Attack Chain

1. Repository Creation (GitHub): Attackers create new repositories on GitHub to host their malicious content.
2. Commit Message Crafting (GitHub): Attackers craft malicious commit messages containing phishing lures within the mandatory summary field and detailed scam content in the optional extended description field.
3. Commit Push (GitHub): Attackers push the crafted commit to the newly created repository, triggering an automated email notification to collaborators and watchers.
4. Project Creation (Jira): Attackers create a new Jira Service Management project to configure automated customer invites.
5. Malicious Data Input (Jira): Attackers inject malicious lures into data fields, such as the “Project Name,” “Welcome Message,” or “Project Description” fields, within the Jira project configuration.
6. Customer Invite (Jira): The attacker utilizes the “Invite Customers” feature and inputs the victim’s email address.
7. Automated Notification Generation (GitHub/Jira): The platforms (GitHub/Jira) automatically generate email notifications containing the attacker-supplied malicious content, bypassing standard email security checks due to the trusted source.
8. Credential Harvesting/Social Engineering: Victims receive the notifications and are tricked into clicking malicious links or providing sensitive information, leading to credential compromise and further exploitation.

Impact

Abusing SaaS notification pipelines can lead to widespread credential compromise and business email compromise (BEC). Successful phishing attacks can grant attackers initial access to corporate networks, enabling data theft, ransomware deployment, and other malicious activities. On February 17, 2026, 2.89% of emails originating from GitHub were associated with this abuse. The trust placed in platforms like GitHub and Jira makes these attacks particularly effective, as users are pre-conditioned to view notifications from these sources as legitimate and urgent.

Recommendation

• Implement detection rules to identify suspicious keywords and patterns within commit messages originating from GitHub (see: “GitHub Commit Message Phishing Lure” rule).
• Monitor for unusual Jira project names or welcome messages that contain suspicious URLs or language (see: “Jira Service Desk Invite Abuse” rule).
• Review email logs for messages originating from noreply[@]github.com that contain invoice-related lures in the subject line, especially spikes in volume (see IOC table).
• Implement enhanced email filtering rules to analyze the content of emails originating from SaaS platforms for phishing indicators.
• Educate users to carefully inspect emails, even from trusted sources like GitHub and Jira, and to verify the legitimacy of links and requests before clicking or providing information.