A new hacking method lets attackers steal GitHub login tokens, the digital keys that let you access your account, with just one click. Security researchers found that hackers can trick developers into clicking a malicious link, which then grabs their full GitHub OAuth tokens without asking permission. OAuth tokens work like passwords that let apps use your GitHub account on your behalf, so stealing them gives hackers the ability to access your code, make changes, and potentially damage your projects.
GitHub is a platform where millions of software developers store and work on code. When you use GitHub, you often connect it to other apps or services that need permission to access your account. This permission system uses OAuth tokens. Attackers discovered a gap in how GitHub handles these tokens that lets them steal the entire token through a trick rather than needing your password.
This puts any developer who works on GitHub at risk, especially those who use GitHub to connect to other services like cloud storage, continuous integration tools, or code deployment systems. If a hacker gets your token, they can impersonate you completely. They could delete projects, steal private code, inject malicious code into public projects, or use your account to attack other developers.
GitHub and security teams are working on fixes, but developers should act now. The main defense is to review what apps and services have permission to access your GitHub account and remove ones you no longer use. You should also enable two-factor authentication, which adds an extra security step when logging in. If you think your token was stolen, you can revoke it immediately from your GitHub settings, which forces you to log in again.
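The review step above is easier to act on when you know exactly what a given token is allowed to do. The following Python script is an added example (not code from the article or from GitHub): it reads a token from an environment variable (`GITHUB_TOKEN`, an assumed name), asks the GitHub API for the token's granted scopes via the `X-OAuth-Scopes` response header, and compares them against an allowlist you define. Scope names come from GitHub's documented OAuth scopes; the allowlist and the "high risk" descriptions are assumptions you should tune to your own needs.

```python
"""Audit a GitHub OAuth / classic personal-access token's scopes against a
least-privilege allowlist.  Added example; the allowlist is an assumption."""
import os
import sys
import urllib.request

# Scopes that give a stolen token the most power.  The scope names are real
# GitHub OAuth scopes; the one-line descriptions are our own summaries.
HIGH_RISK_SCOPES = {
    "repo": "read/write on every repository the user can reach, private ones included",
    "delete_repo": "can delete repositories",
    "admin:org": "full control over organizations the user administers",
    "workflow": "can change GitHub Actions workflow files (CI/CD code execution)",
    "admin:public_key": "can add SSH keys, i.e. persistent git access",
    "write:packages": "can publish packages under the user's name",
}

# Example allowlist for a read-only integration (assumption; adjust per app).
DEFAULT_ALLOWED = {"read:org", "read:user"}


def parse_scopes(header_value: str) -> set[str]:
    """Turn the comma-separated X-OAuth-Scopes header into a set of scope names."""
    return {part.strip() for part in header_value.split(",") if part.strip()}


def audit_scopes(granted: set[str], allowed: set[str]) -> dict:
    """Compare granted scopes to an allowlist.

    Returns a dict with:
      excess    - scopes granted but not in the allowlist
      high_risk - {scope: description} for granted scopes in HIGH_RISK_SCOPES
      ok        - True only if nothing is in excess
    """
    excess = granted - allowed
    high_risk = {s: HIGH_RISK_SCOPES[s] for s in granted if s in HIGH_RISK_SCOPES}
    return {"excess": excess, "high_risk": high_risk, "ok": not excess}


def fetch_scopes(token: str) -> set[str]:
    """Query GitHub for the scopes attached to `token` (network call).

    GitHub reports granted scopes for OAuth-app and classic personal-access
    tokens in the X-OAuth-Scopes header of any authenticated API response.
    Other token types may not carry the header, in which case this returns
    an empty set.
    """
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "scope-audit-example",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes", ""))


def format_report(result: dict) -> str:
    """Human-readable summary of an audit_scopes() result."""
    lines = []
    if result["ok"]:
        lines.append("OK: token holds no scopes beyond the allowlist.")
    else:
        lines.append("EXCESS scopes (revoke or re-issue with fewer): "
                     + ", ".join(sorted(result["excess"])))
    for scope, why in sorted(result["high_risk"].items()):
        lines.append(f"  high risk: {scope} -> {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed variable name
    if not token:
        sys.exit("set GITHUB_TOKEN to the token you want to audit")
    print(format_report(audit_scopes(fetch_scopes(token), DEFAULT_ALLOWED)))
```

Run it with the token exported in the environment rather than pasted on the command line, so it does not end up in shell history. A token that reports `repo` or `workflow` for an integration that only needs to read organization membership is exactly the kind of over-broad grant worth revoking from your GitHub settings.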