Research from SlashNext has revealed a tool responsible for many recent GitHub phishing attacks. Known as GoIssue, this sophisticated tool specializes in phishing and repository hacking and is used to send bulk emails to GitHub users.
Jason Soroko, Senior Fellow at Sectigo, comments, “The emergence of GoIssue signals a new era where developer platforms become high-stakes battlegrounds, and security defenses must evolve rapidly to counteract this pervasive threat. By automating email address harvesting and executing large-scale, customized phishing campaigns, this tool enables attackers to exploit trusted developer environments. As usual, the attacker’s goal is credential theft using OAuth-based repository hijacks. The bad guys know what they are doing. This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community.”
Researchers believe GoIssue may be linked to the GitLoker extortion campaign. Furthermore, the research asserts GoIssue is more than just a phishing threat, as it could also lead to supply chain attacks, source code theft, and enterprise network breaches.
Mr. Mika Aalto, Co-Founder and CEO at Hoxhunt, states, “Any time the tools and relationships that we trust most are turned against us so easily and at such scale, it reminds us of the need for a proactive and adaptive approach to securing our people. As attackers leverage automation and advanced tools with increasing sophistication, we must give people the instincts to recognize a suspicious email and the skills to report threats that bypass filters. Equally important, we need to integrate human threat intelligence into the center of the security stack. A good Human Risk Management platform equips SOC teams with the tools to leverage human intelligence for accelerated detection and response. If you see something, say something, and make sure you have a behavior change platform that is designed to help you do something as quickly as possible.”