Possible Security Breach on Dependabot or Github #81478
Topic area: Bug

Hi all,

As of this morning, I received the attached email from notifications@github.com. The email contains Bitcoin scam links. This email was sent in the same thread as the Dependabot one. Either Dependabot has been breached or GitHub has. Could you please provide information on whether there is a real breach? I can forward the mail if you'd like. Please let me know if you have any questions.
Replies: 1 comment 1 reply
Hi @anilgurses, thanks for posting this!

I appreciate your concern here and hopefully I can reassure you.

It looks like you've subscribed to notifications for PRs on a repository and an account has opened a PR or commented on a thread with off-topic spam. Your email client looks to be threading or grouping these as it's the notifications email address, but it's not all originating from Dependabot.

We've seen some abuse like this and our security teams are working hard on stopping this sort of activity in its tracks so that we can keep our users from having to witness content like this. Unfortunately some of it makes it through the notifications system before we get it off the site, but we're working on shoring this up too. (You might find that by the time you visit the repo in question the content is nowhere to be found!)

I can reassure you that Dependabot has not been breached and that this is a known area of abuse firmly on our radar, but thank you again for your diligence here and for striving to keep GitHub a safe space for all developers.

I'd encourage anyone who receives an email similar to this to ignore it and not click any links. Users are always free to report abuse on the platform by following these instructions:

Cheers,
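One check a recipient can run on mail like this, added here as an example and not taken from the discussion above: GitHub notification mail names the account that triggered it in the X-GitHub-Sender header and the delivery reason in X-GitHub-Reason, while the From address is notifications@github.com for every sender, which is why a mail client threads Dependabot's PR and a spammer's comment together. The Python script below parses a constructed sample of three notifications (not real mail; the organisation, repository, account names and URLs are invented), groups them into threads by In-Reply-To/Message-ID, and flags any message that did not come from the account that opened the thread and that carries links to hosts other than github.com.

```python
"""Triage GitHub notification mail that a mail client has threaded together.

Constructed sample input, not real mail. Header names (X-GitHub-Sender,
X-GitHub-Reason, Message-ID, In-Reply-To) are the ones GitHub notification
mail carries; every account, repository and URL below is invented.
"""
import email
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_MAIL = [
"""From: dependabot[bot] <notifications@github.com>
Subject: [example-org/example-repo] Bump lodash from 4.17.20 to 4.17.21 (#42)
Message-ID: <example-org/example-repo/pull/42@github.com>
X-GitHub-Sender: dependabot[bot]
X-GitHub-Reason: subscribed

Bumps lodash from 4.17.20 to 4.17.21.
https://github.com/example-org/example-repo/pull/42
""",
"""From: free-btc-now <notifications@github.com>
Subject: Re: [example-org/example-repo] Bump lodash from 4.17.20 to 4.17.21 (#42)
Message-ID: <example-org/example-repo/pull/42/c1001@github.com>
In-Reply-To: <example-org/example-repo/pull/42@github.com>
X-GitHub-Sender: free-btc-now
X-GitHub-Reason: subscribed

CLAIM YOUR BITCOIN: http://btc-giveaway.example/claim?ref=gh
""",
"""From: repo-maintainer <notifications@github.com>
Subject: Re: [example-org/example-repo] Bump lodash from 4.17.20 to 4.17.21 (#42)
Message-ID: <example-org/example-repo/pull/42/c1002@github.com>
In-Reply-To: <example-org/example-repo/pull/42@github.com>
X-GitHub-Sender: repo-maintainer
X-GitHub-Reason: subscribed

LGTM, merging. See https://github.com/example-org/example-repo/actions for CI.
""",
]

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def is_github_host(url):
    """True only for github.com itself or a subdomain of it (not github.com.evil.example)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "github.com" or host.endswith(".github.com")


def parse_notification(raw):
    """Pull the threading headers, the real GitHub sender and any off-GitHub links."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    links = URL_RE.findall(body)
    message_id = (msg.get("Message-ID") or "").strip()
    return {
        "sender": (msg.get("X-GitHub-Sender") or "").strip(),
        "reason": (msg.get("X-GitHub-Reason") or "").strip(),
        "message_id": message_id,
        # A reply threads onto the message it answers; the root threads onto itself.
        "thread_id": (msg.get("In-Reply-To") or message_id).strip(),
        "external_links": [u for u in links if not is_github_host(u)],
    }


def triage(raw_messages):
    """Group notifications into threads and flag messages whose sender is not the
    account that opened the thread and that link off GitHub."""
    by_thread = defaultdict(list)
    for raw in raw_messages:
        rec = parse_notification(raw)
        by_thread[rec["thread_id"]].append(rec)

    findings = []
    for thread_id, msgs in by_thread.items():
        root = next((m for m in msgs if m["message_id"] == thread_id), None)
        opener = root["sender"] if root else None
        for m in msgs:
            if m["sender"] != opener and m["external_links"]:
                findings.append({
                    "thread": thread_id,
                    "thread_opener": opener,
                    "sender": m["sender"],
                    "reason": m["reason"],
                    "links": m["external_links"],
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MAIL):
        print(f"thread opened by {f['thread_opener']}: message from {f['sender']} "
              f"links off GitHub -> {f['links']}")
```

The constructed spam comment is the only message flagged: it sits in the thread that dependabot[bot] opened, but its X-GitHub-Sender is a different account and its link points off github.com. Checking the sender header rather than the From line is the point; the From line is notifications@github.com for all three.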