Threat: Phishing & impersonation

Fake GitHub / GitLab developer account security phishing — impersonates GitHub, GitLab, Bitbucket, or npm claiming unauthorized access, account compromise, or suspended account — driving to a credential-harvest page that captures developer credentials giving access to SSH keys, API tokens, private repos, and CI/CD secrets; Proofpoint 2024: GitHub is the most impersonated developer platform brand; phishing surged 250% after 2023 credential-stuffing campaigns targeting OSS maintainers

fake-github-gitlab-developer-account-security-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating GitHub, GitLab, Bitbucket, or npm claim that the developer's account has been accessed without authorization, suspended, or compromised. They drive the recipient to a credential-harvest page that captures the developer's login credentials, giving the attacker access to SSH keys, personal access tokens, private repositories, CI/CD pipeline secrets, and npm publish rights.

Key facts:

(1) Proofpoint 2024: GitHub is the most impersonated developer platform brand in email phishing campaigns; phishing targeting developer accounts surged 250% in the months following major 2023 credential-stuffing campaigns that leaked developer credentials from multiple breached services.

(2) Developer accounts are uniquely high-value targets: a single GitHub account may control SSH keys to production servers, personal access tokens with repo-write and packages-publish scope, private repos containing proprietary code and infrastructure secrets, Dependabot configurations with access to CI/CD tokens, and npm packages downloaded millions of times per week by other developers. The supply chain attack potential is enormous.

(3) The "account compromised" pretext is highly effective for developers, who are security-aware enough to act on security alerts but busy enough to click quickly without verifying the sender domain; the emails mimic GitHub's exact email format, typography, and "Review the recent sign-in" CTA structure.

(4) Legitimate GitHub, GitLab, and Bitbucket security notifications arrive only from their verified domains (noreply@github.com, gitlab.com, bitbucket.org) and link directly to the platform's security settings. They never direct users to third-party verification pages or request password re-entry outside the official domain.

Warning signs: sender not github.com, gitlab.com, bitbucket.org, or npmjs.com; urgency about account deactivation or repository loss; link to non-official credential page; no reference to specific recent security events, commit history, or SSH key fingerprint.
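The first three warning signs above can be checked mechanically. The sketch below is an added example, not Gorganizer's own code: the function names, regexes and both sample messages are constructed for illustration, and the result is a set of signals to feed a score, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Official domains named on this page; everything else here is an assumption.
OFFICIAL = {"github.com", "gitlab.com", "bitbucket.org", "npmjs.com"}
BRANDS = re.compile(r"\b(github|gitlab|bitbucket|npm)\b", re.I)
URGENCY = re.compile(r"\b(suspend|deactivat|unauthori[sz]ed|compromised|locked)", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed sample messages (reserved .example domains).
PHISH = """\
From: GitHub Security <alerts@github-account-review.example>
Subject: Your account has been suspended

We detected unauthorized access. Review the recent sign-in:
https://github.com.signin-review.example/login
"""
LEGIT = """\
From: GitHub <noreply@github.com>
Subject: [GitHub] A new SSH key was added to your account

Review it at https://github.com/settings/keys
"""

def is_official(host):
    """True for an official domain or a true subdomain of one (label-boundary match)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def warning_signs(raw):
    """Return the warning signs found in a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    # Text parts only; transfer encodings are not decoded in this sketch.
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart() and p.get_content_maintype() == "text")
    text = f"{name} {msg.get('Subject', '')} {body}"
    signs = set()
    if not BRANDS.search(text):
        return signs  # no developer-platform brand claimed, so out of scope
    if not is_official(addr.rpartition("@")[2]):
        signs.add("sender_not_official")
    if URGENCY.search(text):
        signs.add("urgency")
    if any(not is_official(urlparse(u).hostname) for u in URL.findall(body)):
        signs.add("link_off_platform")
    return signs
```

The label-boundary comparison in `is_official` is what rejects lookalike hosts such as `github.com.signin-review.example`, which a naive substring or prefix check would accept.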

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
