Security researchers are tracking two separate GitHub-related threat campaigns that use the platform's infrastructure in different ways -- one to deliver vishing lures through legitimate GitHub notifications, and another to push Windows users toward malware-infected downloads hosted through deceptive GitHub Pages and repositories.
The primary campaign, disclosed Monday by the Fortra Intelligence and Research Experts team, centers on abuse of GitHub's email notification system. According to the report, attackers placed phony billing and support messages in commit comments on otherwise empty repositories and profiles, causing GitHub itself to generate legitimate notification emails from noreply@github.com. Those messages impersonated brands such as PayPal, Norton, Geek Squad and McAfee and urged recipients to call fake support numbers.
“While abuse of GitHub's legitimate email notification system has been observed before, this is the first time Fortra has seen it used for vishing attacks by including the malicious content in the commit messages of otherwise empty GitHub profiles and repositories,” the company wrote. It added that “vishing content represented around 20% of malicious emails submitted to us for analysis in 2025...”
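Because these lures ride on GitHub's own notification pipeline, sender checks (SPF, DKIM, domain reputation) pass and the content is the only signal left. The following triage script is an added example, not code from Fortra or from the article; it inspects a raw notification message, confirms it came from noreply@github.com, and flags bodies that pair a phone number with billing/support vocabulary or one of the impersonated brand names named above. The brand list, the phone-number and keyword patterns, and both sample messages are constructed assumptions for illustration.

```python
"""Content-based triage of GitHub notification e-mails for vishing lures.

Added example: genuine GitHub notifications pass SPF/DKIM, so this looks
for the lure itself (a phone number next to billing/support language or
an impersonated brand) in messages that really came from noreply@github.com.
"""
import re
from email import message_from_string
from email.message import Message

# Brands named in the report; extend from your own telemetry (assumed list).
IMPERSONATED_BRANDS = ("paypal", "norton", "geek squad", "mcafee")

# North American phone-number formats common in support-scam lures (assumed).
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

# Billing/support vocabulary typical of a vishing pretext (assumed list).
LURE_RE = re.compile(
    r"\b(?:invoice|billing|charged|subscription|renew(?:al|ed)?|refund|cancel|"
    r"customer (?:support|service)|call(?: us)?(?: at| now)?)\b",
    re.I,
)


def body_text(msg: Message) -> str:
    """Return the first text/plain body of the message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8",
                                  errors="replace")
    return ""


def triage_github_notification(raw_message: str) -> dict:
    """Score one raw RFC 5322 message and return indicators plus a verdict."""
    msg = message_from_string(raw_message)
    sender = (msg.get("From") or "").lower()
    text = body_text(msg)
    lower = text.lower()

    phones = PHONE_RE.findall(text)
    brands = [b for b in IMPERSONATED_BRANDS if b in lower]
    lure_terms = sorted({m.lower() for m in LURE_RE.findall(text)})

    from_github = "noreply@github.com" in sender
    # The reported pattern: a real GitHub notification whose body carries a
    # phone number together with billing/support language or a brand name.
    suspicious = from_github and bool(phones) and bool(brands or lure_terms)
    return {
        "from_github": from_github,
        "phone_numbers": phones,
        "brands": brands,
        "lure_terms": lure_terms,
        "suspicious": suspicious,
    }


# Constructed sample of a lure of the kind the report describes (not a real message).
VISHING_SAMPLE = """\
From: "billing-desk" <noreply@github.com>
To: victim@example.com
Subject: [billing-desk/empty-repo] Commit comment
Content-Type: text/plain; charset=utf-8

@victim Your PayPal subscription renewal of $499.99 was charged.
If you did not authorize this, call customer support at (800) 555-0199
within 24 hours to cancel and request a refund.
"""

# Constructed sample of an ordinary commit-comment notification.
BENIGN_SAMPLE = """\
From: "alice" <noreply@github.com>
To: bob@example.com
Subject: [acme/widget] Commit comment
Content-Type: text/plain; charset=utf-8

@bob this change looks good; the new retry logic handles the 503 case.
Can you also update the changelog before the 2.4.0 release?
"""

if __name__ == "__main__":
    for name, sample in (("lure", VISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage_github_notification(sample))
```

Treat the verdict as a triage signal rather than a block rule: a legitimate repository discussing billing features can trip the keyword list, and a vishing comment can omit brand names entirely. The decisive combination is a phone number in a notification generated from a repository or account with no real activity, which is a follow-up check against GitHub's API rather than the message alone.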
