Thanks, we're getting a lot of emails about this to hn@ycombinator.com.
The best email address for anything like this is security@ycombinator.com, as they handle security issues for all of YC, including applications.
Thanks everyone for letting us know about this.
For anyone at GitHub looking at this thread: please update your documentation page about how to report abuse (https://docs.github.com/en/communities/maintaining-your-safe...). I tried to follow the instructions, but I ran into a bunch of dead ends that slowed me down - I couldn't find the report abuse buttons for issues, comments, or repositories, only for the user profile page. I'm on Chrome on a Mac laptop, logged into GitHub.
Also, on the report abuse page that I got to from the user profile page, the green submit button is nearly hidden by the grey footer, even when I scroll the page around and complete the captcha.
To remove resulting notifications, see instructions here https://github.com/orgs/community/discussions/174283#discuss...
These spam repositories have been deleted, but I still had lingering notifications stuck on GitHub, and I couldn't see them in the UI to remove them (but the small blue notification dot was constantly on). The API hack resolved this problem.
Worth reporting the phishing domain(s) so they can potentially be red-banned https://safebrowsing.google.com/safebrowsing/report_phish/
Done :-)
I almost thought it was real, since I’ve never received an actual email from YC. Can anyone share how to apply to YC and what the notification process looks like if you’re selected?
I got it too from yccombinator/-notification. They keep trying with different account/repo names.
How will this kind of attack be prevented in the future?
Be sure to email this to Daniel dang hn@ycombinator.com and flag the email as high priority. Be sure to include all the email headers.
Also report it to GitHub [1] and the Feds [2] on the off chance someone takes it seriously. Be sure to include all the email headers here too.
[1] - https://docs.github.com/en/communities/maintaining-your-safe...
[2] - https://www.ic3.gov/
Thanks, but it's a YC security issue not an HN/dang issue – security@ycombinator.com!
Thanks! Just wrote them a warning and forwarded the original message.
Still active repo with issues: https://github.com/ycommbbinator/-co/issues
Also got it, found this thread by googling "ycombiinator"
I also received the notification / phishing attack.
Have reported it to GitHub
Add "ycombinatoor" to the list
Also `ycombbinator/-co`
Still at it with a different repo and app that hasn't (yet) been nuked, but I have reported to GitHub.
The repo, the app, and the user account behind each have now all been nuked by GitHub.
Yea I just saw this notif on my GH app.
And another round of mass user tagging at a 'gitcoin-org' username, same message vibe, stopped at 500 issues. This is now GitHub's duty, I assume. Potentially more, I see a couple of different names on r/github. Yup, via https://github.com/orgs/community/discussions/174283
you should email hn@ycombinator.com attn: Dang
Thanks, but it's a YC security issue not an HN/dang issue – security@ycombinator.com!
it seems that i have very recently acquired some new links in my footer, one of them is what you're mentioning.
either it's something i have changed on this particular agent, something changed on HN, or a newly acquired feat due to accumulated X.P.
thanx for pointing at it.
Security's been in the footer for ages (as you can perhaps tell from the log), and it's visible without being logged in (0 karma)
ah so it's just some tweaking of the filtering at my side.
I just got it a few mins ago