GoIssue Cybercrime Tool Targets GitHub Developers En Masse
Marketed on a cybercriminal forum, the $700 tool harvests email addresses from public GitHub profiles, priming cyberattackers for further credential theft, malware delivery, OAuth subversion, supply chain attacks, and other corporate breaches.
Researchers have uncovered a tool aimed at targeting GitHub users, distributed on a cybercrime forum. It offers bulk developer credential theft and the ability to conduct further malicious activities, including supply chain attacks.
The tool, called GoIssue and potentially linked to a previous GitHub repository extortion campaign called Gitloker, allows potential attackers to extract email addresses from GitHub profiles and to send bulk emails directly to user inboxes, researchers from SlashNext discovered.
At its core, the tool systematically harvests email addresses from public GitHub profiles, using automated processes and GitHub tokens to collect data based on various criteria, from organization memberships to stargazer lists, SlashNext revealed in a blog post on Nov. 12.
GoIssue is marketed to potential attackers at $700 for a custom build or $3,000 for full source code access. The tool combines bulk email capabilities with sophisticated data collection features, and protects the operator's identity through proxy networks, according to SlashNext.
Developers increasingly have become a top target for threat actors because they provide the keys to valuable source code that can be used to launch supply chain attacks, reaching numerous victims by merely altering or abusing lines of code. As the leading online repository for source code, GitHub already has been in the crosshairs of numerous malicious campaigns targeting its users.
"The emergence of GoIssue signals a new era where developer platforms become high-stakes battlegrounds, with attackers aiming to exploit trusted developer environments," observes Jason Soroko, senior fellow at Sectigo, an automated certificate life-cycle management firm.
GoIssue represents an evolution in GitHub-focused attack tools, giving attackers a way to orchestrate large-scale, customized phishing campaigns that can bypass spam filters and target specific developer communities, while attackers maintain the cover of anonymity.
Through these campaigns, attackers can harvest developer contact information and use it in phishing attacks that steal login credentials, spread malicious payloads to compromise a user's device, or distribute prompts for OAuth app authorization that give attackers access to private repositories and data.
In this way, threat actors can steal and/or poison source code from GitHub projects to launch supply chain and other attacks that can breach corporate networks, the researchers said. "This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community," Soroko observes.
When investigating GoIssue, the contact info provided to potential buyers of the tool led SlashNext researchers to a Telegram profile for cyberluffy, which states that someone called Cyber D Luffy is a member of the Gitloker team. Gitloker is an ongoing campaign uncovered in June that uses GitHub notifications to push malicious OAuth apps aimed at wiping developer repositories for extortion purposes.
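The OAuth authorization prompts described above, both in GoIssue's phishing and in the Gitloker campaign, are ordinary links to GitHub's authorize endpoint whose `scope` parameter spells out what the app will be able to do. The following is an added example written for this article (it is not SlashNext's code and not part of GoIssue or Gitloker) of a small triage helper a security team could run over a suspicious email: it pulls out every link, identifies those that point at an OAuth authorization page, flags hosts that merely look like github.com, and lists requested scopes that grant write or destructive access (`delete_repo` is the one a repository-wiping app would need). The email body, client IDs and redirect URI are constructed placeholders, and the high-risk scope shortlist is an editorial choice drawn from GitHub's documented scope names.

```python
"""Triage links in a suspicious "GitHub" email for OAuth app authorization lures.

Added example: not code from the article, SlashNext, GoIssue or Gitloker.
"""
import re
from urllib.parse import urlparse, parse_qs

# GitHub OAuth scope names that grant write or destructive access. The shortlist
# itself is an assumption chosen for this example; the names are GitHub's.
HIGH_RISK_SCOPES = {
    "repo", "delete_repo", "admin:org", "write:org", "admin:repo_hook",
    "workflow", "write:packages", "admin:gpg_key", "admin:public_key",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url):
    """Describe one URL: is it an OAuth authorize prompt, where does it really point, what does it ask for."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    result = {
        "url": url, "oauth_prompt": False, "lookalike_host": False,
        "scopes": [], "high_risk": [], "suspicious": False,
    }
    if parsed.path.rstrip("/") != "/login/oauth/authorize":
        return result
    result["oauth_prompt"] = True
    # GitHub's real authorization endpoint lives only on github.com; any other
    # host mimicking the path is a lure regardless of what it asks for.
    result["lookalike_host"] = host != "github.com"
    # GitHub accepts a space- or comma-separated list in a single `scope` parameter.
    raw = " ".join(parse_qs(parsed.query).get("scope", []))
    scopes = [s for s in re.split(r"[\s,]+", raw) if s]
    result["scopes"] = scopes
    result["high_risk"] = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    # A genuine github.com prompt is still suspicious when it asks for write or delete rights.
    result["suspicious"] = result["lookalike_host"] or bool(result["high_risk"])
    return result


def triage_email(body):
    """Return the classified OAuth authorization links found in an email body, in order of appearance."""
    return [r for r in (classify_link(u) for u in URL_RE.findall(body)) if r["oauth_prompt"]]


# Constructed sample: a lure on the real github.com asking for repo + delete_repo,
# a harmless docs link, and a second lure on a lookalike host. All IDs are placeholders.
SAMPLE_EMAIL = """\
[GitHub] Your repository has been flagged. Review the notice at
https://github.com/login/oauth/authorize?client_id=EXAMPLE_CLIENT_ID&scope=repo%20delete_repo&redirect_uri=https://example.test/cb
or read the documentation at https://docs.github.com/en/apps
Need help? https://github.com.login-support.example/login/oauth/authorize?client_id=EXAMPLE_ID_2&scope=read:user
"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print(finding["url"])
        print("  lookalike host:", finding["lookalike_host"])
        print("  scopes:", finding["scopes"], "high risk:", finding["high_risk"])
        print("  suspicious:", finding["suspicious"])
```

The first link is the Gitloker pattern: the host is genuinely github.com, so domain-based filters pass it, and the only signal is the `delete_repo` scope in the prompt itself. The second link is the classic lookalike lure, which is flagged on the host alone even though it requests nothing dangerous. Reviewing the authorized applications list in GitHub account settings remains the check for prompts a user has already accepted.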
Moreover, in a thread advertising GoIssue, the seller even links to high-profile security blogs that detail and validate Gitloker attack efficacy. This seems to suggest that the same attackers selling GoIssue are behind Gitloker, and the tool could be an extension of the Gitloker campaign or an evolved version of the same tool, according to SlashNext.
Both tools share a similar target audience (GitHub users) and leverage email communication to initiate attacks, according to the post. This overlap in purpose and personnel strongly supports the theory that they are either linked or variations of one another.
No matter who is distributing the tool, it represents a dire warning to developers using GitHub that they need to remain vigilant and not engage with any anomalous email correspondence or messages that seem suspicious, the researchers noted. This isn’t just spam; it’s a potential entry point to taking over your account or projects, according to SlashNext.
Enterprises with developers in the organization that use GitHub in particular should be especially proactive and adaptive at securing their people, notes Mika Aalto, co-founder and CEO at human risk-management firm Hoxhunt.
As attackers leverage automation and advanced tools with increasing sophistication, we must give people the instincts to recognize a suspicious email and the skills to report threats that bypass filters, he says.
Enterprises also should integrate human threat intelligence into the security stack to facilitate accelerated detection and response to suspicious activity, Aalto adds.