GitHub notifications exploited to impersonate Y Combinator for crypto theft
Summary
A phishing campaign targeted GitHub users with fake Y Combinator (YC) W2026 program invitations to steal cryptocurrency. The attackers abused GitHub’s notification system by creating issues in multiple repositories and tagging targeted users. The phishing emails, sent from a legitimate GitHub source, directed users to a fraudulent site that drained their crypto wallets. The campaign exploited the trust placed in GitHub notifications and Y Combinator's reputation to lure developers into connecting their cryptocurrency wallets to a malicious site. The fraudulent site used obfuscated JavaScript to prompt users to verify their wallets, which authorized malicious transactions and resulted in the theft of crypto assets. The phishing campaign was reported to GitHub, IC3, and Google Safe Browsing, leading to the removal of the fraudulent repositories. Developers who connected their wallets to the malicious site are advised to move their assets to new wallets immediately.
Timeline
- 24.09.2025 15:37 (1 article)
GitHub notifications exploited to impersonate Y Combinator for crypto theft
A phishing campaign targeted GitHub users with fake Y Combinator (YC) W2026 program invitations. The attackers abused GitHub’s notification system by creating issues in multiple repositories and tagging targeted users. The phishing emails directed users to a fraudulent site that drained their crypto wallets using obfuscated JavaScript. The campaign was reported and the fraudulent repositories were removed. Developers who connected their wallets to the malicious site are advised to move their assets to new wallets immediately.
- GitHub notifications abused to impersonate Y Combinator for crypto theft — www.bleepingcomputer.com — 24.09.2025 15:37
Information Snippets
- The phishing campaign targeted GitHub users with fake invitations to the Y Combinator (YC) W2026 program.
  First reported: 24.09.2025 15:37 (1 source, 1 article)
  - GitHub notifications abused to impersonate Y Combinator for crypto theft — www.bleepingcomputer.com — 24.09.2025 15:37
- Attackers exploited GitHub’s notification system by creating issues in multiple repositories and tagging targeted users.
  First reported: 24.09.2025 15:37 (1 source, 1 article)
  - GitHub notifications abused to impersonate Y Combinator for crypto theft — www.bleepingcomputer.com — 24.09.2025 15:37
- The phishing emails were sent from a legitimate GitHub source, increasing their credibility.
  First reported: 24.09.2025 15:37 (1 source, 1 article)
  - GitHub notifications abused to impersonate Y Combinator for crypto theft — www.bleepingcomputer.com — 24.09.2025 15:37
- The fraudulent site used obfuscated JavaScript to prompt users to verify their wallets, authorizing malicious transactions.
  First reported: 24.09.2025 15:37 (1 source, 1 article)
  - GitHub notifications abused to impersonate Y Combinator for crypto theft — www.bleepingcomputer.com — 24.09.2025 15:37
- The campaign was reported to GitHub, IC3, and Google Safe Browsing, resulting in the removal of the fraudulent repositories.
  First reported: 24.09.2025 15:37 (1 source, 1 article)
  - GitHub notifications abused to impersonate Y Combinator for crypto theft — www.bleepingcomputer.com — 24.09.2025 15:37
- Developers who connected their wallets to the malicious site are advised to move their assets to new wallets.
  First reported: 24.09.2025 15:37 (1 source, 1 article)
  - GitHub notifications abused to impersonate Y Combinator for crypto theft — www.bleepingcomputer.com — 24.09.2025 15:37
Similar Happenings
Supply Chain Attack Targeting npm Registry Compromises 40 Packages
A supply chain attack targeting the npm registry has compromised over 700 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present. Additionally, a new wave of phishing attacks targets PyPI users, aiming to steal credentials to compromise Python packages with malware or publish new malicious packages.