In a sophisticated shift in tactics, cybercriminals are increasingly weaponizing the trusted notification pipelines of major collaboration platforms like GitHub and Jira to deliver phishing and credential harvesting lures. A recent report from Cisco Talos reveals that attackers are moving away from traditional email infrastructure, instead utilizing a technique dubbed Platform-as-a-Proxy (PaaP) to bypass modern security defenses.
By sending malicious content directly through a platform’s legitimate mail delivery systems, these emails arrive with a “seal of approval” that satisfies standard authentication protocols like SPF, DKIM, and DMARC.
The campaign exploits the implicit trust organizations place in SaaS providers, with each platform serving a specific strategic purpose for the attackers.
On GitHub, the attack is a pure “notification pipeline” abuse. Attackers create new repositories and push commits with malicious payloads embedded directly in the commit messages.

The mandatory commit summary is used to craft a social engineering “hook”. The optional extended description field is used to house the primary scam content, such as fraudulent billing details or fake support numbers.
During a peak day in February 2026, Talos observed that approximately 2.89% of emails sent from GitHub were associated with this abusive activity.
The Jira vector focuses on “abuse of the collaborative invitation feature”. Because Jira is business-critical, its emails are rarely blocked, allowing attackers to mimic urgent internal IT or helpdesk alerts.
Attackers configure a Jira Service Management project with a deceptive “Project Name” (e.g., “Argenta”). When the platform sends an automated “Customer Invite,” it wraps the attacker’s fraudulent input within a “cryptographically signed, trusted email template”.
According to the report, “the trust paradox is now the primary driver of successful phishing and scamming”. While GitHub is used for its high developer reputation, Jira is exploited because employees are “pre-conditioned to treat [it] as urgent and legitimate”. In both scenarios, attackers use the platform’s own reputation to “launder their malicious content”.
Defending against PaaP attacks requires a fundamental shift in how security teams view SaaS traffic. Reactive, signature-based filtering is no longer enough when the gateway is “effectively blind to the malicious intent”.
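An added example, not code from Talos or this article: a Python heuristic that treats passing SPF/DKIM/DMARC on platform notifications as a reason to inspect content rather than as a verdict, flagging the billing language and support numbers described above. The sender domains, patterns, function names and sample messages are assumptions constructed for illustration, and the check assumes the Authentication-Results header is stamped by your own gateway.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: domains your platform notifications arrive from; adjust to your mail flow.
PLATFORM_DOMAINS = ("github.com", "atlassian.net")
# Constructed patterns for the lure content the report names:
# fake support numbers and fraudulent billing details.
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
BILLING = re.compile(r"\b(invoice|billing|charged|refund|subscription|payment)\b", re.I)

def from_platform(msg):
    """Exact or subdomain match only, so lookalikes such as notgithub.com fail."""
    domain = parseaddr(str(msg.get("From", "")))[1].lower().rpartition("@")[2]
    return any(domain == d or domain.endswith("." + d) for d in PLATFORM_DOMAINS)

def auth_passed(msg):
    """True when Authentication-Results reports pass for SPF, DKIM and DMARC."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))

def lure_signals(raw):
    """Content signals for mail that is authenticated AND platform-sent."""
    msg = message_from_string(raw, policy=policy.default)
    if not (from_platform(msg) and auth_passed(msg)):
        return []  # out of scope here; ordinary filtering covers this mail
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    signals = []
    if PHONE.search(text):
        signals.append("phone-number")
    if BILLING.search(text):
        signals.append("billing-language")
    return signals

# Constructed sample messages (not taken from the report).
HEADERS = ("From: {sender}\nAuthentication-Results: mx.example.net; "
           "spf=pass; dkim=pass; dmarc=pass\nSubject: {subject}\n\n{body}\n")
SCAM = HEADERS.format(sender="notifications@github.com",
    subject="[acct/updates] Invoice 88213 payment processed",
    body="Your subscription was charged 499.99 USD. Call support at +1 (808) 555-0147.")
BENIGN = HEADERS.format(sender="notifications@github.com",
    subject="[acme/parser] Fix null check in tokenizer", body="Closes #42.")
LOOKALIKE = SCAM.replace("notifications@github.com", "billing@notgithub.com")

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN), ("lookalike", LOOKALIKE)):
        print(name, lure_signals(raw))
```

Signals like these are triage inputs for platform mail that already authenticated cleanly, not a block rule; legitimate notifications can also mention invoices or phone numbers.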