'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

Source: Piotr Swat via Alamy Stock Photo

Researchers have uncovered a tool aimed at targeting GitHub users, distributed on a cybercrime forum. It offers bulk developer credential theft and the ability to conduct further malicious activities, including supply chain attacks.

The tool — called GoIssue and potentially linked to a previous GitHub repository extortion campaign called Gitloker — allows potential attackers to extract email addresses from GitHub profiles and to send bulk emails directly to user inboxes, researchers from SlashNext discovered.

“At its core, the tool systematically harvests email addresses from public GitHub profiles, using automated processes and GitHub tokens to collect data based on various criteria — from organization memberships to stargazer lists,” SlashNext revealed in a blog post on Nov. 12.

GoIssue is marketed to potential attackers at $700 for a custom build or $3,000 for full source code access. The tool combines bulk email capabilities with sophisticated data collection features, and protects the operator’s identity through proxy networks, according to SlashNext.

________________________________

Don’t miss the upcoming free Dark Reading Virtual Event, “Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors,” Nov. 14 at 11 a.m. ET. Don’t miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Citrix Issues Patches for Zero-Day Recording Manager Bugs

________________________________

Developers Have a Target on Their Backs

Developers increasingly have become a top target for threat actors because they provide the keys to valuable source code that can be used to launch supply chain attacks, reaching numerous victims by merely altering or abusing lines of code. As the leading online repository for source code, GitHub already has been in the crosshairs of numerous malicious campaigns targeting its users.

“The emergence of GoIssue signals a new era where developer platforms become high-stakes battlegrounds,” with attackers aiming to “exploit trusted developer environments,” observes Jason Soroko, senior fellow at Sectigo, an automated certificate life-cycle management firm.

GoIssue represents an evolution in GitHub-focused attack tools, giving attackers a way to orchestrate large-scale, customized phishing campaigns that can bypass spam filters and target specific developer communities, while attackers maintain the cover of anonymity.

Related:Citrix ‘Recording Manager’ Zero-Day Bug Allows Unauthenticated RCE

Through these campaigns, attackers can steal developer credentials and use that stolen information in phishing attacks that can steal login credentials, spread malicious payloads to compromise a user’s device, or distribute prompts for OAuth app authorization that give attackers access to private repositories and data.

In this way, threat actors can steal and/or poison source code from GitHub projects to launch supply chain and other attacks that can breach corporate networks, the researchers said. “This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community,” Soroko observes.

Cybercrime Link to Gitloker Extortion Campaign?

When investigating GoIssue, the contact info provided to potential buyers of the tool led SlashNext researchers to a Telegram profile for “cyberluffy,” which states that someone called “Cyber D’ Luffy” is a member of the Gitloker team. Gitloker is an ongoing campaign uncovered in June that uses GitHub notifications to push malicious OAuth apps aimed at wiping developer repositories for extortion purposes.

Moreover, in a thread advertising GoIssue, the seller even links to high-profile security blogs that detail and validate Gitloker attack efficacy. This seems to suggest that the same attackers selling GoIssue are behind Gitloker, and the tool “could be an extension of the Gitloker campaign or an evolved version of the same tool,” according to SlashNext.

Related:’SteelFox’ Malware Blitz Infects 11K Victims With Bundle of Pain

“Both tools share a similar target audience (GitHub users) and leverage email communication to initiate attacks,” according to the post. “This overlap in purpose and personnel strongly supports the theory that they are either linked or variations of one another.”

No matter who is distributing the tool, it represents a dire warning to developers using GitHub that they need to remain vigilant and not engage with any anomalous email correspondence or messages that seem suspicious, the researchers noted. “This isn’t just spam; it’s a potential entry point to taking over your account or projects,” according to SlashNext.

Enterprises with developers in the organization that use GitHub in particular should be especially proactive and adaptive at securing their people, notes Mika Aalto, co-founder and CEO at human risk-management firm Hoxhunt.

“As attackers leverage automation and advanced tools with increasing sophistication, we must give people the instincts to recognize a suspicious email and the skills to report threats that bypass filters,” he says.

Enterprises also should integrate human threat intelligence into the security stack to facilitate accelerated detection and response to suspicious activity, Aalto adds.

About the Author

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.