Cybersecurity experts are sounding alarms over a newly emerged tool called GoIssue, designed to facilitate mass phishing campaigns targeting GitHub users.
Marketed by the threat actor known as cyberdluffy on the Runion forum in August, GoIssue enables malicious actors to extract email addresses from public GitHub profiles and send phishing emails directly to their inboxes. The tool's creator promoted it as an effective solution for reaching targeted audiences, saying it can deliver bulk emails directly to developers' inboxes.
According to SlashNext, GoIssue marks a significant evolution in phishing techniques that could lead to source code theft, supply chain disruptions, and potential corporate network breaches through compromised developer credentials. The tool is sold at $700 for a custom build or $3,000 for full source code access, with a temporary discount lowering prices to $150 and $1,000, respectively, for early buyers. Once equipped with GoIssue, attackers could craft large-scale phishing campaigns that bypass spam filters and tailor messages to specific developer communities, heightening the risk of credential compromise.
A related concern is cyberdluffy’s association with Gitloker, known for conducting extortion campaigns against GitHub users. The GoIssue approach involves tagging developer accounts in spam comments on open issues, prompting emails that lure them to phishing sites. These pages often trick users into granting permissions to rogue OAuth apps, leading to unauthorized access to private repositories and data breaches. The trend underscores the increasing complexity of phishing attacks. Additional reports from Perception Point highlight two-step phishing tactics that use trusted platforms like Microsoft SharePoint and Visio to harvest credentials through fake login pages.