
"In early 2025, GitHub lit up with confusion and more than a little panic. Thousands of developers found suspicious issues posted in their public repositories, flagged with a GitHub-style 'Security Alert: Unusual Access Attempt' warning. The problem? It wasn't GitHub. It was an attacker masquerading as GitHub support, luring developers into authorizing a malicious OAuth app (gitsecurityapp) under the guise of incident response. No zero-day. No credential theft. Just OAuth abuse, at scale."
"Once users clicked 'Authorize,' the malicious app inherited repo-level permissions, including access to:
- Source code (obviously)
- GitHub Actions secrets and automation tokens
- Linked infrastructure provisioning (Terraform, Pulumi, etc.)
- Hard-coded API keys and credentials
- Read/write org-level metadata in some cases
From there, attackers could pivot laterally across repos, leak code, plant backdoors, and poison builds. This wasn't just a repo hygiene issue. It was a"
In early 2025 thousands of developers received malicious GitHub-style security alerts that lured them to authorize a fake OAuth application. The application inherited repo-level permissions including source code, GitHub Actions secrets and automation tokens, infrastructure provisioning links (Terraform, Pulumi), hard-coded API keys, and in some cases read/write organization metadata. OAuth apps frequently lack centralized policy, logging, and governance found in SAML or OIDC flows, allowing such authorizations to fly under the radar. Attackers leveraged these permissions to exfiltrate code, plant backdoors, poison builds, and move laterally. Mitigations include improving visibility, enforcing least-privilege, restricting third-party apps, and automating revocation and monitoring.
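As an added example (not code from the InfoWorld article or from GitHub), the least-privilege review the summary calls for, applied to OAuth grant records: it flags apps outside a reviewed allowlist and any grant carrying a broad GitHub scope such as repo, workflow or admin:org. The grant records and every app name other than gitsecurityapp are constructed, and exporting the records from GitHub is assumed to happen elsewhere.

```python
# Added example (not from the InfoWorld article): least-privilege review of OAuth
# app grants. Scope meanings follow GitHub's documented OAuth scopes; the grant
# records below are constructed for illustration, not real authorizations.
# What each broad scope hands an app, phrased in the terms the article uses.
HIGH_RISK_SCOPES = {
    "repo": "full read/write on every repo: source code, secrets API, hooks",
    "workflow": "can add or modify GitHub Actions workflow files (build poisoning)",
    "admin:org": "full control of the organization, teams and membership",
    "write:org": "read/write organization membership and projects",
    "admin:repo_hook": "manage repository webhooks (a quiet exfiltration channel)",
}

def evaluate_grant(app_name, scopes, allowlist):
    """Return findings for one OAuth authorization (empty list = nothing to flag).
    allowlist holds the app names the organization has explicitly reviewed."""
    findings = []
    if app_name not in allowlist:
        findings.append(f"{app_name}: not on the reviewed-app allowlist")
    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            findings.append(f"{app_name}: scope '{scope}' -> {HIGH_RISK_SCOPES[scope]}")
    return findings

def review_grants(grants, allowlist):
    """Sort grants into 'revoke' (unreviewed app holding a high-risk scope)
    and 'review' (anything else that produced findings)."""
    report = {"revoke": [], "review": []}
    for g in grants:
        findings = evaluate_grant(g["app"], g["scopes"], allowlist)
        if not findings:
            continue
        unreviewed = g["app"] not in allowlist
        broad = any(s in HIGH_RISK_SCOPES for s in g["scopes"])
        bucket = "revoke" if unreviewed and broad else "review"
        report[bucket].append({"app": g["app"], "findings": findings})
    return report

# Constructed sample grants. The first mirrors the campaign described above:
# an app nobody reviewed that was handed repo-wide permissions.
SAMPLE_GRANTS = [
    {"app": "gitsecurityapp", "scopes": ["repo", "workflow", "admin:org"]},
    {"app": "acme-deploy-bot", "scopes": ["read:org"]},
    {"app": "internal-ci", "scopes": ["repo"]},
]
ALLOWLIST = {"acme-deploy-bot", "internal-ci"}

if __name__ == "__main__":
    for bucket, items in review_grants(SAMPLE_GRANTS, ALLOWLIST).items():
        print(bucket, [i["findings"] for i in items])
```

An allowlisted app that still carries `repo` lands in `review` rather than `revoke`, so the output separates "cut this now" from "confirm this is still needed".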
Read at InfoWorld