Hackers abuse fake CircleCI notifications to steal GitHub accounts


Researchers have observed threat actors abusing the CircleCI notification feature to initiate a phishing attack. According to the report, the adversaries impersonated the CircleCI continuous integration and delivery platform to carry out the campaign.

The malicious messages inform recipients that the terms and privacy policy of the spoofed company have changed and that they need to sign in to their accounts to accept the alleged new conditions.

This lure allows the threat actors to steal GitHub account credentials and 2FA codes by relaying them through reverse proxies. Fortunately, GitHub accounts protected with hardware security keys for MFA are safe from these attacks.

Researchers also explained that the campaign does not directly affect the GitHub platform itself, but organisations that use it are affected because their credentials are put at risk by the attack.


CircleCI admins have already released an advisory in the company's forums.


The admin of the affected company has already posted a threat advisory regarding the fake CircleCI notifications. According to one of its representatives, the company will never ask its users to provide credentials in order to view changes to its terms of service.

Cybersecurity analysts also revealed some of the phishing domains used by the threat actors to disseminate the phishing messages. Sample domains used by the attackers include circle-cl[.]com, circle-ci[.]com, email-circleci[.]com, and emails-circleci[.]com.
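The four domains above all imitate the same brand string, so a mail gateway or log review can flag them, and close variants, with a simple heuristic. The following Python sketch is an added example, not code from the researchers, CircleCI or GitHub; it assumes `circleci.com` is the only legitimate sender domain, and the sender addresses are constructed for illustration.

```python
# Added example: flag sender domains that imitate a CI vendor's mail domain.
LEGIT = "circleci.com"   # assumption: the only legitimate domain for this check
BRAND = "circleci"

def refang(domain):
    """Undo defanging such as circle-ci[.]com and normalise case."""
    return domain.strip().lower().replace("[.]", ".").strip(".")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_brand(label, max_dist=1):
    """True if a brand-length window of the label (hyphens removed) is within max_dist edits."""
    s = label.replace("-", "")
    n = len(BRAND)
    windows = [s[i:i + n] for i in range(max(1, len(s) - n + 1))]
    return any(edit_distance(w, BRAND) <= max_dist for w in windows)

def classify(domain):
    """Return 'legit', 'lookalike' or 'unrelated' for a sender or link domain."""
    d = refang(domain)
    if d == LEGIT or d.endswith("." + LEGIT):
        return "legit"
    labels = d.split(".")[:-1]   # every label except the TLD
    return "lookalike" if any(near_brand(l) for l in labels) else "unrelated"

def flag_senders(addresses):
    """Return the sender addresses whose domain imitates the brand."""
    return [a for a in addresses if classify(a.rsplit("@", 1)[-1]) == "lookalike"]

# Constructed sample senders; the lookalike domains are the four listed in the article,
# plus one constructed subdomain trick under a reserved example domain.
SAMPLE = ["noreply@circleci.com", "notify@circle-cl[.]com", "notify@circle-ci[.]com",
          "terms@email-circleci[.]com", "terms@emails-circleci[.]com",
          "builds@github.com", "alerts@circleci.com.example.net"]

if __name__ == "__main__":
    for addr in flag_senders(SAMPLE):
        print("suspicious sender:", addr)
```

The check is a heuristic: it has no public-suffix list and will also flag unrelated third-party domains that happen to contain the brand string, so treat hits as review candidates rather than verdicts.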

The phishing operators create personal access tokens after stealing valid account credentials from victims. Moreover, they can authorise OAuth apps and add SSH keys to the stolen account to maintain persistence even if the user resets the password.

GitHub has also reported content exfiltration from private repositories after researchers discovered the new compromise. Further, the threat actors used proxy services or VPNs to make their attacks more elusive and harder for analysts to trace.

The hackers could also create new user accounts and add them to the organisation if the stolen account has organisation management permissions. This way, they can continue their attacks and retain access to the victim's organisation.

As of now, GitHub has already suspended the accounts that show signs of compromise or fraudulent activity. The platform has also stated that it has already reset the passwords of all compromised accounts and that the affected users will receive special notifications regarding the phishing incident.
