A large-scale phishing campaign targeted GitHub users with cryptocurrency drainers, delivered through fake invitations to the Y Combinator (YC) W2026 program.
Y Combinator is a startup accelerator that funds and mentors projects in their early stages, and connects founders with a network of alumni and venture capital firms.
The attacker abused GitHub's notification system to deliver the fraudulent messages, by creating issues across multiple repositories and tagging targeted users.
When an account name is mentioned in an issue, GitHub automatically sends a notification. Because the email comes from a legitimate source, it went straight to the inbox of the intended recipients.
The lure used in the campaign was an invitation to apply to the Winter 2026 Batch (W2026), the upcoming round of applications for YC funding, allegedly promising a total of $15 million.
For some repositories, developers reported seeing as many as 500 issues opened from a new user created just a week ago. At the end of the issue, the attacker mentioned a list of usernames to receive the notification.
BleepingComputer saw a list of around 30 targeted users, and there does not appear to be a common ground for all of them, based on the projects they listed.
However, the attacker's goal was to steal cryptocurrency, and it's more likely for a developer to have a digital wallet.

Source: BleepingComputer
The recipients of these emails were prompted to click a link to apply to YC's upcoming funding program, and while the invitation may not have raised any suspicions, the page's domain was a misspelled variant of the legitimate YC one, as the 'i' was replaced with a lowercase 'L'.
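A triage check for the two signals described above (a long list of tagged usernames in one issue, and a link whose domain swaps 'i' for a lowercase 'L'), written as an added example that is not from the original article. The allowlist, thresholds, confusable map and the `.example` hostname in the sample are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: allowlist, thresholds and the confusable map.
TRUSTED = {"ycombinator.com"}
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})
MENTION_LIMIT = 10      # distinct @mentions in one issue body
NEW_ACCOUNT_DAYS = 30   # author accounts younger than this corroborate a flag

URL_RE = re.compile(r"https?://[^\s)>\]]+")
# "@name" not preceded by a word character or "/", so e-mail addresses are skipped.
MENTION_RE = re.compile(r"(?<![\w/])@([A-Za-z0-9][A-Za-z0-9-]{0,38})")

def skeleton(label):
    """Fold visually confusable characters so 'l', '1', '|' all compare as 'i'."""
    return label.lower().translate(CONFUSABLE)

def classify_host(host):
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    brands = {skeleton(d.split(".")[0]) for d in TRUSTED}
    # Any label that folds to a trusted brand name on an untrusted host is suspect.
    if any(skeleton(label) in brands for label in host.split(".")):
        return "lookalike"
    return "unknown"

def triage_issue(body, author_age_days):
    """Return the reasons an issue body matches the mention-spam phishing pattern."""
    reasons = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:   # malformed URL, e.g. unbalanced IPv6 bracket
            continue
        if classify_host(host) == "lookalike":
            reasons.append(f"lookalike link: {host}")
    mentions = {m.lower() for m in MENTION_RE.findall(body)}
    if len(mentions) >= MENTION_LIMIT:
        reasons.append(f"mass mention: {len(mentions)} users")
    # Account age alone is weak evidence; report it only alongside another signal.
    if reasons and author_age_days <= NEW_ACCOUNT_DAYS:
        reasons.append(f"new account: {author_age_days} days")
    return reasons

# Constructed sample: lookalike link plus 30 tagged usernames at the end.
SAMPLE = ("Apply to the W2026 batch: https://apply.ycomblnator.example/w2026\n\n"
          + " ".join(f"@dev{i}" for i in range(30)))

if __name__ == "__main__":
    print(triage_issue(SAMPLE, author_age_days=7))
```

The same `triage_issue` function can be fed issue bodies from a repository's webhook or mail filter; an empty list means none of the signals fired.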
The fraudulent page runs obfuscated JavaScript to prompt users to verify their wallet, claiming to use the EIP-712 + Ethereum Attestation Service.

“During the process, you may see a standard withdrawal notification — this confirms your signature to record verification stamps on-chain. We guarantee that your assets remain completely secure,” claims the deceptive message on the site.
In reality, signing the verification authorizes malicious transactions, and the wallets are drained of their crypto assets.

Following reports from the community to GitHub, IC3, and Google Safe Browsing, the fraudulent repositories were removed. It's unclear if any recipients of the fraudulent messages fell for the ruse and lost cryptocurrency.
Developers who connected their wallets to the drainer site and did not lose any money should move their assets to new wallets as soon as possible.
The official and legitimate portal to learn more about applying to YC's Winter 2026 Batch funding cycle is available here. The deadline to apply for this round is November 10, and the batch will take place next year in San Francisco between January and March.