A massive phishing campaign targeted GitHub users with cryptocurrency drainers, delivered via fake invitations to the Y Combinator (YC) W2026 program.
Y Combinator is a startup accelerator that funds and mentors projects in their early stages, and connects founders with a network of alumni and venture capital firms.
The attacker abused GitHub’s notification system to deliver the fraudulent messages by creating issues across multiple repositories and tagging targeted users.
When an account name is mentioned in an issue, GitHub automatically sends that user a notification. Since the email comes from a legitimate source, it went straight to the inboxes of the intended recipients.
The lure used in the campaign was an invitation to apply to the Winter 2026 Batch (W2026), the upcoming round of applications for YC funding, allegedly promising a total of $15 million.
For some repositories, developers reported seeing as many as 500 issues opened by a new user account created just a week earlier. At the end of each issue, the attacker mentioned a list of usernames to receive the notification.
BleepingComputer saw a list of around 30 targeted users, and there doesn't appear to be any common ground among them, based on the projects they listed.
However, the attacker's goal was to steal cryptocurrency, and developers are more likely to have a digital wallet.
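A maintainer-side triage heuristic for the pattern described above: a days-old account opening many issues that each end in a block of @mentions. This is an added example, not code from BleepingComputer or GitHub; the issue-record fields, the thresholds, the account names and the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# @mention not preceded by a word character, so e-mail addresses are skipped.
MENTION_RE = re.compile(r"(?<![\w/.-])@([A-Za-z0-9](?:-?[A-Za-z0-9]){0,38})")

# Assumed thresholds; tune them to the repository's normal traffic.
MAX_ACCOUNT_AGE = timedelta(days=14)
MIN_MENTIONS = 10   # distinct users tagged in one issue
MIN_ISSUES = 3      # matching issues from the same author


def mentions(body):
    """Return the distinct usernames @-mentioned in an issue body."""
    return {m.lower() for m in MENTION_RE.findall(body)}


def flag_mention_spam(issues):
    """Map author -> number of mass-mention issues opened while the account was new.

    Each issue is a dict with keys author, author_created, created, body
    (hypothetical record shape, e.g. built from an issue export).
    """
    hits = defaultdict(int)
    for issue in issues:
        young = issue["created"] - issue["author_created"] <= MAX_ACCOUNT_AGE
        if young and len(mentions(issue["body"])) >= MIN_MENTIONS:
            hits[issue["author"]] += 1
    return {author: n for author, n in hits.items() if n >= MIN_ISSUES}


def sample_issues():
    """Constructed sample data: one spamming account and two benign authors."""
    now = datetime(2025, 1, 15)
    tags = " ".join(f"@user{i:02d}" for i in range(30))
    spam = [{"author": "new-acct-example", "created": now,
             "author_created": now - timedelta(days=7),
             "body": "Funding invitation, apply now\n\n" + tags} for _ in range(5)]
    benign = [{"author": "longtime-maintainer", "created": now,
               "author_created": now - timedelta(days=2000),
               "body": "Release review: " + tags},
              {"author": "first-timer", "created": now,
               "author_created": now - timedelta(days=2),
               "body": "Thanks @user01, mail me at dev@example.com"}]
    return spam + benign


if __name__ == "__main__":
    print(flag_mention_spam(sample_issues()))
```

Account age alone would flag legitimate first-time contributors, and mention count alone would flag maintainers pinging reviewers, which is why the check requires both together and more than one matching issue.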
The phishing email sent from GitHub
Source: BleepingComputer