A new phishing campaign is abusing GitHub’s “Issues” feature to distribute the Lumma Stealer password-stealing malware, targeting unsuspecting open-source project users.
In this campaign, malicious actors open a fake “issue” on popular GitHub repositories, falsely claiming the presence of a “security vulnerability” in the project. They then direct users to a counterfeit domain, “github-scanner[.]com,” which masquerades as a GitHub-affiliated site. However, this domain is designed to trick visitors into downloading Windows malware.
What makes this campaign particularly effective is the use of legitimate GitHub email notifications. When the threat actors file a new issue, subscribers to the affected repositories receive “IMPORTANT!” email alerts from the official GitHub servers, making the campaign seem more authentic. These emails, sent from notifications@github.com, falsely claim to be from the “GitHub Security Team.”
Once users visit the fraudulent domain, they are met with a fake CAPTCHA that, upon interaction, executes JavaScript code that copies malicious content to the user’s clipboard. The site then instructs the user to execute the copied code via the Windows Run command, which downloads and executes a file named “l6E.exe,” identified as the Lumma Stealer malware.
The Lumma Stealer is capable of stealing web browser credentials, authentication cookies, browsing history, cryptocurrency wallets, and other sensitive files from the infected device.
GitHub’s “Issues” Feature Being Abused
The campaign exploits GitHub’s “Issues” feature, where threat actors create pseudonymous GitHub accounts to flood repositories with these bogus security alerts. As a result, legitimate contributors receive phishing alerts directly from GitHub’s notification system.
GitHub users are advised to be vigilant, avoid clicking on suspicious links, and report such issues to GitHub. This incident highlights how popular platforms like GitHub can be exploited by cybercriminals to conduct supply chain attacks and spread malware.
Recently, similar campaigns have been seen, where threat actors replied to GitHub Issues with fake fixes that also distributed the Lumma Stealer malware. This alarming trend underscores the growing threat of attackers targeting developers to gain access to source code and inject malicious payloads.