GitHub repositories targeted in cyber-extortion attacks

GitHub Extortion Campaign: “Gitloker” Wiping Clean Repositories

An unknown user operating under the alias “Gitloker” has been wreaking havoc on GitHub by seizing and erasing repositories in an effort to extort victims. The campaign, brought to light by a researcher at Chilean cybersecurity firm CronUp, has been ongoing since at least February 2024. Reports from GitHub community forums suggest that multiple users have fallen victim to this scheme, although the full extent of the attacks remains unknown.

According to CronUp researcher German Fernandez, the attackers are abusing GitHub's commenting and notification feature to deliver their phishing emails. Because the messages arrive from the legitimate “notifications@github.com” address and carry manipulated sender names, the attackers have been successful in luring victims into their trap. The campaign operates through two domains: “githubcareers.online” and “githubtalentcommunity.online.”

One victim described how the attacker uploaded repos to their account and left behind an extortion note demanding $1,000 to prevent data exposure. Other users reported receiving fake recruiting emails and security alerts, all leading to the same malicious domains. GitHub has advised users who suspect their account has been compromised to review their active sessions and personal access tokens, change their passwords, and reset their two-factor recovery codes.
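A mail-triage check for the lure described above, as an added example that is not from the article or from GitHub: it takes a message whose From address is the genuine notifications@github.com and flags a sender display name that borrows the GitHub brand, links to the two domains named above, and any other off-site link. The trusted-host list, the finding labels and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# The two domains the article attributes to the campaign.
CAMPAIGN_DOMAINS = ("githubcareers.online", "githubtalentcommunity.online")
# Assumption: hosts a genuine notification is expected to link to.
TRUSTED_DOMAINS = ("github.com", "githubusercontent.com")
URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+", re.IGNORECASE)

def _in(host, domains):
    # Exact or subdomain match, so "github.com.evil.example" is not trusted.
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return findings for one raw message sent as a GitHub notification."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() != "notifications@github.com":
        return []  # out of scope for this check
    findings = []
    # Assumption: the display name is taken from the commenting account,
    # so a name that borrows the brand is a warning sign, not proof.
    if "github" in display.lower():
        findings.append("sender_name_uses_brand")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = {(urlsplit(u.rstrip(".,;")).hostname or "").lower()
             for u in URL_RE.findall(text)}
    for host in sorted(h for h in hosts if h):
        if _in(host, CAMPAIGN_DOMAINS):
            findings.append("campaign_domain:" + host)
        elif not _in(host, TRUSTED_DOMAINS):
            findings.append("offsite_link:" + host)  # lower confidence
    return findings

# Constructed sample message (not real mail).
PHISH = """\
From: "GitHub Jobs" <notifications@github.com>
To: dev@example.com
Subject: Re: [example/repo] Developer position (#1)

We'd like to offer you a role. Apply at https://githubcareers.online/apply today.
View it on GitHub: https://github.com/example/repo/issues/1
"""

if __name__ == "__main__":
    print(triage(PHISH))
```

A `campaign_domain` finding is the high-confidence signal; `offsite_link` will also fire on ordinary comments that link elsewhere and is only useful combined with the other two.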

The implications of Gitloker’s actions are dire, as some victims have been threatened with the release of confidential data unless a hefty ransom is paid. GitHub has assured users that it is investigating all reports of abusive activity and encourages the community to report any suspicious behavior. As the cybersecurity battle on GitHub intensifies, vigilance and proactive measures are crucial to safeguarding sensitive information.
