An actor claiming membership in the Gitloker hacking group is offering a new GitHub phishing tool for sale or rent.
The actor, Cyber Luffy, claims to be “a member of Gitloker Team”. He describes the tool, Goissue, as “the premier solution for efficiently extracting GitHub users and their emails.”
The Gitloker team has been hijacking GitHub repositories, wiping them, and extorting developers to assist in their recovery since early 2024. Reporting on this new discovery of Goissue, SlashNext believes that the sale and use of an automated phishing tool is a logical extension of Gitloker’s operations. “Eventually, once you’ve performed the attack and it works and you’ve operationalized it,” SlashNext Field CTO Stephen Kowski told SecurityWeek, “now you have a set of tools, and now, well, you don’t have to do the work yourself — you can just sell access to the tools.”
Goissue allows attackers to extract email addresses from GitHub repositories and to extend the threat beyond the individual developers to their entire organizations. “It’s a gateway to source code theft, supply chain attacks, and corporate network breaches through compromised developer credentials,” warns SlashNext.
Goissue’s features include customizable email templates, proxy support, email address extraction, and token management. Scraping modes including followers, stargazers, organizations and queries. “Additional features will be added in future updates, making the tool even more robust and versatile,” claims Cyber Luffy in a ‘watch this space’ message on the Goissue forum.
An attack could start with harvesting email addresses from public GitHub profiles, followed by phishing campaigns using fake GitHub notification emails. The result would likely be malicious spam-filter-evading links to a phishing page that is designed to steal developer credentials, deliver malware, or a rogue OAuth app authorization prompt granting access to private repositories and data. Goissue effectively automates the process allowing attacks to be scaled, increasing the risk of successful breaches.
“Any time the tools and relationships that we trust most are turned against us so easily and at such scale, it reminds us of the need for a proactive and adaptive approach to securing our people,” warns Mika Aalto, co-founder and CEO at Hoxhunt. “As attackers leverage automation and advanced tools with increasing sophistication, we must give people the instincts to recognize a suspicious email and the skills to report threats that bypass filters.”
Jason Soroko, Senior Fellow at Sectigo, calls it a new era where developer platforms become high-stakes battlegrounds. “By automating email address harvesting and executing large-scale, customized phishing campaigns, this tool enables attackers to exploit trusted developer environments. As usual, the attacker’s goal is credential theft using OAuth-based repository hijacks. The bad guys know what they are doing. This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community,” he told SecurityWeek.
Advertisement. Scroll to continue reading.
SlashNext calls it a red flag. “This isn’t just spam; it’s a potential entry point to taking over your account or projects. With GoIssue potentially linked to GitLoker, the threat is bigger than ever,” reports the researcher, reformed blackhat Daniel Kelley.
Related: GitHub Patches Critical Vulnerability in Enterprise Server
Related: Critical Authentication Flaw Haunts GitHub Enterprise Server
Related: GitHub Actions Artifacts Leak Tokens and Expose Cloud Services and Repositories