GitLoker Strikes Again: New “Goissue” Tool Targets GitHub Developers and Corporate Supply Chains

GoIssue is a new tool for cybercriminals that allows attackers to extract email addresses from GitHub profiles and send bulk emails to users.


An actor claiming membership in the Gitloker hacking group is offering a new GitHub phishing tool for sale or rent. 

The actor, Cyber Luffy, claims to be “a member of Gitloker Team”. He describes the tool, Goissue, as “the premier solution for efficiently extracting GitHub users and their emails.”

The Gitloker team has been hijacking GitHub repositories, wiping them, and extorting developers to assist in their recovery since early 2024. Reporting on this new discovery of Goissue, SlashNext believes that the sale and use of an automated phishing tool is a logical extension of Gitloker’s operations. “Eventually, once you’ve performed the attack and it works and you’ve operationalized it,” SlashNext Field CTO Stephen Kowski told SecurityWeek, “now you have a set of tools, and now, well, you don’t have to do the work yourself — you can just sell access to the tools.”

Goissue allows attackers to extract email addresses from GitHub repositories and to extend the threat beyond the individual developers to their entire organizations. “It’s a gateway to source code theft, supply chain attacks, and corporate network breaches through compromised developer credentials,” warns SlashNext.

Goissue’s features include customizable email templates, proxy support, email address extraction, and token management. Scraping modes include followers, stargazers, organizations, and queries. “Additional features will be added in future updates, making the tool even more robust and versatile,” claims Cyber Luffy in a ‘watch this space’ message on the Goissue forum.

An attack could start with harvesting email addresses from public GitHub profiles, followed by phishing campaigns using fake GitHub notification emails. These emails would likely carry spam-filter-evading links to a phishing page designed to steal developer credentials or deliver malware, or to a rogue OAuth app authorization prompt granting access to private repositories and data. Goissue effectively automates the process, allowing attacks to be scaled and increasing the risk of successful breaches.
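A defender-side illustration of the two lures described above, fake GitHub notification mail and a rogue OAuth authorization prompt, as an added example that is not part of the article or of the GoIssue tool. The sample messages, the trusted-host list and the `CONSTRUCTED_ID` client identifier are constructed assumptions.

```python
"""Triage GitHub-notification-style emails for the phishing indicators the
article describes: spoofed sender domain, lookalike link hosts, and OAuth
app authorization prompts delivered by mail. Added example; constructed data."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import parse_qs, urlparse

TRUSTED_HOSTS = {"github.com", "www.github.com"}  # assumption: allowlist for link hosts
GITHUB_SENDER_DOMAIN = "github.com"               # real GitHub notifications come from here
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed samples: a benign notification and a GoIssue-style lure.
SAMPLE_LEGIT = """From: GitHub <noreply@github.com>
Subject: [octo/repo] Issue #1 opened

Details: https://github.com/octo/repo/issues/1
"""
SAMPLE_PHISH = """From: GitHub <notifications@github-alerts.example>
Subject: [octo/repo] Security alert requires action

Review: https://github-alerts.example/login
Authorize: https://github.com/login/oauth/authorize?client_id=CONSTRUCTED_ID&scope=repo
"""


def body_text(msg: Message) -> str:
    """Concatenate the text parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: str) -> list[str]:
    """Return human-readable indicators; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = m.group(1).lower() if m else ""
    if sender_domain != GITHUB_SENDER_DOMAIN:
        findings.append(f"sender domain {sender_domain!r} is not github.com")
    for url in URL_RE.findall(body_text(msg)):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            kind = "lookalike" if "github" in host else "untrusted"
            findings.append(f"{kind} host {host}")
        # A genuine github.com host can still carry a rogue app's consent prompt.
        if parsed.path.startswith("/login/oauth/authorize"):
            qs = parse_qs(parsed.query)
            findings.append(f"OAuth authorize link client_id={qs.get('client_id', ['?'])[0]} "
                            f"scope={qs.get('scope', [''])[0]}")
    return findings
```

The second sample shows why host allowlisting alone is not enough: the OAuth consent link is on github.com, so it is only caught by inspecting the path, the requesting `client_id`, and the `repo` scope.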

“Any time the tools and relationships that we trust most are turned against us so easily and at such scale, it reminds us of the need for a proactive and adaptive approach to securing our people,” warns Mika Aalto, co-founder and CEO at Hoxhunt. “As attackers leverage automation and advanced tools with increasing sophistication, we must give people the instincts to recognize a suspicious email and the skills to report threats that bypass filters.”

Jason Soroko, Senior Fellow at Sectigo, calls it a new era where developer platforms become high-stakes battlegrounds. “By automating email address harvesting and executing large-scale, customized phishing campaigns, this tool enables attackers to exploit trusted developer environments. As usual, the attacker’s goal is credential theft using OAuth-based repository hijacks. The bad guys know what they are doing. This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community,” he told SecurityWeek.


SlashNext calls it a red flag. “This isn’t just spam; it’s a potential entry point to taking over your account or projects. With GoIssue potentially linked to GitLoker, the threat is bigger than ever,” reports the researcher, reformed blackhat Daniel Kelley.

Related: GitHub Patches Critical Vulnerability in Enterprise Server

Related: Critical Authentication Flaw Haunts GitHub Enterprise Server

Related: GitHub Actions Artifacts Leak Tokens and Expose Cloud Services and Repositories

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
