
GitHub Repos Under Attack in Cyber-Extortion Campaigns


An unidentified actor operating under the name “Gitloker” has been causing havoc on GitHub by seizing and erasing repositories in a suspected attempt to extort victims. The campaign was brought to light by a researcher at Chilean cybersecurity firm CronUp on the social platform X and has been ongoing since at least February 2024. Posts on GitHub community forums indicate that several GitHub users have fallen victim to the scheme, although the exact number of affected individuals remains unknown.

GitHub has not yet addressed inquiries from Dark Reading regarding its awareness of this threat or any guidance it may have for users to safeguard themselves. According to CronUp researcher German Fernandez, the perpetrators are abusing a GitHub commenting and notification feature to carry out their malicious activities. Because GitHub delivers these notifications from its legitimate “notifications@github.com” address and fills in the sender’s display name from the commenting GitHub account, the attackers can send phishing emails that appear to come from GitHub while controlling the name the recipient sees. The attackers have been observed using two domains in the campaign: “githubcareers.online” and “githubtalentcommunity.online.”
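The detection angle that follows from this is that the sender address of these lures is genuine, so filtering on it alone is useless; what gives the lure away is where its links point. The following Python script is an added example written for this article and is not code from CronUp, Dark Reading or GitHub. It parses a constructed sample message (the sender address and the two lookalike domains are taken from the report above; everything else in the sample is invented) and flags a message that really comes from notifications@github.com but carries links to hosts outside github.com. The trusted-host list and the "plain text body only" simplification are assumptions of the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Hosts a genuine GitHub notification is expected to link to (assumption of this example).
TRUSTED_HOSTS = {"github.com", "www.github.com"}

# Constructed sample lure: the sender address and the two lookalike domains come from the
# article; the recipient, subject, body text and paths are invented for this example.
SAMPLE_LURE = """\
From: "GitHub Talent Team" <notifications@github.com>
To: dev@example.invalid
Subject: [GitHub] You have been selected for a developer position
Content-Type: text/plain; charset=utf-8

A recruiter mentioned you in an issue.
Apply here: https://githubtalentcommunity.online/apply?u=dev
Details: https://githubcareers.online/jobs/123
Thread: https://github.com/example/repo/issues/42
"""

# Constructed sample of an ordinary notification, for comparison.
SAMPLE_CLEAN = """\
From: "octocat" <notifications@github.com>
To: dev@example.invalid
Subject: Re: [example/repo] Fix typo (PR #7)
Content-Type: text/plain; charset=utf-8

Looks good, merging.
https://github.com/example/repo/pull/7#issuecomment-1
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_trusted_host(host):
    """True for github.com itself and any of its subdomains (e.g. api.github.com)."""
    host = host.lower()
    return host in TRUSTED_HOSTS or host.endswith(".github.com")


def extract_links(body):
    """Return every http(s) URL found in the message body, in order of appearance."""
    return URL_RE.findall(body)


def analyze_notification(raw):
    """Parse a raw RFC 5322 message and report properties relevant to this lure pattern.

    A message is marked suspicious when it genuinely originates from
    notifications@github.com yet contains links to hosts outside github.com:
    that combination is exactly what the abused notification feature produces.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sender_addr = msg["From"].addresses[0]
    sender = sender_addr.addr_spec.lower()
    display_name = sender_addr.display_name
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = extract_links(body)
    untrusted = [u for u in links if not is_trusted_host(urlparse(u).hostname or "")]
    legit_sender = sender == "notifications@github.com"
    return {
        "sender": sender,
        "display_name": display_name,   # attacker-controlled via the GitHub account name
        "legit_sender": legit_sender,
        "untrusted_links": untrusted,
        "suspicious": legit_sender and bool(untrusted),
    }


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, analyze_notification(sample))
```

Run stand-alone, the script reports the lure as suspicious (two untrusted links behind a legitimate sender and a recruiter-style display name) and the ordinary notification as clean. In a mail gateway the same check would be applied to every message whose envelope or From address is notifications@github.com, which is a small, well-defined population to inspect.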

Multiple incidents of extortion via GitHub have been reported, highlighting the seriousness of the situation. In one instance, a GitHub user named CodeLife234 reported that a friend’s account was compromised after the friend clicked a link in a spam email posing as a GitHub developer job offer. The attacker proceeded to create and upload repos to the victim’s account and left an extortion note demanding payment of $1,000 to prevent data exposure. Other users have also received fake recruiting emails and security alerts through the GitHub notification system, urging them to act on links that lead to account compromise.

While not all GitHub extortion scenarios are identical, they share a common thread of threat and manipulation. Fernandez recently shared a screenshot of an extortion note left by Gitloker in a GitHub repository affiliated with a B2C company. In the note, the attacker claimed to have come across confidential information that could harm the company if made public, offering to withhold the data in exchange for $250,000. GitHub has stated that it investigates all reports of abusive or suspicious behavior on its platform and takes appropriate action. Users who suspect their account has been compromised are advised to review active sessions and personal access tokens, change their passwords, and reset their two-factor authentication codes.

In conclusion, GitHub users must remain vigilant and take necessary precautions to protect their accounts from malicious actors like Gitloker. By staying informed and following the recommended security measures, users can minimize the risk of falling victim to extortion and data theft schemes on the platform. GitHub continues to investigate these incidents and encourages users to report any abusive or suspicious activities they encounter.
