SlashNext warns of ‘GoIssue’ phishing tool targeting GitHub users
A new report released today by phishing protection company SlashNext Inc. warns of a sophisticated new phishing tool called GoIssue that targets GitHub users.
GoIssue was recently uncovered by SlashNext researchers on cybercrime forums, where it’s marketed to attackers looking to target GitHub users. The tool is advertised as a solution for sending bulk email campaigns directly to developers, allowing attackers to extract email addresses from GitHub profiles quickly using automated processes.
The tool works by leveraging GitHub tokens to scrape email addresses based on specific criteria such as organization affiliations. Once gathered, the email addresses are used in large-scale phishing campaigns that are carefully crafted to evade spam filters and reach developers’ inboxes directly.
GoIssue’s features extend beyond simple phishing: they also allow attackers to customize their campaigns to target specific developer communities, increasing the likelihood of successful credential theft.
To use GoIssue, attackers start by scraping email addresses from public GitHub profiles, then proceed with mass phishing campaigns disguised as legitimate GitHub notifications. The carefully crafted emails bypass spam filters and direct developers to phishing pages that steal credentials, download malware, or prompt rogue OAuth app authorizations to gain access to private repositories.
The tool’s capability to send targeted phishing emails at scale makes it highly effective, allowing attackers to impact thousands of developers in a single campaign. The ability to send at scale greatly increases the risk of data breaches, theft of sensitive code and compromised projects, ultimately endangering entire development ecosystems.
The tool is sold for $700 for a customized version or $3,000 for full source code access, making it accessible to a wide range of cyber criminals.
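For defenders, the lure described above (mail posing as a GitHub notification that leads to an off-platform page) can be triaged on three signals: the sender domain, the DKIM result and the hosts the links point to. The sketch below is an added example, not code from SlashNext or GitHub; the trusted domains, the Authentication-Results format and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example, not taken from the report: genuine
# notifications come from a github.com address, carry a github.com DKIM
# pass recorded by *your own* mail gateway, and link only to GitHub hosts.
SENDER_DOMAIN = "github.com"
LINK_HOSTS = ("github.com", "githubusercontent.com")
DKIM_OK = re.compile(r"dkim=pass\b[^;]*header\.d=github\.com(?=[\s;]|$)")
URL = re.compile(r"https?://[^\s\"'<>)]+")

def trusted_host(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LINK_HOSTS)

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if domain != SENDER_DOMAIN:
        findings.append("sender-domain:" + domain)
    # Only trust an Authentication-Results header stamped by your gateway.
    if not DKIM_OK.search(msg.get("Authentication-Results", "").lower()):
        findings.append("dkim-not-github")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL.findall(body):
            host = urlparse(url).hostname
            if not trusted_host(host):
                findings.append("off-platform-link:" + str(host))
    return findings

# Constructed sample messages (not real traffic).
PHISH = """\
From: GitHub <notifications@github-alerts.example>
Authentication-Results: mx.corp.example; dkim=pass header.d=github-alerts.example

Review and authorize the app: https://github.com.auth-review.example/authorize
"""
LEGIT = """\
From: Octo Dev <notifications@github.com>
Authentication-Results: mx.corp.example; dkim=pass header.d=github.com; spf=pass

View it on GitHub: https://github.com/example-org/example-repo/issues/1
"""
```

An empty list from `triage()` means none of the three signals fired; it does not prove a message is genuine, so treat the findings as input to review rather than a verdict.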
Discussing the report, Jason Soroko, senior fellow at certificate management solutions and SSL certificates provider Sectigo Ltd., told SiliconANGLE via email that “the emergence of GoIssue signals a new era where developer platforms become high-stakes battlegrounds and security defenses must evolve rapidly to counteract this pervasive threat.”
“By automating email address harvesting and executing large-scale, customized phishing campaigns, this tool enables attackers to exploit trusted developer environments,” Soroko explains. “As usual, the attacker’s goal is credential theft using OAuth-based repository hijacks.”
“The bad guys know what they are doing,” Soroko added. “This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community.”