Netizen: Monday Security Brief (3/17/2024)

Today’s Topics:

  • Widespread GitHub Phishing Campaign Targets Developers with Fake “Security Alert” Issues
  • Apache Tomcat Vulnerability Actively Exploited Within 30 Hours of Public Disclosure
  • How can Netizen help?

Widespread GitHub Phishing Campaign Targets Developers with Fake “Security Alert” Issues

A large-scale phishing campaign has targeted nearly 12,000 GitHub repositories by creating fake “Security Alert” issues designed to trick developers into authorizing a malicious OAuth app. This campaign, which was reported in March 2025, grants attackers full control over compromised GitHub accounts and the associated code repositories.

The phishing attack begins when a developer receives a “Security Alert” issue within their GitHub repository. The issue warns of an unusual login attempt from a specific location — Reykjavik, Iceland — and from the IP address 53.253.117.8. The message claims that the user’s account has been compromised and urges them to take immediate action, such as:

  • Updating their password
  • Reviewing and managing active sessions
  • Enabling two-factor authentication (2FA)

Under the guise of these remediation steps, the phishing message links to an OAuth app authorization page. Once the victim grants permissions to the malicious OAuth app, the attackers gain full access to the GitHub account, including the ability to:

  • Modify or delete code repositories
  • Steal intellectual property
  • Create new repositories or issues
  • Access private and sensitive data
  • Launch further attacks using the compromised account

Cybersecurity researcher Luc4m first identified the campaign and reported it publicly. The attack appears to be well-coordinated, since an identical phishing message has been posted across thousands of repositories. The use of OAuth app authorization lets attackers bypass traditional login protections, including 2FA, because the resulting OAuth token does not depend on the password and remains valid even after the password is changed.

GitHub and security experts have recommended that affected developers take immediate action, including:

  • Revoking OAuth tokens associated with unknown or suspicious apps.
  • Changing account passwords and enabling two-factor authentication.
  • Reviewing authorized OAuth apps and removing any that are unfamiliar or unnecessary.
  • Monitoring repository activity for any unauthorized changes or access.

GitHub is working to identify and remove the malicious issues and is advising developers to stay vigilant against similar social engineering attempts.
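A triage script for the lure described above, written as an added example (not part of the original brief or of any GitHub tooling). It scores issue objects in the shape returned by GitHub's REST issues endpoint against the indicators the brief quotes, and pulls the `client_id` out of any OAuth authorize link so an administrator knows which app grant to revoke; the sample issues and the client_id are constructed placeholders.

```python
"""Triage GitHub issue objects for the fake "Security Alert" lure.
Added example; not part of the original brief or any GitHub tooling."""
import json
import re
from urllib.parse import parse_qs, urlparse

# Indicators quoted in the brief (location and IP named in the lure).
LURE_IP = "53.253.117.8"
LURE_PLACE = "reykjavik"
# GitHub's OAuth web-flow authorization endpoint; the lure links here.
AUTHORIZE_RE = re.compile(r"https://github\.com/login/oauth/authorize\?[^\s)\]>\"']+")

# Constructed sample issues in the shape of GitHub's REST issue objects
# (only the fields used here); the client_id is a placeholder.
SAMPLE_ISSUES = json.loads("""[
 {"number": 41, "title": "Security Alert: unusual access attempt",
  "user": {"login": "constructed-notifier"},
  "body": "Unusual login from Reykjavik, Iceland (53.253.117.8). Secure your account: https://github.com/login/oauth/authorize?client_id=PLACEHOLDER_CLIENT_ID&scope=repo"},
 {"number": 42, "title": "Bug: parser crashes on empty input",
  "user": {"login": "maintainer"}, "body": "Repro steps attached."}
]""")

def oauth_client_ids(text):
    """Return client_id values from any OAuth authorize links in text.
    The client_id identifies the app grant an admin needs to revoke."""
    ids = []
    for m in AUTHORIZE_RE.finditer(text or ""):
        ids.extend(parse_qs(urlparse(m.group(0)).query).get("client_id", []))
    return ids

def triage(issue):
    """Score one issue against the lure's indicators; two or more hits flag it."""
    text = f"{issue.get('title', '')}\n{issue.get('body', '')}"
    low = text.lower()
    hits = []
    if "security alert" in low:
        hits.append("uses the 'Security Alert' wording")
    if LURE_IP in text:
        hits.append(f"cites lure IP {LURE_IP}")
    if LURE_PLACE in low:
        hits.append("cites Reykjavik, Iceland")
    ids = oauth_client_ids(text)
    if ids:
        hits.append(f"links to OAuth authorize for client_id(s) {ids}")
    return {"number": issue.get("number"), "suspicious": len(hits) >= 2,
            "client_ids": ids, "hits": hits}

def triage_all(issues):
    """Triage a list of issue objects, e.g. JSON from GET /repos/{owner}/{repo}/issues."""
    return [triage(i) for i in issues]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_ISSUES):
        print(r)
```

Feed it the JSON from the issues endpoint of each repository you administer; any flagged issue's client_id is the app to look for under the account's authorized OAuth apps.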


Apache Tomcat Vulnerability Actively Exploited Within 30 Hours of Public Disclosure

A newly disclosed security flaw affecting Apache Tomcat has been actively exploited in the wild just 30 hours after the release of a public proof-of-concept (PoC). The vulnerability, tracked as CVE-2025-24813, poses a significant threat as it enables remote code execution (RCE) or information disclosure under specific conditions.

The vulnerability impacts multiple versions of Apache Tomcat, including:

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0-M1 to 9.0.98

This broad version range indicates that many production environments using Apache Tomcat could be exposed to attacks if not promptly patched.

The vulnerability arises from how Apache Tomcat's default servlet handles HTTP PUT requests and file uploads, and it is only reachable under a particular configuration. Successful exploitation requires all of the following conditions:

  • Writes enabled for the default servlet (disabled by default)
  • Support for partial PUT (enabled by default)
  • A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads
  • Attacker knowledge of the names of security-sensitive files being uploaded

If these conditions are met, an attacker could craft a malicious request that bypasses security controls and gains unauthorized access to sensitive files or executes remote code on the target system.

Remote code execution vulnerabilities in widely used servers like Apache Tomcat are particularly dangerous because they provide attackers with a direct pathway to compromise critical systems. Once exploited, attackers can execute arbitrary commands, escalate privileges, install backdoors, and move laterally across networks. This could lead to data breaches, system disruptions, and potential exposure of sensitive information.

Apache has released security patches to address CVE-2025-24813. Organizations using vulnerable versions of Apache Tomcat should immediately:

  • Update to the latest patched version of Apache Tomcat.
  • Disable support for HTTP PUT requests unless explicitly needed.
  • Restrict public access to sensitive file upload paths.
  • Implement strict access controls and monitoring to detect any suspicious activity.

Patching and securing Apache Tomcat environments is critical to minimizing the risk of exploitation and safeguarding sensitive data and systems.


How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


Copyright © Netizen Corporation. All Rights Reserved.