Disaster averted, as Sawfish phishing campaign sets alarm bells ringing

DeepSource breach resets user login credentials after employee GitHub account compromise

DeepSource, an India-based provider of automated code analysis services, has rotated all user tokens, client secrets, and private keys after learning that an employee’s GitHub account was compromised.

In a security advisory published yesterday, DeepSource co-founder Jai Pradeesh said the GitHub security team contacted the company on July 11 with news that they were tracking potentially malicious activity related to the DeepSource GitHub application.

“The GitHub Security team had observed a large number of requests from unusual IP addresses for many distinct DeepSource users starting in mid-June, which stood out as anomalous,” Pradeesh explained.

“By 7AM UTC, we had rotated all user tokens, client secrets and private keys. Since we didn’t know the origin of the attack, we also rotated all credentials and keys of employees who had access to production systems.”
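The signal GitHub describes, one source address issuing requests on behalf of many distinct users inside a short interval, is something any OAuth app or API operator can look for in their own access logs. The following is an added example (not DeepSource's or GitHub's code) that scans a constructed log in an assumed format of `timestamp ip user_id path`, ignores a constructed allowlist of known shared egress ranges (corporate NAT, CI runners), and reports each address whose distinct-user fan-out within a sliding window exceeds a threshold:

```python
"""Flag client IPs that act on behalf of many distinct users in a short window.

Added example, not DeepSource's or GitHub's code. It assumes a simple
application log format 'ISO-timestamp ip user_id path' and an allowlist of
known shared egress addresses; both the log lines and the allowlist are
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2020-06-15T09:00:01Z 203.0.113.7 user-101 /api/repos
2020-06-15T09:00:05Z 203.0.113.7 user-102 /api/repos
2020-06-15T09:00:09Z 203.0.113.7 user-103 /api/repos
2020-06-15T09:00:12Z 203.0.113.7 user-104 /api/repos
2020-06-15T09:30:00Z 198.51.100.20 user-201 /api/repos
2020-06-15T09:31:00Z 198.51.100.20 user-202 /api/repos
2020-06-15T09:32:00Z 198.51.100.20 user-203 /api/repos
2020-06-15T09:40:00Z 192.0.2.5 user-101 /api/repos
2020-06-15T09:41:00Z 192.0.2.5 user-101 /api/issues
2020-06-15T14:00:00Z 203.0.113.7 user-105 /api/repos
"""

# Constructed allowlist: a shared egress range (e.g. office NAT or CI runners)
# whose fan-out across users is expected and should not raise an alert.
KNOWN_SHARED_EGRESS = [ip_network("198.51.100.0/24")]


def parse_log(text):
    """Parse the assumed 'timestamp ip user path' format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, path = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, path))
    return records


def is_known_egress(ip):
    """True if the address falls inside an allowlisted shared egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_SHARED_EGRESS)


def flag_fanout_ips(records, window=timedelta(hours=1), threshold=3):
    """Return {ip: peak distinct users within any window} for IPs at or over threshold.

    For each non-allowlisted address the events are sorted by time and a
    sliding window counts how many different users the address acted for;
    the peak over all windows is compared against the threshold.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _path in records:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        if is_known_egress(ip):
            continue
        events.sort()
        peak = 0
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({user for _, user in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, users in flag_fanout_ips(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: acted for {users} distinct users within one hour")
```

On the constructed data only `203.0.113.7` is reported (four users in a few seconds); the allowlisted range is skipped even though it also touches several users, and `192.0.2.5` is a single user's normal activity. In practice the threshold and window should be tuned against a baseline of legitimate traffic, and an alert is a prompt to investigate and rotate the affected app credentials, as DeepSource did, rather than proof of compromise on its own.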

Sawfish bares its teeth

After investigating the issue, the GitHub security team identified the source of the compromise on July 16.

“One of our employees’ GitHub accounts was compromised by the Sawfish phishing campaign that targeted GitHub users,” said Pradeesh, “and the attacker gained access to DeepSource GitHub app’s credentials.”

Discovered earlier this year, Sawfish is a spear-phishing campaign that specifically targets GitHub users.

As explained in an advisory published in April, the Sawfish campaign involves emails claiming that a repository or setting in a GitHub user’s account has changed, or that unauthorized activity has been detected.

“The message goes on to invite users to click on a malicious link to review the change,” the GitHub security team warns.

“Clicking the link takes the user to a phishing site mimicking the GitHub login page, which steals any credentials entered.”

Investigation complete

Following an internal investigation, DeepSource said it has not identified any unusual breach or behavior, and concluded that the company’s infrastructure has not been compromised.

“We have always taken great care to ensure DeepSource meets the security needs of our users,” Pradeesh said.

“While the DeepSource application itself did not suffer a weakness in this situation, we are taking the steps listed above to ensure the security of our applications, our teams, and your data.

“We appreciate GitHub’s swift response to this issue.”

DeepSource was established in December 2018 with backing from numerous VC organizations.
