A newly uncovered phishing campaign is exploiting GitHub’s OAuth2 device authorization flow to compromise developer accounts and steal authentication tokens. This sophisticated attack leverages legitimate GitHub functionality, making it difficult to detect using conventional security controls. Unlike traditional phishing methods that rely on fake websites or suspicious links, attackers use GitHub’s native device authentication mechanism to deceive victims. This tactic mirrors previously seen techniques in Azure Active Directory phishing, but with a strategic focus on compromising the software development lifecycle through GitHub, which has become a critical hub for source code, CI/CD workflows, and proprietary secrets.

The attack begins with the threat actor initiating a device code request to GitHub’s OAuth API, often using legitimate client identifiers such as Visual Studio Code’s client ID to appear trustworthy. The API responds with a device code, a six-digit user code, a verification URL, and a limited time window for authentication. The attackers then social engineer developers, frequently through phone calls, to enter the code on GitHub’s verification page under the guise of IT support or security staff requesting routine device registration or authentication updates. Once the code is entered and approved, the attacker receives an OAuth token granting access to the victim’s GitHub account.

This OAuth token, once obtained, can be used to access source code, secrets stored in GitHub Actions, and sensitive repository content, and may even allow attackers to execute code on self-hosted runners or implant backdoors. Such capabilities pose a grave risk of widespread supply chain compromise, as demonstrated by past incidents like the “tj-actions” breach. With access to even a single developer account, attackers can infiltrate broader systems and potentially distribute malicious code to downstream consumers, amplifying the impact well beyond the initial breach.

The effectiveness of this campaign is underscored by Researchers, who report success rates exceeding 90% when the phishing is delivered via voice calls. This method exploits trust and urgency, particularly in environments where developers regularly interact with security or IT teams. The campaign highlights the pressing need for enhanced behavioral monitoring and additional verification layers around GitHub OAuth workflows. As software supply chains become increasingly centralized around platforms like GitHub, attacks exploiting trusted platform features represent a growing and urgent threat to organizations worldwide.