Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

GitPhish – OAuth Device Code Phishing for GitHub Repos, Secrets, and CI/CD

Views: 1,152

GitPhish is an automated tool that exploits GitHub’s OAuth device code flow to gain unauthorised access to user accounts. Developed by Praetorian, it demonstrates how attackers can use legitimate GitHub functionality to trick users into granting access to repositories, secrets, and CI/CD pipelines.

GitPhish - OAuth Device Code Phishing for GitHub Repos, Secrets, and CICD

The attack does not rely on spoofed login pages. Instead, it generates real device codes through GitHub’s API, delivers them through custom GitHub Pages sites, and captures the resulting OAuth tokens once a user approves the request.

GitPhish will be publicly released on June 26, 2025.

Overview

GitHub’s device code flow allows devices without a browser to authenticate users via a separate interface. Users are asked to go to https://github.com/login/device and enter a code to complete the login. This mechanism is designed for ease of use but introduces a phishing opportunity: if an attacker can convince a user to enter a malicious device code, they gain full access granted by that token.

GitPhish automates this attack chain.

Key Features

  • Generates GitHub OAuth2 device codes automatically
  • Hosts phishing payloads on GitHub Pages
  • Captures and stores valid OAuth tokens upon successful user authorisation
  • Provides access to private repositories, secrets, GitHub Actions, and CI/CD integrations
  • No need for password interception or fake login forms

Security Implications

This technique is currently not preventable by GitHub organisation policies. The device flow cannot be globally disabled. Most developers will not recognise malicious code or a delivery URL if it appears to come from GitHub infrastructure.

Security teams should review GitHub OAuth usage, revoke unnecessary tokens, and regularly audit external application authorisations. Additional monitoring should be in place for unusual authorisation events.

Installation and Usage

GitPhish is expected to be released under an open-source license on June 26. Installation will likely follow standard Python-based toolchain procedures. Based on the pre-release write-up, usage will follow a workflow similar to the one shown below.

# Clone the repository
git clone https://github.com/praetorian-inc/gitphish.git
cd gitphish

# Install dependencies
pip install -r requirements.txt

# Launch phishing server and generate new device code
python gitphish.py --start

# Monitor incoming OAuth tokens
tail -f logs/tokens.log

More detailed usage documentation will be available upon release.

Mitigation Recommendations

  • Enforce GitHub SSO wherever possible
  • Regularly audit OAuth applications and tokens via the GitHub API
  • Train developers to avoid authorising unsolicited device login requests
  • Consider limiting developer GitHub access from unmanaged endpoints

You can read more here: Introducing: GitHub Device Code Phishing

Related Posts:

Share
Tweet
Share
Buffer
WhatsApp
Email