
The GitLoker hacking group, known for hijacking GitHub repositories and extorting developers, has taken its operations to the next level with a new phishing tool called Goissue. Marketed as the “premier solution for efficiently extracting GitHub users and their emails,” this tool represents a dangerous escalation in targeted attacks against developers and their organizations.
Goissue: A Tool for Automated Exploitation
An actor going by the alias Cyber Luffy, who claims membership in the GitLoker Team, is offering Goissue for sale or rent. The tool enables attackers to harvest email addresses from GitHub repositories, extending phishing threats beyond individual developers to entire organizations.
Key features of Goissue include:
- Email address extraction from GitHub profiles, followers, stargazers, organizations, and custom queries.
- Customizable email templates for targeted phishing campaigns.
- Proxy support and token management to evade detection.
- Promised future updates to enhance its functionality further.
According to cybersecurity firm SlashNext, Goissue automates the phishing process, enabling attackers to scale their operations efficiently. This represents a significant risk of source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials.
The Threat: Beyond Email Harvesting
Attacks typically start with scraping email addresses from public GitHub profiles, followed by phishing campaigns that deliver malicious links built to evade spam filters. These links often lead to phishing pages designed to:
- Steal developer credentials through fake GitHub login prompts.
- Deploy malware onto targeted systems.
- Trick users into authorizing a rogue OAuth app, giving attackers access to private repositories and sensitive data.
Cybersecurity experts warn that this tool leverages the trust inherent in the developer community to launch large-scale attacks, posing a high risk to organizations reliant on GitHub and similar platforms.
Industry Experts Raise Concerns
- Mika Aalto, co-founder and CEO at Hoxhunt, highlights the need for proactive and adaptive security measures. “Attackers are using automation and advanced tools to exploit trust at scale. Organizations must equip their people with the instincts to recognize and report suspicious activity.”
- Jason Soroko, Senior Fellow at Sectigo, warns of a new battleground where trusted developer platforms are exploited for credential theft. “This tool weaponizes the openness of the developer community, creating a high-impact attack mechanism.”
- SlashNext, through reformed blackhat Daniel Kelley, calls Goissue a red flag. “This isn’t just spam; it’s a gateway to taking over your account or projects. With Goissue tied to GitLoker, the stakes have never been higher.”
A Call to Action for Developers and Organizations
To mitigate the risks posed by tools like Goissue:
- Implement strong security measures such as two-factor authentication (2FA) for developer accounts.
- Educate your teams on identifying phishing attempts and recognizing suspicious emails.
- Monitor for unusual activity in GitHub repositories and OAuth permissions.
- Stay updated on security patches and threat advisories from GitHub and other relevant platforms.
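One way to act on the OAuth monitoring item above, as an added example that is not from the original article or from GitHub: a review of exported audit-log events that flags OAuth grants to apps outside an allowlist and a burst of different users authorizing the same unreviewed app. The JSON field layout (`ts`, `actor`, `app`), the allowlist, the thresholds, and the sample events are assumptions constructed for illustration; check the action names against your own audit-log export.

```python
import json
from collections import defaultdict

# Audit-log action names that grant an OAuth app access (verify against your export).
GRANT_ACTIONS = {"oauth_authorization.create", "org.oauth_app_access_approved"}
APPROVED_APPS = {"ci-dashboard"}   # hypothetical allowlist of reviewed apps
BURST_WINDOW_S = 3600              # assumed window for "many users, one app"
BURST_USERS = 3                    # assumed threshold of distinct users

# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_LOG = """\
{"ts": 1000, "action": "oauth_authorization.create", "actor": "alice", "app": "ci-dashboard"}
{"ts": 1200, "action": "oauth_authorization.create", "actor": "bob", "app": "gh-security-alert"}
{"ts": 1500, "action": "repo.create", "actor": "bob", "app": null}
{"ts": 1900, "action": "oauth_authorization.create", "actor": "carol", "app": "gh-security-alert"}
{"ts": 2600, "action": "org.oauth_app_access_approved", "actor": "dave", "app": "gh-security-alert"}
{"ts": 9000, "action": "oauth_authorization.create", "actor": "erin", "app": "notes-sync"}
"""

def review_oauth_grants(log_text, approved=APPROVED_APPS):
    """Return (unapproved, bursts) found in a JSON-lines audit log."""
    unapproved = []                 # (ts, actor, app) for apps outside the allowlist
    grants = defaultdict(list)      # unapproved app -> [(ts, actor), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("action") not in GRANT_ACTIONS or not ev.get("app"):
            continue
        if ev["app"] not in approved:
            unapproved.append((ev["ts"], ev["actor"], ev["app"]))
            grants[ev["app"]].append((ev["ts"], ev["actor"]))
    bursts = {}                     # app -> users who granted it within one window
    for app, events in grants.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {a for t, a in events[i:] if t - start <= BURST_WINDOW_S}
            if len(users) >= BURST_USERS:
                bursts[app] = sorted(users)
                break
    return unapproved, bursts

if __name__ == "__main__":
    unapproved, bursts = review_oauth_grants(SAMPLE_LOG)
    for ts, actor, app in unapproved:
        print(f"unapproved OAuth grant: ts={ts} actor={actor} app={app}")
    for app, users in bursts.items():
        print(f"possible phishing wave: {app} authorized by {users}")
```

Several developers authorizing the same unreviewed app within a short window is the pattern a mass phishing campaign would produce, so a burst warrants revoking the grants and rotating any tokens those accounts hold.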
The rise of Goissue underscores the critical need for robust cybersecurity strategies to protect the developer ecosystem from exploitation.
Stay vigilant, stay secure.