![How to Use AI as a Productivity Tool with Mike Kaput [MAICON 2025 Speaker Series]](https://www.marketingaiinstitute.com/hubfs/v2MAICON-Speaker_Series.png)
![[The AI Show Episode 152]: ChatGPT Connectors, AI-Human Relationships, New AI Job Data, OpenAI Court-Ordered to Keep ChatGPT Logs & WPP’s Large Marketing Model](https://www.marketingaiinstitute.com/hubfs/ep%20152%20cover.png)
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
_Andreas_Prott_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
_designer491_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Samsung Galaxy Tab S11 runs Geekbench, here's the chipset it will use [Updated]](https://fdn.gsmarena.com/imgroot/news/25/06/samsung-galaxy-tab-s11-ultra-geekbench/-952x498w6/gsmarena_000.jpg)
![Apple’s latest CarPlay update revives something Android Auto did right 10 years ago [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/06/carplay-live-activities-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Everything new in Android 16 QPR1 Beta 2 [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/06/Android-16-logo-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=logo}
![3DMark Launches Native Benchmark App for macOS [Video]](https://www.iclarified.com/images/news/97603/97603/97603-640.jpg)
![Craig Federighi: Putting macOS on iPad Would 'Lose What Makes iPad iPad' [Video]](https://www.iclarified.com/images/news/97606/97606/97606-640.jpg)
New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens
Cybersecurity researchers have identified a sophisticated new phishing campaign that exploits GitHub’s OAuth2 device authorization flow to compromise developer accounts and steal authentication tokens. This emerging threat represents a significant evolution in social engineering tactics, leveraging legitimate GitHub functionality to bypass traditional security measures and gain unauthorized access to source code repositories, CI/CD pipelines, and […] The post New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens appeared first on Cyber Security News.
Cybersecurity researchers have identified a sophisticated new phishing campaign that exploits GitHub’s OAuth2 device authorization flow to compromise developer accounts and steal authentication tokens.
This emerging threat represents a significant evolution in social engineering tactics, leveraging legitimate GitHub functionality to bypass traditional security measures and gain unauthorized access to source code repositories, CI/CD pipelines, and sensitive intellectual property.
The attack technique mirrors established Azure Active Directory device code phishing methods that have plagued enterprise environments for years, but now targets the developer ecosystem through GitHub’s platform.
Unlike conventional phishing approaches that rely on fraudulent websites or malicious links, these attacks abuse GitHub’s native device code authentication process, making them particularly difficult to detect and block using standard security controls.
Following recent high-profile supply chain attacks including the tj-actions incident, Praetorian analysts noted that GitHub access has become increasingly valuable to threat actors seeking to compromise software development pipelines.
The researchers identified that these device code phishing attacks have achieved success rates exceeding 90% when conducted via phone calls to developers, demonstrating the technique’s effectiveness against even security-conscious targets.
.webp)
The impact of successful attacks extends far beyond individual account compromises.
Once attackers obtain GitHub OAuth tokens with appropriate scopes, they can exfiltrate proprietary source code, access GitHub Actions secrets for lateral movement, execute malicious code on self-hosted runners, and potentially backdoor critical repositories to launch supply chain attacks affecting thousands of downstream users.
.webp)
The centralization of development infrastructure around GitHub has made these attacks particularly attractive to threat actors seeking maximum impact from minimal effort.
Attack Mechanism
The GitHub device code phishing process follows a methodical five-step approach that exploits the inherent trust model of OAuth2 device authorization.
The attack begins when threat actors generate device codes through GitHub’s OAuth API, typically requesting broad permissions including user, repository, and workflow scopes.
The following code snippet demonstrates the initial request:-
curl -X POST https://github.com/login/device/code \
-H "Accept: application/json" \
-d "client_id=01ab8ac9400c4e429b23&scope=user+repo+workflow".webp)
Attackers often utilize legitimate client IDs such as Visual Studio Code’s identifier (01ab8ac9400c4e429b23) to reduce user suspicion during the authorization process.
The server response includes a device code for token retrieval, a six-digit user code, the verification URL (https://github.com/login/device), and a 15-minute expiration window.
The social engineering phase involves convincing developers to navigate to the verification URL and enter the provided code.
Praetorian researchers have documented various successful pretexts, including impersonating helpdesk personnel claiming device registration updates are required or IT staff conducting security verification procedures.
Once victims complete the authentication flow and authorize the application, attackers retrieve the OAuth token using the original device code.
This token provides persistent access to the victim’s GitHub resources, enabling comprehensive reconnaissance and data exfiltration activities.
The technique’s effectiveness stems from its use of legitimate GitHub functionality, making it nearly impossible to distinguish malicious device code requests from genuine authentication attempts without additional context or behavioral analysis.
Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full acces
The post New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens appeared first on Cyber Security News.
