This morning I was awaken to a strange notification on my phone, I got tagged in a comment on GitHub. Since I have the GitHub app on my phone, I get push notifications of such things...
When I opened it up - reminder this was shortly after getting out of bed, before I even had my first coffee and it was on a mobile client, so I didn't have much context, just wanted to check my notifications - I got the weirdest comment I've ever seen on GitHub.
Hi wanna see my nude photo [shortened link]
bunch of other tagged users
More photo goo [shortened link]
Now even in such an early hour this tripped off my defenses as an obvious phishing attempt. So I decided that instead of watching some "nude photos", I'll click the "Report Abuse" option and direct the attention of GitHub's security team towards this comment.
GitHub responded quickly:
Our review of the account(s) and/or content named in your report has concluded. We have determined that one or more violations of GitHub’s Terms of Service have occurred and have taken appropriate action in response.
The strangest thing is that I'm not even a follower of this repo where the discussion was started, which by the way is a R toolkit for single cell genomics.
The phishing (or malware spreading or whatever shady business) is pretty obvious here, but I could imagine that this could be tunned up to be a bit more personalized for targeted individuals.
Has anyone encountered this or similar malicious use of GitHub's community features? Maybe does someone know what's the background of the scam?
Top comments (2)
Same thing last night. Probably part of same attack. I was tagged in a different but similar comment to the one you posted about. It was in a repo I have nothing to do with. I was on my phone at time so got the mobile app notification instantly. I blocked user and then reported. The response from GitHub was same as yours just not as quick as yours, got it by the morning.
Same message came to me today.