A new phishing tool called GoIssue has emerged, targeting GitHub developers through large-scale email campaigns. Developed by the threat actor known as cyberdluffy, GoIssue is designed to extract email addresses from public GitHub profiles, allowing attackers to send bulk phishing emails directly to developers’ inboxes. The tool, first advertised on the Runion forum, can bypass spam filters and is marketed as a way for cybercriminals to efficiently reach specific developer communities. With a custom build priced at $150 and full source code access available for $1,000, GoIssue provides an accessible method for launching sophisticated phishing attacks.
The tool’s main function is to send mass emails that appear to come from legitimate sources, tricking developers into clicking on malicious links. These links lead to fraudulent login pages or requests to authorize rogue OAuth applications. Once authorized, these malicious apps can gain unauthorized access to a developer’s private repositories, steal sensitive code, or introduce malware into the project. SlashNext, a cybersecurity firm, warns that GoIssue could serve as a gateway for larger attacks, including supply chain compromises and corporate network breaches, as developers’ credentials and project data are hijacked.
GoIssue’s operation relies on compromising GitHub accounts, often using already compromised profiles to tag developers in spam comments on open issues or pull requests. This technique creates the illusion of a legitimate communication, which triggers the phishing emails. Once the victim clicks on the link, they are directed to a bogus OAuth app that requests permissions to access their private data. If the developer unknowingly grants the app permission, the attackers gain full control over the repositories, allowing them to replace the code with ransom notes or delete critical files.
The emergence of GoIssue is part of a broader trend in which phishing attacks are becoming increasingly targeted and sophisticated. Similar to other advanced phishing techniques, such as those involving Microsoft Visio files and SharePoint, GoIssue uses trusted platforms to enhance its chances of success. As phishing tactics evolve, developers must be vigilant and adopt robust security practices, including two-factor authentication and careful scrutiny of login requests, to defend against these increasingly sophisticated threats.
