GitHub notifications abused to impersonate Y Combinator for crypto theft www.bleepingcomputer.com/news/secu…

A massive phishing campaign targeted GitHub users with cryptocurrency drainers, delivered via fake invitations to the Y Combinator (YC) W2026 program.

Y Combinator is a startup accelerator that funds and mentors projects in their early stages, and connects founders with a network of alumni and venture capital firms.

The attacker abused GitHub’s notification system to deliver the fraudulent messages, by creating issues across multiple repositories and tagging targeted users.

When mentioning an account name in an issue, GitHub automatically sends a notification. Since the email comes from a legitimate source, it went straight to the inbox of intended recipients.