{
	"id": "d1104919-1692-415e-9a2b-13cc2c61e40b",
	"created_at": "2026-04-06T00:18:51.635242Z",
	"updated_at": "2026-04-10T13:11:52.975522Z",
	"deleted_at": null,
	"sha1_hash": "76a9aeb57348478b931a85a53804816c47519a2a",
	"title": "New Gitloker attacks wipe GitHub repos in extortion scheme",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2147368,
	"plain_text": "New Gitloker attacks wipe GitHub repos in extortion scheme\r\nBy Sergiu Gatlan\r\nPublished: 2024-06-06 · Archived: 2026-04-05 17:27:18 UTC\r\nAttackers are targeting GitHub repositories, wiping their contents, and asking the victims to reach out on Telegram for more\r\ninformation.\r\nThese attacks are part of what looks like an ongoing campaign first spotted on Wednesday by Germán Fernández, a security\r\nresearcher at Chilean cybersecurity company CronUp.\r\nThe threat actor behind this campaign—who has the Gitloker handle on Telegram and is posing as a cyber incident analyst—\r\nis likely compromising targets' GitHub accounts using stolen credentials.\r\nSubsequently, they claim to steal the victims' data, creating a backup that could help restore the deleted data. They then\r\nrename the repository and add a single README.me file, instructing the victims to reach out on Telegram.\r\n\"I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we\r\nhave secured a backup,\" the ransom notes read.\r\nWhen BleepingComputer contacted GitHub earlier today for more details regarding the Gitloker extortion campaign, a\r\nspokesperson was not immediately available for comment.\r\nDozens of GitHub repos already impacted (BleepingComputer)\r\nAfter previous attacks against GitHub users, the company advised users to change their passwords to secure their accounts\r\nagainst unauthorized access. 
This should protect against malicious actions such as adding new SSH keys, authorizing new\r\napps, or modifying team members.\r\nTo prevent attackers from compromising your GitHub account and detect suspicious activity, you should also:\r\nEnable two-factor authentication.\r\nAdd a passkey for secure, passwordless login.\r\nReview and revoke unauthorized access to SSH keys, deploy keys, and authorized integrations.\r\nVerify all email addresses associated with your account.\r\nReview account security logs to track repository changes.\r\nManage webhooks on your repositories.\r\nCheck for and revoke any new deploy keys.\r\nRegularly review recent commits and collaborators for each repository.\r\nCommonly targeted in data theft attacks\r\nThis isn't the first time GitHub accounts have been compromised to steal data from users' private repositories.\r\nAround March 2020, hackers also compromised the account of Microsoft, the developer platform's parent company since\r\nJune 2018, stealing more than 500GB worth of files from Redmond's private repositories.\r\nWhile the stolen files contained mostly code samples, test projects, and other generic items (nothing significant for\r\nMicrosoft to worry about), security experts were concerned that private API keys or passwords might have also accidentally\r\nbeen exposed in the breach.\r\nA now-notorious threat actor known as ShinyHunters also confirmed the inconsequential nature of the stolen data by leaking\r\nit on a hacker forum for free after first planning to sell the stolen files to the highest bidder.\r\nIn September 2020, GitHub warned of a phishing campaign targeting users to compromise their accounts. 
The campaign\r\nused emails pushing fake CircleCI notifications to steal their GitHub credentials and two-factor authentication (2FA) codes\r\nby relaying them through reverse proxies.\r\nGitHub said that the attackers almost immediately began exfiltrating data from victims' private repositories after the\r\ncompromise, adding new user accounts to the organizations to maintain persistence if it used management permissions.\r\nSource: https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/"
	],
	"report_names": [
		"new-gitloker-attacks-wipe-github-repos-in-extortion-scheme"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "821742ae-a498-49cd-8895-742c244c2552",
			"created_at": "2024-06-19T02:00:04.371571Z",
			"updated_at": "2026-04-10T02:00:03.650796Z",
			"deleted_at": null,
			"main_name": "Gitloker",
			"aliases": [],
			"source_name": "MISPGALAXY:Gitloker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434731,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76a9aeb57348478b931a85a53804816c47519a2a.pdf",
		"text": "https://archive.orkl.eu/76a9aeb57348478b931a85a53804816c47519a2a.txt",
		"img": "https://archive.orkl.eu/76a9aeb57348478b931a85a53804816c47519a2a.jpg"
	}
}