By Daniel Kelley
Security Researcher

We recently uncovered GoIssue, a tool marketed on a cybercrime forum that allows attackers to extract email addresses from GitHub profiles and send bulk emails directly to user inboxes.

GoIssue signals a dangerous shift in targeted phishing that extends beyond individual developers to threaten entire organizations. 

This sophisticated tool, potentially linked to the GitLoker extortion campaign, represents more than just another phishing threat – it’s a gateway to source code theft, supply chain attacks, and corporate network breaches through compromised developer credentials. Learn how to defend against these types of phishing threats, schedule a demo.

For CISOs and security teams, its emergence highlights how development platforms have essentially become security battlegrounds, especially concerning its connection to attacks using malicious OAuth apps to hijack repositories. 

While GitHub users are the immediate targets, the implications ripple throughout organizations, turning trusted developer access into potential organizational vulnerabilities that could compromise entire digital transformation initiatives. 

What GoIssue Does

GoIssue represents a clear evolution in GitHub-focused attack tools, designed to orchestrate large-scale phishing campaigns while maintaining anonymity. 

At its core, the tool systematically harvests email addresses from public GitHub profiles, using automated processes and GitHub tokens to collect data based on various criteria – from organization memberships to stargazer lists. 

Armed with this information, attackers can launch customized mass email campaigns designed to bypass spam filters and target specific developer communities. To learn how to defend against GoIssue, schedule a demo.

The official advertisement for Goissue

Marketed to potential attackers at $700 for a custom build (or $3,000 for full source code access), GoIssue combines bulk email capabilities with sophisticated data collection features, all while protecting the operator’s identity through proxy networks. 

This approach allows attackers to move beyond simple email scraping to execute complex, targeted campaigns against the GitHub developer community. Buyers are encouraged to contact the seller, cyberluffy, through private messages on the forum or via Telegram.

How Attackers Could Use GoIssue

A typical GoIssue attack could begin with harvesting email addresses from public GitHub profiles, followed by mass phishing campaigns using fake GitHub notification emails. These spam-filter-evading messages would target developers’ inboxes with malicious links that could lead to:

1. A phishing page designed to steal login credentials.
2. A malware download that compromises the user’s device.
3. A rogue OAuth app authorization prompt that grants attackers access to private repositories and data.

GoIssue’s ability to send these targeted emails in bulk allows attackers to scale up their campaigns, impacting thousands of developers at once. This increases the risk of successful breaches, data theft, and compromised projects.

The Link to GitLoker Attacks

The contact information for GoIssue led us to cyberluffy, whose Telegram profile states, “Cyber D’ Luffy is a member of Gitloker Team.” This detail is significant because GitLoker is responsible for an ongoing campaign that uses GitHub notifications to push malicious OAuth apps.

The seller’s contact information which aligns with Gitloker

In the thread advertising GoIssue, the seller even links to high profile security blogs which detail and validate GitLoker attack efficacy, which targeted developers using GitHub notifications and phishing emails.

The GoIssue forum thread referencing cybersecurity blog articles

The connection between cyberluffy and the GitLoker Team suggests that GoIssue could be an extension of the GitLoker campaign or an evolved version of the same tool.

Both tools share a similar target audience (GitHub users) and leverage email communication to initiate attacks. This overlap in purpose and personnel strongly supports the theory that they are either linked or variations of one another.

If you’re a developer using GitHub, GoIssue is a red flag. Attackers now have tools that make phishing you easier and more effective. This isn’t just spam; it’s a potential entry point to taking over your account or projects. With GoIssue potentially linked to GitLoker, the threat is bigger than ever. For more information about GoIssue and how to defend against it, schedule a demo.

Defeat Phishing With SlashNext

To combat the growing threat of anti-bot technology, SlashNext offers a comprehensive solution. SlashNext Complete™ is an integrated cloud messaging security platform that detects threats in real-time across email, mobile, and web messaging apps with 99.99% accuracy.

SlashNext protects organizations from data theft and financial fraud breaches by providing integrated cloud messaging security for email, browser, and mobile. Our approach helps defend against the latest phishing tactics, including those leveraging advanced techniques.

Get protected and learn more about SlashNext Complete™.