GitHub notification emails used to send malware

Nature of the attack

  • Attack uses GitHub issues/comments plus notification emails as a trusted delivery channel.
  • Pattern: brand-new accounts open issues whose title or body mentions “security” or “vulnerabilities” and includes a link; the issue then disappears soon after, either deleted by the attacker or removed by GitHub. By that point the notification email, link included, has already been delivered.
  • The linked landing page poses as a GitHub-related security scanner and shows a fake “CAPTCHA” whose “verification” step is to paste a pre-filled command into a shell or the Windows Run dialog, often with admin privileges; the pasted command, not the page itself, is what installs the malware.
  • Some note that GitHub is not itself “sending malware”: the payload is user-generated issue content that GitHub’s notification system relays by email, and the malware sits behind the link.

How plausible is the scam?

  • Many point to obvious red flags: odd domain, strange “CAPTCHA,” admin warning dialogs, mis-capitalized “Github.”
  • Others stress it’s a numbers game: tired, rushed, or less-technical users (including many GitHub users) can and do fall for such tricks.
  • Several commenters share anecdotes of smart/technical people getting phished or scammed; “victim-blaming” is criticized.
  • Some say that if this had hit them in their first year on GitHub, they might have complied.

GitHub’s role and possible mitigations

  • Calls for: better spam detection on new accounts, delaying or suppressing emails for unverified content, stripping links from notification emails, or sending generic “you have a new issue” messages only.
  • Others warn that stricter anti-spam measures would burden legitimate newcomers, and argue that case-by-case moderation may be acceptable until the abuse worsens.
  • Some report fast GitHub responses to abuse reports; others report slow or inconsistent handling.
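The red flags listed under “Nature of the attack” and the link-stripping mitigation proposed above can be turned into a simple triage filter for incoming notification emails. The following is an added example, not code from the page, from GitHub, or from any commenter. It flags a notification when several of the described signals coincide (brand-new author account, “security”/“vulnerabilities” lure wording, a link that leaves github.com, the mis-capitalised brand “Github”) and rewrites the body so that only links back to github.com survive. The two sample messages, the 7-day account-age threshold and the `.example` hostname are constructed assumptions.

```python
"""Heuristic triage for GitHub-style issue notification emails.

Added example, not code from the page, from GitHub, or from any commenter.
It encodes the red flags the discussion lists (a brand-new author account,
a "security"/"vulnerabilities" lure, a link that leaves github.com, and the
mis-capitalised brand "Github") and the mitigation of stripping non-GitHub
links from the relayed body.  The sample messages, the 7-day account-age
threshold and the .example hostname are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from urllib.parse import urlparse

LURE_WORDS = re.compile(r"\b(security|vulnerabilit(?:y|ies))\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
MISCAPITALISED_BRAND = re.compile(r"\bGithub\b")  # case-sensitive on purpose
# Assumption: the only hosts a platform notification should ever link to.
TRUSTED_HOSTS = {"github.com", "www.github.com"}
NEW_ACCOUNT_DAYS = 7  # assumption: what counts as "brand-new"


@dataclass
class Verdict:
    flags: list = field(default_factory=list)
    external_links: list = field(default_factory=list)
    sanitized_body: str = ""

    @property
    def suspicious(self) -> bool:
        # Any single flag is common in legitimate traffic; two or more
        # together is the combination the attack pattern relies on.
        return len(self.flags) >= 2


def is_external(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host not in TRUSTED_HOSTS


def strip_external_links(body: str) -> str:
    """Mitigation: keep links back to the issue, replace everything else."""
    return URL_RE.sub(
        lambda m: "[external link removed]" if is_external(m.group(0)) else m.group(0),
        body,
    )


def triage(raw_email: str, author_account_age_days: int) -> Verdict:
    msg = message_from_string(raw_email)
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # samples are single-part text/plain
    text = subject + "\n" + body
    v = Verdict()
    if author_account_age_days < NEW_ACCOUNT_DAYS:
        v.flags.append("new-account")
    if LURE_WORDS.search(text):
        v.flags.append("security-lure")
    v.external_links = [u for u in URL_RE.findall(body) if is_external(u)]
    if v.external_links:
        v.flags.append("external-link")
    if MISCAPITALISED_BRAND.search(text):
        v.flags.append("brand-miscapitalised")
    v.sanitized_body = strip_external_links(body)
    return v


# Constructed sample notifications (not real messages, not real hosts).
LURE_EMAIL = """\
Subject: [example/repo] Security vulnerabilities detected (Issue #1)
Content-Type: text/plain; charset=utf-8

Your repository has security vulnerabilities. Run the Github scanner:
https://github-scanner.example/fix

--
Reply to this email directly or view it on GitHub:
https://github.com/example/repo/issues/1
"""

ROUTINE_EMAIL = """\
Subject: [example/repo] Typo in README (Issue #2)
Content-Type: text/plain; charset=utf-8

"recieve" should be "receive" in the install section.

--
Reply to this email directly or view it on GitHub:
https://github.com/example/repo/issues/2
"""

if __name__ == "__main__":
    for name, mail, age in (("lure", LURE_EMAIL, 1), ("routine", ROUTINE_EMAIL, 900)):
        v = triage(mail, age)
        print(f"{name}: suspicious={v.suspicious} flags={v.flags}")
        if v.suspicious:
            print(v.sanitized_body)
```

The account-age signal is the one a mail client cannot compute on its own; it assumes the platform exposes author metadata to the filter, which is why most of the calls in the thread are for GitHub to apply such a rule before sending rather than for recipients to apply it afterwards.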

Developer habits and “curl | sh” culture

  • Much debate about how normalized it is to copy-paste shell commands from websites, including official docs.
  • Some argue that developers are high-risk targets precisely because they are accustomed to pasting installation commands and to curl | sh install patterns.
  • Others distinguish piping a script from a well-known project domain from doing so from a random one, and prefer package managers whose packages are signed.
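The safer habit the last point alludes to is to fetch the script to disk, check it against a digest or signature published out of band, and only then run it. The following is an added example, not code from the page or from any commenter, showing that check in Python: piping a remote script straight into a shell executes whatever bytes arrive, including a script truncated mid-transfer or swapped for a different one, whereas a pinned digest catches both before anything runs. The installer text, the “published” digest and the truncated and tampered variants are constructed for the offline demo.

```python
"""Download, verify, then run, instead of curl | sh.

Added example, not code from the page or from any commenter.  Piping a
remote script into a shell runs whatever bytes arrive, including a script
truncated mid-transfer or swapped for a different one.  Checking a digest
published out of band (or a package manager's signature) before anything
executes catches both.  The installer text, the "published" digest and the
truncated/tampered variants are constructed for the demo.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile

# Constructed installer script standing in for something fetched over HTTPS.
GOOD_SCRIPT = b"#!/bin/sh\necho install-ok\n"
# Stands in for the digest a project publishes on its release page.  In
# practice it is copied from there (or from a signed checksum file), never
# derived from the downloaded bytes as done here for the offline demo.
PUBLISHED_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()


def verify(script: bytes, expected_sha256: str) -> tuple:
    """Compare the downloaded bytes to the pinned digest before executing."""
    actual = hashlib.sha256(script).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        return False, f"digest mismatch ({actual[:12]}... != {expected_sha256[:12]}...)"
    return True, "digest ok"


def verified_run(script: bytes, expected_sha256: str) -> tuple:
    """Write the script to disk and run it only after the digest matches.

    Returns (ran, output_or_reason).  A failed check writes nothing and runs
    nothing, which is the property curl | sh cannot give you.
    """
    ok, reason = verify(script, expected_sha256)
    if not ok:
        return False, reason
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as f:
        f.write(script)
        path = f.name
    try:
        res = subprocess.run(["sh", path], capture_output=True, text=True, check=False)
        return True, res.stdout.strip()
    finally:
        os.unlink(path)


# Two failure modes the pipe-to-shell pattern would have executed blindly.
TRUNCATED_SCRIPT = GOOD_SCRIPT[: len(GOOD_SCRIPT) // 2]            # connection dropped mid-download
TAMPERED_SCRIPT = GOOD_SCRIPT.replace(b"install-ok", b"something-else")  # different bytes served

if __name__ == "__main__":
    for label, data in (("good", GOOD_SCRIPT), ("truncated", TRUNCATED_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        ran, detail = verified_run(data, PUBLISHED_SHA256)
        print(f"{label:9s} ran={ran} {detail}")
```

A digest only moves the trust question to wherever the digest came from; if it sits on the same page as the script, an attacker who controls the page controls both, which is why the thread's preference for signed packages from a package manager is the stronger version of the same idea.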

Broader security themes

  • Discussion of email links in general: many advocate “don’t click unexpected links,” but note this conflicts with common workflows (account verification, SaaS UX).
  • Debate over OS design: Windows’ ease of full-privilege execution is seen as either a dangerous flaw or a “freedom” virtue; Linux/UNIX security is criticized as often undermined by sudo habits.
  • Cloudflare’s role is discussed: easy hosting for phishing/malware but also more responsive than many registrars; abuse reporting is seen as clunky.