
Security alert: new phishing campaign targets GitHub users

Blog post from GitHub

Post Details
Author: Alexis Wales
Word Count: 653
Language: English
Summary

GitHub Security identified a phishing campaign in which threat actors impersonated CircleCI to trick GitHub users into providing their login credentials and two-factor authentication codes. GitHub itself was not compromised, but many organizations were affected. The phishing messages tell users that their CircleCI session has expired and redirect them to a fake GitHub login page that captures their credentials; the threat actors then use the stolen credentials to create personal access tokens, authorize applications, or download private repositories. Accounts protected by hardware security keys remain secure, while those using TOTP-based 2FA are vulnerable. GitHub's response involved resetting passwords, removing unauthorized credentials, notifying affected users, and suspending threat actor accounts. To mitigate the risk, users are advised to use hardware security keys or browser-integrated password managers and to verify URLs before entering credentials. GitHub continues to monitor the situation, acting on new phishing domains as they appear, and advises users to report suspicious activity.