A sophisticated phishing campaign has been targeting GitHub developers, tricking them into authorizing a malicious OAuth application that can lead to a full account takeover. The campaign, dubbed "Click-fix," has reportedly targeted over 12,000 GitHub repositories, according to cybersecurity researcher Luc4m.

The phishing campaign involves fake "Security Alerts" that prompt users to authorize a malicious OAuth application called "gitsecurityapp." The alert claims to detect an unusual access attempt on the user's GitHub account from a new location or device, urging them to take action to secure their account. However, the recommended actions, including updating passwords, reviewing active sessions, and enabling two-factor authentication, all lead to a GitHub authorization page for the malicious app.

The "gitsecurityapp" OAuth app requests a list of risky permissions, including access to and deletion of public and private repositories, read or write user profiles, read organization membership and projects, and access to GitHub gists. This level of access would allow attackers to gain full control over the affected accounts and codes.

Luc4m first reported the fake alerts on Sunday morning, stating that the campaign made almost 4,000 attempts in just a few minutes. Cybersecurity news website BleepingComputer later confirmed that close to 12,000 repositories were targeted until early Monday morning.

The phishing campaign has raised suspicions of possible nation-state connections, with Luc4m hinting at a potential link to North Korea. North Korea is known for using click-fix attacks for its cyber espionage activities, with Contagious Interviews being a prominent example.

All GitHub fake alerts included the same login information, including location: Reykjavik, Iceland, IP Address: 53.253.117.8, and Device: Unrecognized. Luc4m shared indicators of compromise (IoCs) to help protect users, including the GitHub account "hishamaboshami" and App ID "Ov23liQMsIZN6BD8RTZZ." The fake "security app" was deployed using render, a cloud for hosting web applications, at s://github-com-auth-secure-access-token.onrender.com.

This phishing campaign highlights the importance of vigilance and cybersecurity best practices, especially among developers and organizations that rely on GitHub for collaborative coding and version control. As the attack vector continues to evolve, it is crucial for users to remain cautious and verify the authenticity of security alerts before taking any action.

The incident also underscores the need for GitHub to improve its security measures and alert systems to prevent such campaigns from succeeding in the future. With the increasing reliance on cloud-based services and collaborative platforms, the stakes are higher than ever, and it is essential for both users and service providers to prioritize cybersecurity and protect against sophisticated threats.