Fake GitHub deploy-key rotation lure — "[GitHub] Your repository deploy key expires in 48 hours" GitHub-noreply spoof; CTA installs attacker SSH public key via UI link. Sender NOT on the GitHub canonical-allowlist (github.com, githubapp.com, githubusercontent.com, github.io, githubcopilot.com, githubenterprise.com). Real GitHub deploy-key UI is at github.com/{org}/{repo}/settings/keys — never reachable via inbound email link demanding new SSH-pubkey install. Distinct from R6 SSO migration (auth-flow) — this signal is specifically the org-level repo-trust takeover precursor. Supply-chain breach precursor: attacker SSH pubkey on org repo → CI/CD code-injection → downstream npm publish takeover. Source: Red-Team R8 multi-agent council S1 (supply-chain specialist).
github-deploy-key-rotation-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake GitHub deploy-key rotation lure targeting repository owners, organization admins and CI/CD operators. The phish narrative arrives as: "[GitHub] Your repository deploy key for octocat/hello-world will expire in 48 hours. Click below to install the new SSH public key on your repo settings → Deploy keys to maintain CI/CD access," or "Per GitHub policy update, your organization deploy keys must be rotated within 48 hours. Add the new SSH public key to your repository settings → Deploy keys section to avoid CI/CD interruption."

Lookalike GitHub-noreply portals lure the user into installing an attacker-controlled SSH public key on the org repo (which then allows the attacker SSH access to clone, push, modify CI workflows, and inject malicious code into the build pipeline), and also harvest GitHub PATs (Personal Access Tokens), SSO credentials and organization-admin sessions. This is an org-level repo-trust takeover and a supply-chain breach precursor: attacker SSH pubkey on org repo → CI/CD code-injection → downstream npm publish takeover (cf. tj-actions / reviewdog 2025 incidents) → end-customer compromise at scale.

Real GitHub deploy-key UI is at github.com/{org}/{repo}/settings/keys, never reachable via an inbound email link demanding a new SSH-pubkey install. Real GitHub email notifications come from `noreply@github.com` with DKIM-aligned `email.github.com` envelope, never from a lookalike domain demanding deploy-key rotation under deadline pressure. The sender is NOT on the GitHub canonical-allowlist (github.com, githubapp.com, githubusercontent.com, github.io, githubcopilot.com, githubenterprise.com). Distinct from R6 SSO migration (auth-flow): this signal is specifically the org-level repo-trust / deploy-key pretext.
Fires when the body matches all three conditions: (1) it references GitHub / git-hub / GH-actions / GitHub Actions; AND (2) it references deploy key(s) / repository deploy key / repo deploy key / SSH deploy key / SSH (public) key / deploy-key (rotation/rotate/expir/expires/expiring/install/add); AND (3) it carries urgency wording: expir(e/es/ing/ed/y) / rotat(e/ed/ing/ion) / install / add / within N hours-days / 24 hours / 48 hours / deadline / action required / maintain / interruption / policy update. Excludes the canonical GitHub domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R8 multi-agent council S1 (supply-chain specialist).
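The three-condition rule and the allowlist exclusion described above, sketched as an added example; this is not Gorganizer's own code. The regexes, function names and sample messages are assumptions built from the rule text, and the From header is taken at face value.

```python
import re
from email.utils import parseaddr

# Canonical GitHub domains listed on this page; senders on them are excluded.
GITHUB_ALLOWLIST = {"github.com", "githubapp.com", "githubusercontent.com",
                    "github.io", "githubcopilot.com", "githubenterprise.com"}

# The three body conditions from the rule text, as assumed regexes.
BRAND = re.compile(r"\b(?:git-?hub|gh-actions)\b", re.I)
DEPLOY_KEY = re.compile(
    r"\b(?:deploy[\s-]keys?|ssh\s+(?:public\s+)?keys?)\b", re.I)
URGENCY = re.compile(
    r"\b(?:expir(?:e[sd]?|ing|y)|rotat(?:ed?|ing|ion)|install|add"
    r"|within\s+\d+\s+(?:hours?|days?)|(?:24|48)\s+hours|deadline"
    r"|action\s+required|maintain|interruption|policy\s+update)\b", re.I)

def sender_domain(from_header):
    """Lower-cased domain of the From address ('' if none can be parsed)."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")

def is_canonical_github(domain):
    # Exact match or true subdomain only: 'github.com.evil.example' fails.
    return any(domain == d or domain.endswith("." + d) for d in GITHUB_ALLOWLIST)

def deploy_key_lure(from_header, body):
    """True when the sender is off-allowlist and all three conditions hit.
    Assumption: DKIM alignment of the From domain is verified by a separate
    check before this exclusion is relied on."""
    if is_canonical_github(sender_domain(from_header)):
        return False
    return all(p.search(body) for p in (BRAND, DEPLOY_KEY, URGENCY))

# Constructed sample messages (From header, body); not real mail.
SAMPLES = [
    ("GitHub <noreply@github-notify.example>",
     "[GitHub] Your repository deploy key for octocat/hello-world will "
     "expire in 48 hours. Install the new SSH public key to keep CI/CD."),
    ("GitHub <noreply@github.com.evil.example>",
     "Per GitHub policy update, organization deploy keys must be rotated."),
    ("GitHub <noreply@github.com>",
     "A deploy key was added to octocat/hello-world."),
    ("Dev Weekly <news@devweekly.example>",
     "GitHub shipped new Actions runners this week."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(deploy_key_lure(sender, body), sender)
```

The allowlist comparison matches the registered domain or a true subdomain only, so a lookalike that merely embeds `github.com` as a prefix label is still evaluated against the body conditions.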
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.