Fake GitHub / GitLab repository hosting subscription payment failed, organization repositories suspended, enterprise licenses disabled, or repository access no longer active phishing
fake-github-gitlab-repository-hosting-billing-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Phishing emails impersonating GitHub or GitLab claiming the repository hosting subscription payment has failed, organization repositories are suspended or archived, enterprise licenses are disabled, or repository access is no longer active — directing victims to update billing through a credential-harvesting portal.

A distinct attack category with uniquely broad reach: GitHub has 90+ million developer accounts (including 16,000+ GitHub Enterprise organizations at $21/user/month or $231/user/year) and GitLab has 30+ million registered users (2,500+ paying enterprise customers at $19-$99/user/month). GitHub repository suspension phishing is credible to virtually every software developer who receives an email, regardless of whether they are the organization owner or billing contact, because repository suspension affects every engineer in the org simultaneously.

Key facts:

(1) GitHub's organization billing model creates specific targeting opportunities: GitHub Enterprise organizations pay per active member per month; when an organization's payment method expires, GitHub archives all private repositories. A 'GitHub organization repositories will be suspended' email timed around month-end (when GitHub bills) exploits the legitimate billing cycle timing; organization owners who have previously received genuine GitHub billing reminders are primed to respond to suspension warnings.

(2) The repository archive/suspension hook is uniquely catastrophic for software teams: a GitHub organization suspension immediately prevents all members from pushing code, making pull requests, or running CI/CD workflows, so the entire development pipeline stops; for companies where GitHub Actions runs their CI/CD, repository archiving also stops all automated testing, deployment pipelines, and release workflows.

(3) GitLab's self-hosted + SaaS model creates additional targeting surface: GitLab Ultimate/Premium customers receive genuine license expiration emails; the 'licenses no longer active' hook for GitLab is particularly plausible because GitLab genuinely sends license renewal reminders for its instance licensing model.

(4) GitHub and GitLab are deeply integrated into every engineering team's workflow: both platforms are authenticated via OAuth for dozens of third-party services (Vercel, Netlify, Linear, Jira, Slack, Heroku, CircleCI, Jenkins); a GitHub credential compromise gives attackers access to every service that has been authorized to 'Sign in with GitHub'.

(5) GitHub and GitLab credentials expose the complete source code and CI/CD architecture: every private repository containing proprietary source code, all CI/CD pipeline configurations including deployment scripts and environment variable references, all GitHub Actions secrets and GitLab CI variables (which often contain cloud provider credentials, API keys, and database connection strings), branch protection rules and required reviewers revealing the deployment approval process, and the webhook configurations showing what external services receive push notifications.

Warning signs: sender not github.com or gitlab.com; genuine GitHub billing at github.com/settings/billing; GitLab billing at gitlab.com/billing.
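The warning signs above expressed as a check over a raw message, added here as an illustration and not Gorganizer's own code: it flags mail that claims GitHub or GitLab and uses a billing lure while the sender or a linked host falls outside github.com / gitlab.com. The lure regex, function names and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = ("github.com", "gitlab.com")  # genuine domains named on this page
BRAND_RE = re.compile(r"\bgit(?:hub|lab)\b", re.I)
# Lure phrases modelled on the hooks described above (assumed wording).
LURE_RE = re.compile(
    r"payment (?:has )?failed"
    r"|repositor(?:y|ies) (?:will be |are |have been )?(?:suspended|archived)"
    r"|licen[sc]es? (?:are |is )?(?:disabled|no longer active)"
    r"|access is no longer active|update (?:your )?billing", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_legit(host):
    """True only for the exact domain or a real subdomain, not a lookalike prefix."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def assess(raw):
    """Return the individual findings plus an overall 'match' for one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{display}\n{msg.get('Subject', '')}\n{body}"
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    found = {
        "brand_claimed": bool(BRAND_RE.search(text)),
        "billing_lure": bool(LURE_RE.search(text)),
        # The From header can be forged, so link hosts are checked as well.
        "sender_off_domain": not is_legit(addr.rpartition("@")[2]),
        "off_domain_links": sorted(h for h in hosts if not is_legit(h)),
    }
    found["match"] = (found["brand_claimed"] and found["billing_lure"]
                      and (found["sender_off_domain"] or bool(found["off_domain_links"])))
    return found

# Constructed sample messages (not real mail); .example domains are placeholders.
PHISH = ("From: GitHub Billing <billing@github-billing.example>\n"
         "Subject: [GitHub] Payment failed: organization repositories will be suspended\n\n"
         "Update your billing: https://github.com.billing-update.example/settings/billing\n")
GENUINE = ("From: GitHub <noreply@github.com>\n"
           "Subject: [GitHub] Payment failed for your organization\n\n"
           "Review your payment method at https://github.com/settings/billing\n")

if __name__ == "__main__":
    print(assess(PHISH)["match"], assess(GENUINE)["match"])
```

The suffix comparison in `is_legit` is what separates `github.com.billing-update.example` from a genuine `github.com` host; a substring test would accept the lookalike.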
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.