GitPhish: Automating Enterprise GitHub Device Code Phishing

Two weeks ago, we published research on GitHub Device Code Phishing, a simple technique that can turn an eight-digit code and a phone call into a complete compromise of an organization’s GitHub repositories and software supply chain. While the concept is simple, executing these attacks often brings multiple layers of complexity, like building a convincing ruse and managing a 15-minute expiration period for each phishing attempt. To combat these challenges, we built GitPhish, a new tool for performing GitHub Device Code Phishing with dynamic device-code generation and automated landing page deployment, and today, we’re open-sourcing the project to the public.

Simplifying GitHub Device Code Phishing

OAuth 2.0 Device Authorization Grant implementations, also known as device code flows, typically provide a 15-minute window from when the user generates the user and device code pair until expiration. Leveraging these flows for Social Engineering means the attacker must actively generate the token while the user is on the hook and typically cannot scale this beyond one user at a time. Any attempts at asynchronous, scaled phishing require the attacker to rush the target into completing authentication, typically at the expense of the ruse quality, creating significant operational challenges for security professionals trying to validate their organization’s defenses.
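To make the 15-minute window concrete, here is an added example (not GitPhish code, and not anything from the GitPhish repository) that mocks the OAuth 2.0 Device Authorization Grant (RFC 8628) in memory so the expiry behaviour can be exercised offline. The endpoint shape, the user-code format, the placeholder verification URI and the injectable clock are assumptions for the simulation; no real authorization server, GitHub's included, is contacted.

```python
# Added example (not GitPhish code): in-memory mock of the OAuth 2.0 Device
# Authorization Grant (RFC 8628) so the 15-minute code lifetime described in
# the post can be exercised deterministically. Endpoint shape, user-code
# format, verification URI and the clock are assumptions for the simulation.
import secrets
import string
import time
from dataclasses import dataclass

CODE_LIFETIME_S = 15 * 60   # the 15-minute window the post describes
POLL_INTERVAL_S = 5         # minimum polling interval handed to the client
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits  # assumed format


@dataclass
class DeviceGrant:
    device_code: str    # long secret the client polls the token endpoint with
    user_code: str      # short code the human types at verification_uri
    issued_at: float    # server clock reading when the pair was minted
    approved: bool = False
    redeemed: bool = False

    def expired(self, now: float) -> bool:
        return now - self.issued_at >= CODE_LIFETIME_S

    def seconds_remaining(self, now: float) -> int:
        return max(0, int(CODE_LIFETIME_S - (now - self.issued_at)))


class MockAuthServer:
    """Minimal RFC 8628 server: mints code pairs, records approval, issues tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so time can be moved forward in tests
        self._grants: dict[str, DeviceGrant] = {}

    def device_authorization(self) -> dict:
        """Device authorization response (RFC 8628 section 3.2)."""
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{raw[:4]}-{raw[4:]}",
            issued_at=self.clock(),
        )
        self._grants[grant.device_code] = grant
        return {
            "device_code": grant.device_code,
            "user_code": grant.user_code,
            "verification_uri": "https://auth.example/device",  # placeholder
            "expires_in": CODE_LIFETIME_S,   # the bound a monitoring team can rely on
            "interval": POLL_INTERVAL_S,
        }

    def user_approves(self, user_code: str) -> bool:
        """A person enters the code: only a live, unexpired code can be approved."""
        now = self.clock()
        for grant in self._grants.values():
            if grant.user_code == user_code and not grant.expired(now):
                grant.approved = True
                return True
        return False

    def token(self, device_code: str) -> dict:
        """Token endpoint poll (RFC 8628 sections 3.4 and 3.5)."""
        grant = self._grants.get(device_code)
        now = self.clock()
        if grant is None:
            return {"error": "invalid_grant"}
        if grant.expired(now):
            return {"error": "expired_token"}
        if not grant.approved:
            return {"error": "authorization_pending"}
        if grant.redeemed:
            return {"error": "invalid_grant"}   # one-time use
        grant.redeemed = True
        return {"access_token": secrets.token_hex(20), "token_type": "bearer"}


class FakeClock:
    """Manual clock so the expiry edge case is reproducible."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_expiry() -> tuple[str, str]:
    """Two identical flows; only the delay before the user's approval differs."""
    clock = FakeClock()
    server = MockAuthServer(clock)

    # Approval arrives 20 minutes after the pair was minted: outside the window.
    late = server.device_authorization()
    clock.advance(20 * 60)
    server.user_approves(late["user_code"])
    late_result = server.token(late["device_code"]).get("error", "access_token")

    # Approval arrives one minute after minting: inside the window.
    prompt = server.device_authorization()
    clock.advance(60)
    server.user_approves(prompt["user_code"])
    prompt_result = server.token(prompt["device_code"]).get("error", "access_token")
    return late_result, prompt_result


if __name__ == "__main__":
    print(demo_expiry())
```

The point for defenders is the `expires_in` value in the authorization response: a pending device-code grant is only live for that long, so the time between a code pair being minted and the human approving it is bounded, and an approval that lands inside that window is the event worth logging and reviewing.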

GitPhish aims to solve most of these challenges through two core features:

  • Professional Landing Pages on GitHub Pages: GitPhish fully automates the deployment of GitHub Pages to build instant credibility with targets and walk them through the Device Code login flow.
  • Dynamic Device Code Generation: The platform generates device codes just in time, starting the clock on target interaction instead of when the attacker sends the lure.

This second point enables red team operators to execute GitHub Device Code Phishing attacks across multiple targets without worrying about device code expiration.

[Figure: GitPhish landing page.] A landing page deployed on GitHub Pages that dynamically fetches a device code for the unsuspecting target.

GitPhish can be operated through either a command-line interface or a web dashboard, providing logging, analytics, and token management.

We designed GitPhish explicitly for security teams looking to conduct assessments and build detection capabilities around Device Code Phishing in GitHub. Red teamers can simulate realistic attack scenarios to test organizational resilience, while detection engineers can validate their ability to identify suspicious OAuth flows, unusual GitHub authentication patterns, and potential social engineering attempts.

GitPhish is available now as an open-source tool on GitHub. Installation requires Python and a GitHub personal access token, and takes minutes to set up. Security teams can clone the repository, run pip install ., start up the dashboard, and launch a professional landing page within minutes. The repository includes extensive documentation with real-world examples for red team and detection engineering scenarios.

Explore GitPhish on GitHub: https://github.com/praetorian-inc/GitPhish

For a more hands-on overview, check out our webinar and demo of GitPhish in action.

BlackHat 2025

For security professionals looking to master advanced CI/CD attack techniques, we’re teaching “Pipeline to Pwn: Mastering Modern CI/CD Attack Chains” at BlackHat USA 2025 on August 2-3 and August 4-5. This hands-on training does a deep dive into numerous topics, including Pipeline Secrets Extraction, Self-Hosted Runner Abuse, and PwnRequests, alongside complete attack scenarios that progress from token exposure to full infrastructure compromise. Participants will gain practical experience with offensive techniques and defensive countermeasures in realistic lab environments.


About the Authors

Mason Davis

Mason is a Red Team operator at Praetorian, focused on objective-based Red Team operations, CI/CD and supply chain exploitation, and advancing internal and open-source offensive tooling.
