GitHub OAuth token exploit

GitHub’s issue-notification system is being used as a phishing channel to trick developers into approving malicious OAuth apps with access to their repositories and workflows. (gbhackers.com) OAuth is the “sign in with” plumbing that lets one app ask another service for permission. On GitHub, approving a rogue OAuth app can mint a token that acts like a reusable key for code, settings, and automation. (gbhackers.com) The lure arrives as a real GitHub notification, not a fake login page. Attackers open a public issue, tag a target, and GitHub sends the message from its own noreply system, which helps it pass normal email trust checks. (gbhackers.com) The issue text typically claims there was an “unusual access attempt” or another urgent security problem. The embedded links then send the victim to a legitimate github.com authorization screen for an attacker-controlled OAuth app. (bleepingcomputer.com) (gbhackers.com) That matters because the attack does not need a stolen password and can sidestep multi-factor authentication by abusing consent. Once the victim clicks “Authorize,” GitHub issues an access token directly to the malicious app. (gbhackers.com) The permissions can be broad. BleepingComputer reported a March 16, 2025 campaign targeting nearly 12,000 repositories with a rogue app called “gitsecurityapp” that asked for full repository access, organization read access, gists, repository deletion, and GitHub Actions workflow control. (bleepingcomputer.com) With that level of access, an attacker can clone private code, push malicious commits, edit workflow files, trigger automation, and tamper with releases. Those are the same paths developers use to build and ship software, which is why security researchers treat this as a supply-chain threat. (gbhackers.com) (csoonline.com) The TrueConf case in the prompt is a different kind of compromise. Check Point said CVE-2026-3502 was a zero-day in the TrueConf client updater that let an attacker controlling an on-premises server push tampered updates to connected Windows clients. (research.checkpoint.com) (nvd.nist.gov) NIST’s National Vulnerability Database describes CVE-2026-3502 as “download of code without integrity check,” and CISA added it to the Known Exploited Vulnerabilities catalog on April 2, 2026, with a remediation due date of April 16, 2026, for federal agencies. (nvd.nist.gov) Check Point said the TrueConf flaw was exploited against government entities in Southeast Asia and that the vendor’s fix shipped in TrueConf Windows client version 8.5.3 in March 2026. The researchers tied the campaign, with moderate confidence, to a Chinese-nexus threat actor. (research.checkpoint.com) The overlap between the two stories is the mechanism of trust. In one case, attackers abuse GitHub’s trusted notification and authorization flow; in the other, they abuse a trusted software updater. Both turn routine admin actions into code-execution paths. (gbhackers.com) (research.checkpoint.com) For GitHub users, the immediate checks are whether any unfamiliar OAuth app was authorized, whether repository webhooks or workflow files changed, and whether automation secrets were exposed after approval. The attack starts with one click, but the damage can spread through every repository that token can reach. (bleepingcomputer.com) (gbhackers.com)