Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

GitHub notifications exploited to impersonate Y Combinator for crypto theft

📰 1 unique source, 1 article

Summary

A phishing campaign targeted GitHub users with fake Y Combinator (YC) W2026 program invitations to steal cryptocurrency. The attackers abused GitHub’s notification system by creating issues in multiple repositories and tagging targeted users, so the phishing emails arrived from a legitimate GitHub source. The emails directed users to a fraudulent site that drained their crypto wallets. The campaign exploited trust in GitHub notifications and Y Combinator's reputation to lure developers into connecting their cryptocurrency wallets to the malicious site, which used obfuscated JavaScript to authorize transactions the victims had not approved, resulting in the theft of crypto assets. The campaign was reported to GitHub, IC3, and Google Safe Browsing, leading to the removal of the fraudulent repositories. Developers who connected their wallets to the malicious site are advised to move their assets to new wallets immediately.

Timeline

  1. 24.09.2025 15:37 📰 1 article · ⏱ 2h ago

    GitHub notifications exploited to impersonate Y Combinator for crypto theft

    A phishing campaign targeted GitHub users with fake Y Combinator (YC) W2026 program invitations. The attackers abused GitHub’s notification system by creating issues in multiple repositories and tagging targeted users. The phishing emails directed users to a fraudulent site that drained their crypto wallets using obfuscated JavaScript. The campaign was reported and the fraudulent repositories were removed. Developers who connected their wallets to the malicious site are advised to move their assets to new wallets immediately.

Similar Happenings

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 700 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present. Additionally, a new wave of phishing attacks targets PyPI users, aiming to steal credentials to compromise Python packages with malware or publish new malicious packages.