+++ title = "Novel phishing tactic using github notifications" date = 2025-10-24 slug = "github-phishing" description = "the creators certainly didn't execute this very well"

[taxonomies] tags = ["phishing"] +++

I received an email yesterday at 19:45 EST titled [yccombinator/-notification] Y-Combinator W2026 | $15M Y-Combinator & GitHub (Issue #126). From a quick glance it was easy to tell that it was a phising email funneling people to https://y-comblnator.com/apply. They did at least try to disguise the link but then there is a ton of whitespace and you can see that they tagged 32 github users including mine.

{{ img(id="https://hc-cdn.hel1.your-objectstorage.com/s/v3/47a842d35a86d6ac16d717b40ee69f2f801ff852_screenshot_2025-09-23_at_21.23.19.png" alt="a screenshot of the email" caption="I've never seen something simultaniously this stupid and (as far as i can tell) novel") }}

Like most phishing emails I doubt most people would fall for this but if you were moving quickly and not thinking straight maybe you could fall for this?

Cloudflare has blocked the site due to phishing by now (13:17 Sept 24th) which is a shame since I would have loved to dig into the site a bit.