A newly discovered tool named “GoIssue,” marketed on a prominent cybercrime forum, is bringing fresh concerns to the cybersecurity community with its ability to mine email addresses from GitHub profiles and send bulk phishing emails to targeted inboxes.
Discovered by SlashNext researchers, this tool, believed to be connected to the notorious GitLoker extortion campaign, highlights an alarming trend in phishing tactics that now threatens not only individual developers but entire organizations.
Security researcher Daniel Kelley warns that GoIssue’s capabilities could lead to far more than standard phishing incidents. Its potential extends to source code theft, supply chain vulnerabilities, and corporate network breaches, all through compromised developer accounts. For CISOs and security teams, this development reflects a larger shift, where platforms designed for code collaboration are becoming prime targets for cyber threats, particularly those using malicious OAuth apps to hijack repositories.
How GoIssue Operates
Unlike typical phishing tools, GoIssue appears to have been engineered specifically for the GitHub ecosystem, highlighting a shift in threat actors’ focus toward developer platforms. By harvesting email addresses from public GitHub profiles, GoIssue uses GitHub tokens to collect data based on parameters such as organization membership and stargazer lists. This information is then deployed in custom phishing campaigns that can bypass spam filters and precisely target communities of developers.
GoIssue’s advertising on the cybercrime forum lists a price tag of $700 for a custom build and an eye-watering $3,000 for full source code access, positioning it as a sophisticated tool in the dark market. According to the seller, who goes by the username “cyberluffy,” GoIssue includes advanced data collection features and uses proxy networks to shield the operator’s identity.
An Avenue for Attackers
The typical GoIssue attack sequence starts with email address harvesting, followed by mass phishing attempts designed to lure developers into clicking malicious links in seemingly legitimate GitHub notifications. These attacks could redirect users to:
- Credential-stealing phishing pages targeting GitHub accounts.
- Malware downloads that compromise the victim’s system.
- OAuth app authorization requests that give attackers access to private repositories and sensitive data.
The bulk-sending capabilities of GoIssue allow malefactors to scale their efforts, increasing the chances of successful breaches and potentially compromising thousands of developers and projects at once.
Ties to GitLoker and the Cyberluffy Connection
An investigation into GoIssue revealed connections to the GitLoker campaign, a series of GitHub-based attacks leveraging fake notifications to spread malicious OAuth apps. GoIssue’s seller, cyberluffy, identifies as a member of the GitLoker team on their Telegram profile, and the advertising thread references well-known security blogs that detail GitLoker’s tactics. This suggests that GoIssue may be either an evolution of GitLoker or a related tool, given their shared targets and methods.
While GitHub users may be the primary targets, the broader implications of GoIssue extend across the companies these developers work for. By compromising developers’ access to GitHub, attackers can penetrate trusted organizational channels, turning a developer’s trusted access into a liability that can expose critical business assets. For entities undergoing digital transformation initiatives, GoIssue is a potential risk to the very platforms that enable their innovation.
What the Experts are Saying
The emergence of GoIssue signals a new era where developer platforms become high-stakes battlegrounds, and security defenses must evolve rapidly to counteract this pervasive threat, comments Jason Soroko, Senior Fellow at Sectigo. “By automating email address harvesting and executing large-scale, customized phishing campaigns, this tool enables attackers to exploit trusted developer environments. As usual, the attacker’s goal is credential theft using OAuth-based repository hijacks. The bad guys know what they are doing. This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community.”
Mika Aalto, Co-Founder and CEO at Hoxhunt, adds: “Any time the tools and relationships that we trust most are turned against us so easily and at such scale, it reminds us of the need for a proactive and adaptive approach to securing our people. As attackers leverage automation and advanced tools with increasing sophistication, we must give people the instincts to recognize a suspicious email and the skills to report threats that bypass filters.”
Equally important, Aalto says human threat intelligence needs to be integrated into the center of the security stack. “A good Human Risk Management platform equips SOC teams with the tools to leverage human intelligence for accelerated detection and response. If you see something, say something, and make sure you have a behavior change platform that is designed to help you do something as quickly as possible.”
As malicious actors refine their methods, GoIssue is a wake-up call for developers, GitHub users, and the firms they support. The emergence of such sophisticated tools shows that phishing is no longer just an inbox nuisance—it’s a critical security threat that demands proactive defense measures.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.