Both CircleCI and GitHub have confirmed that cybercriminals are posing as CircleCI in an attempt to gain unauthorised access to GitHub user accounts.
The two companies say that attackers are currently spreading a phishing email that pretends to come from the CircleCI continuous integration and delivery platform.
A word of caution from GitHub
A link to “accept” the modifications is provided, as one might expect, in the email’s footer. Those who follow it expose themselves to the risk of having their GitHub account credentials and two-factor authentication codes stolen, since the attackers likely relay the login through reverse proxies that capture both the password and the one-time code. Users who sign in with hardware security keys are not affected by this technique.
While GitHub was not a target of the attack, “many victim organisations” were, the company warned.
Threats from a wide variety of directions
CircleCI has also issued a warning on its forums about the ongoing attack and emphasised that it would never require users to log in with credentials in order to see ToS updates.
In a statement, CircleCI emphasised that its emails should only contain links to circleci.com or its sub-domains.
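As an added illustration of the check CircleCI describes (this is not code from CircleCI or GitHub), the following Python flags every link in an email body whose host is not circleci.com or one of its subdomains, including two common lookalike tricks; the sample message and the `.example` domains are constructed.

```python
import re
from urllib.parse import urlparse

# Domain that CircleCI says its legitimate email links point to.
TRUSTED_DOMAIN = "circleci.com"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_trusted_host(hostname: str) -> bool:
    """True only for circleci.com itself or a subdomain of it.

    Label-based matching rejects lookalikes such as 'circleci.com.example'
    or 'notcircleci.com' that a plain substring check would accept.
    """
    host = hostname.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def suspicious_links(body: str) -> list[str]:
    """Return every URL in body whose host is not under circleci.com.

    urlparse() separates userinfo and port from the host, so a link like
    'https://circleci.com@evil.example/' resolves to host evil.example.
    A URL with no parsable host is treated as suspicious.
    """
    flagged = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the link
        host = urlparse(url).hostname
        if host is None or not is_trusted_host(host):
            flagged.append(url)
    return flagged


# Constructed sample modelled on the lure the article describes: a terms-of-service
# notice whose "accept" link leads away from CircleCI's domain.
SAMPLE_EMAIL = """Hello,
We have updated our Terms of Service. See https://circleci.com/legal/terms.
You must accept the new terms to keep your account: https://circleci.com@circle-ci.example/accept
Mirror: https://circleci.com.example/tos
Support: https://support.circleci.com/help
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("suspicious:", link)
```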
A number of domains have been identified as sources of the phishing emails:
If the attackers succeed in gaining access to a GitHub developer account, they proceed to create personal access tokens (PATs), authorise OAuth apps, and even add SSH keys to the account so that they retain access even if the account owner changes the password.
Afterwards, GitHub said, they access content from non-public repositories. The company has since disabled numerous accounts that were found to be compromised and has reset the passwords of all users who could have been affected.