GitHub Repos Targeted in Cyber-Extortion Attacks

Published: 23/11/2024   Category: security


Since at least February, a threat actor has been attempting to extort victims by stealing or wiping data in their GitHub repositories.



An unknown user going by the handle Gitloker is grabbing and wiping clean repositories on GitHub in an apparent effort to extort victims.
The campaign, which a researcher at Chilean cybersecurity firm CronUp highlighted in a message on social platform X this week, appears to have been ongoing since at least February 2024. Posts on GitHub community forums suggest that several GitHub users have run into the issue over the past few months, although the actual number remains unknown.
GitHub did not respond immediately to Dark Reading about whether the company is aware of the threat or on what advice it might have for GitHub users.
According to CronUp researcher German Fernandez, the attackers appear to be exploiting a GitHub commenting and notification feature. "With the above, they manage to deliver phishing emails through the legitimate notifications@github dot com," Fernandez wrote in his X post. "In addition, the sender's name can be manipulated by renaming the attacker's GitHub account." He identified the attackers as using two domains in the campaign: githubcareers dot online and githubtalentcommunity dot online.
On Feb. 22, GitHub user CodeLife234 reported an issue involving a friend's account that had been hacked and was subsequently flagged. That compromise apparently occurred after the victim clicked on a link in what turned out to be a spam email recruiting for a GitHub developer job.
The victim described the attacker as having created and pushed two repos to his account and leaving an extortion note as well. "This is an urgent notice to inform you that your data has been compromised, and we have secured a backup," the message posted on Telegram's anonymous blogging platform Telegraph said. "Currently, we are requesting a symbolic amount of $US1,000 to prevent the exposure of your files. It is crucial that everyone takes immediate action within the next 24 hours to avoid any data leaks."
The victim also described the attacker as deleting some repositories and said his accounts and projects were no longer publicly visible.
In comments responding to that post, another GitHub user with the handle Mindgames reported receiving an identical email purportedly for a GitHub developer job. The email, from notifications@github dot com, portrayed the job with a $180,000 salary and several attractive benefits. It urged the recipient to click on an embedded link to fill out additional information in the application process.
Yet another GitHub user reported receiving both a fake recruiting email and a fake security alert via the GitHub notification system in the last few months. A screenshot of the security alert showed the email as appearing to be signed by the GitHub Security Team and informing the recipient that their account had apparently been compromised.
"It appears that unauthorized access has been gained to our servers, potentially compromising user data and the integrity of our platform," the email said. It sought the recipient's immediate assistance in addressing the issue by clicking on a link that would purportedly authorize GitHub's security team to take necessary remedial action. Both the job and the security-related emails directed the user to https://githubcareer dot online/.
"These emails prompt users to authenticate on GitHub, and if no action is taken after a brief interval, the page automatically redirects to an OAuth2 authentication page with [specific] query parameters," the user said.
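The lure described above rides on a genuine notifications@github.com sender, so SPF and DKIM checks pass and only the display name and the link target give it away. The following triage function is an added example (not code from Dark Reading, CronUp or GitHub) that scores a raw message on exactly those signals: an off-platform or GitHub-lookalike link host and a request to authorize an OAuth app. The allow-list, the regexes and the sample message are assumptions; the lookalike host in the sample is a constructed placeholder, not one of the domains named in the article.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts a genuine GitHub notification may link to (assumption: minimal
# allow-list; add your GitHub Enterprise host if you run one).
TRUSTED_DOMAINS = {"github.com", "githubusercontent.com"}
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

def is_trusted(host: str) -> bool:
    """True only for a trusted domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage_github_notification(raw: str) -> dict:
    """Flag the pattern from the article: a real notifications@github.com
    sender (SPF/DKIM pass) with an attacker-chosen display name, whose call
    to action leaves github.com or asks to authorize an OAuth app."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    untrusted = sorted(h for h in hosts if not is_trusted(h))
    reasons = []
    if addr.lower() == "notifications@github.com" and untrusted:
        reasons.append("notification links off-platform: " + ", ".join(untrusted))
    if any("github" in h for h in untrusted):
        reasons.append("link host is a GitHub lookalike")
    if re.search(r"authoriz\w*.*oauth|oauth app", text, re.I | re.S):
        reasons.append("asks the recipient to authorize an OAuth app")
    return {"sender_name": name, "sender_addr": addr,
            "untrusted_hosts": untrusted, "reasons": reasons,
            "suspicious": bool(reasons)}

# Constructed sample in the shape of the recruiting lure; the lookalike host
# is a placeholder, not one of the domains named in the article.
SAMPLE_PHISH = """\
From: GitHub Careers <notifications@github.com>
To: dev@example.org
Subject: [GitHub] Developer position, $180,000 salary
Content-Type: text/plain; charset=utf-8

Complete your application here: https://githubcareer.example/apply
You will be asked to authorize the GitHub Talent OAuth app.
"""
```

Run it over a mail-gateway quarantine or a user-reported message; a hit on the first reason alone is enough to hold the mail for review, since a real GitHub notification never needs to send the reader off-platform to act.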
Not all of the GitHub extortion incidents appear the same, however.
Fernandez earlier this week posted a screenshot on his X account of an April 11 extortion note that Gitloker had left for someone who appeared to be associated with the GitHub repository of a B2C company. The note, from an individual identifying themselves as a cyber incident analyst, informed the recipient that the Gitloker team had found confidential information within the repository that would be damaging to the company if publicly released.
"We are willing to refrain from disclosing this information publicly in exchange for a payment of $250,000 USD," the attacker wrote. The note assured the victim of the continued confidentiality of the data if payment was received.
A GitHub spokesperson tells Dark Reading that the company investigates all reports of abusive or suspicious activity on its platform and takes action when merited. "We also encourage customers and community members to report abuse and spam," according to the spokesperson.
GitHub has recommended several measures for users who believe their GitHub account has been compromised:
Review active GitHub sessions, review personal access tokens, change the GitHub password, and reset two-factor recovery codes.
Review authorized OAuth apps, and do not click any links or reply to unsolicited messages from any source asking to authorize an OAuth app. Authorizing an OAuth app can expose a user's GitHub account and data to a third party, according to GitHub.
