hackers hijack your   
   account   
      
   Date:   
   Tue, 18 Mar 2025 13:27:00 +0000   
      
   Description:   
   More than 12,000 GitHub users were targeted so far.   
      
   FULL STORY   
      
   Cybercriminals are faking security alerts on GitHub to get unsuspecting users   
   to install malicious applications and lose their work, experts have warned.    
      
   A security researcher with the alias LC4M discovered the campaign and shared a
   detailed explanation in a short X thread, noting the attackers created a
   GitHub account called "GitHub Notification", and then opened an issue on a
   well-known security repo stating "Security Alert: Unusual Access Attempt."
      
   "We have detected a login attempt on your GitHub account that appears to be
   from a new location or device," the fake alert reads. "If you recognize this
   activity, no further action is required. However, if this was not you, we
   strongly recommend securing your account immediately."
      
   OAuth app    
      
   The alert states the login attempt came from Reykjavik, Iceland, and shares   
   links where users can update their password, review and manage active   
   sessions, and even enable two-factor authentication (2FA).    
      
   However, all of the links lead to a GitHub authorization page for an OAuth    
   app called gitsecurityapp. This app requests numerous permissions, including   
   those that grant full access to public and private repositories, the ability   
   to read and write to the user profile, access to GitHub gists, the permission   
   to delete repositories, and more.    
      
   The researcher updated his thread to say that at least 8,000 GitHub   
   repositories were targeted. However, a BleepingComputer report puts the    
   number of targets at 12,000.    
      
   If you were targeted by this campaign and ended up granting the permissions,
   you should revoke the access as soon as possible, and after that, rotate
   your credentials and authentication tokens just to be on the safe side.
      
   LC4M could not confidently attribute the campaign to any known threat actor,
   but they do have their suspicions: "Smells DPRK?" they said, suggesting that
   this might be the work of North Korean state-sponsored threat actors.
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/these-fake-github-security-alerts-could-actually-let-hackers-hijack-your-account
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
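
An added example, not part of the original message or the news story: a link auditor that flags URLs leading to GitHub's OAuth authorization page and names the high-risk scopes requested, as in the gitsecurityapp prompt described above. The sample alert body and the EXAMPLE_CLIENT_ID value are constructed; the scope names are GitHub's OAuth scopes for the permissions the article lists.

```python
import re
from urllib.parse import urlparse, parse_qs

# GitHub OAuth scopes that correspond to the permissions listed in the article.
HIGH_RISK_SCOPES = {
    "repo": "full access to public and private repositories",
    "user": "read and write access to the user profile",
    "gist": "write access to gists",
    "delete_repo": "permission to delete repositories",
}

# Constructed sample of a fake alert body; the client_id is a placeholder.
_AUTH = ("https://github.com/login/oauth/authorize"
         "?client_id=EXAMPLE_CLIENT_ID&scope=repo%20user%20gist%20delete_repo")
SAMPLE_ALERT = f"""Security Alert: Unusual Access Attempt
- [Update your password]({_AUTH})
- [Review and manage active sessions]({_AUTH})
- [Enable two-factor authentication]({_AUTH})
"""


def audit_link(url):
    """Return None for an ordinary link, or details if it is an OAuth consent link."""
    parts = urlparse(url)
    if (parts.hostname or "").lower() != "github.com":
        return None
    if parts.path.rstrip("/") != "/login/oauth/authorize":
        return None
    query = parse_qs(parts.query)
    # Tolerate both space- and comma-separated scope lists.
    raw = " ".join(query.get("scope", []))
    scopes = raw.replace(",", " ").split()
    risky = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    return {"client_id": query.get("client_id", [""])[0],
            "scopes": scopes, "risky": risky}


def audit_alert(text):
    """Audit every URL in a message body; return findings for OAuth consent links."""
    urls = re.findall(r"https?://[^\s)>\]]+", text)
    return [f for f in map(audit_link, urls) if f is not None]


if __name__ == "__main__":
    for finding in audit_alert(SAMPLE_ALERT):
        print(finding["client_id"], "requests:", ", ".join(finding["scopes"]))
        for scope, why in finding["risky"].items():
            print(f"  HIGH RISK {scope}: {why}")
```

A genuine password, session or 2FA link goes to a settings page, so any finding returned for a message that claims to be a security alert is a reason to decline the authorization.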
      



(c) 1994,  bbs@darkrealms.ca