Company:
Date Published:
Author: GitHub SIRT
Word count: 649
Language: English
Hacker News points: None

Summary

GitHub has been targeted by a phishing campaign that deceives users into clicking malicious links under the guise of account changes or unauthorized activity, leading to credential theft through fake login pages. The attackers exploit compromised domains and use tactics such as URL shortening and PHP-based redirects, aiming to capture credentials and to bypass two-factor authentication on accounts not protected by hardware security keys. Once credentials are stolen, attackers may create personal access tokens or authorize OAuth applications to maintain access, often downloading private repository contents. GitHub is actively monitoring for phishing sites, filing abuse reports, and enhancing security features, and it encourages users to reset credentials, use hardware security keys, and employ password managers for protection. Users are advised to verify URLs and report phishing attempts to GitHub Support; several known phishing domains have already been identified and taken offline.
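
A link-triage check for the advice to verify URLs, covering the shortener, PHP-redirect and look-alike-host patterns the summary describes. This is an added example, not code from GitHub; the allowlist, the shortener list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example (not from the page): the allowlist and the
# shortener list. Sample URLs use reserved .example names and are constructed.
TRUSTED_HOSTS = {"github.com", "gist.github.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def classify_link(url):
    """Return (verdict, reasons) for one link taken from a notification email."""
    parts = urlsplit(url.strip())
    # Compare the parsed hostname, never a substring of the raw URL.
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not-https")
    if host in SHORTENERS:
        reasons.append("url-shortener")      # real destination is hidden
    if parts.path.lower().endswith(".php"):
        reasons.append("php-redirect-path")  # redirect pattern from the summary
    if host not in TRUSTED_HOSTS:
        reasons.append("untrusted-host")
        if "github" in host:
            reasons.append("lookalike-host")  # brand name on a foreign domain
    return ("trusted" if not reasons else "suspicious", reasons)


def triage(urls):
    """Map each URL to its verdict so a mail filter or reviewer can act on it."""
    return {u: classify_link(u) for u in urls}


SAMPLE_LINKS = [  # constructed sample input
    "https://github.com/settings/security",
    "https://bit.ly/abc123",
    "https://compromised-site.example/wp-content/go.php?id=1",
    "https://github.com.login-check.example/session",
    "http://github.com/login",
]

if __name__ == "__main__":
    for url, (verdict, reasons) in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}  {', '.join(reasons)}")
```

A "suspicious" verdict on a shortener or redirect link means the real destination is unknown, so the safe action is to open GitHub by typing the address or using a bookmark rather than following the link.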