Did You Also Get a ‘Real’ Phishing Email From GitHub.com?

Imagine getting an email straight from GitHub’s own notification system: the same one you’ve trusted for years.
Would you even think twice before clicking the link inside?

That’s exactly what attackers are banking on, and it’s working.

In the past week, many users received invitations that appeared to come from Y Combinator, sent from the legitimate GitHub.com domain—but these turned out to be fake.
How is that even possible?

Let’s dig in and unpack how this attack works.

About the author

Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

See author's posts