Mass Phishing Emails Pretending to Be Y Combinator Right Now

Posted3 months agoActive3 months ago

Tremeschin

65 points

31 comments

Techstory

heatednegative

Debate

20/100

PhishingGithubY Combinator

Key topics

Phishing

Github

Y Combinator

Just received quite a smart phishing email/notification coming from "GitHub" by a user created less than a week ago (1) which is currently creating multiple issues a minute tagging many random usernames in a repository (2) with a "ycombinatornotify" app (3). The usual - asking to verify wallets, deposit for authorization as I've been selected for funding, etc. All issues contains the content of the email received, so I'll not paste them here (they're gone, but still, a bad idea to paste it).

- (3m in) They seem to have been rate limited or reached a target of 500 issues

- (5m in) Repository was just taken down, hope they automate back a warning

- They have typo-squatted the "y-comb[l]nator [dot] com" domain (with hyphen and L)

Quite urgent actions are needed to stop it, or warn the affected. Will update the submission with more information as time goes.

- [1]: https://github.com/ycombinato/

- [2]: https://github.com/ycombinato/rorg/

- [3]: https://github.com/apps/ycombinatornotify

A mass phishing campaign is targeting users by pretending to be Y Combinator, using GitHub to spread malicious emails and notifications, prompting a swift response from the community and GitHub.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment

Peak period

0-3h

Avg / period

4.4

Comment distribution31 data points

Loading chart...

Based on 31 loaded comments

Key moments

01Story posted
Sep 23, 2025 at 4:52 PM EDT
3 months ago
Step 01
02First comment
Sep 23, 2025 at 4:55 PM EDT
2m after posting
Step 02
03Peak activity
14 comments in 0-3h
Hottest window of the conversation
Step 03
04Latest activity
Sep 25, 2025 at 3:57 AM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (31 comments)

Showing 31 comments

rolph

3 months ago

1 reply

you should email hn@ycombinator.com attn: Dang

tomhow

3 months ago

1 reply

Thanks, but it's a YC security issue not an HN/dang issue – security@ycombinator.com!

rolph

3 months ago

1 reply

it seems that i have very recently aquired some new links in my footer, one of them is what your mentioning.

either its something i have changed on this particular agent, somthing changed on HN, or a newly aquired feat due to accumulated X.P.

thanx for pointing at it.

gnabgib

3 months ago

1 reply

Security's been in the footer for ages (as you can perhaps tell from the log), and it's visible without being logged in (0 karma)

rolph

3 months ago

ah so its just some tweaking of the filtering at my side.

Bender

3 months ago

2 replies

Be sure to email this to Daniel dang hn@ycombinator.com and flag the email as high priority. Be sure to include all the email headers.

Also report it to github [1] and the Feds [2] in the off chance someone takes it seriously. Be sure to include all the email headers here too.

[1] - https://docs.github.com/en/communities/maintaining-your-safe...

[2] - https://www.ic3.gov/

TremeschinAuthor

3 months ago

Thanks! Just wrote them a warning and forwared the original message.

tomhow

3 months ago

Thanks, but it's a YC security issue not an HN/dang issue – security@ycombinator.com!

domdfcoding

3 months ago

1 reply

Still at it with a different repo and app that hasn't (yet) been nuked, but I have reported to GitHub.

domdfcoding

3 months ago

The repo, the app, and the user account behind each have now all been nuked by GitHub.

gbrayut

3 months ago

1 reply

Worth reporting the phishing domain(s) so they can potentially be red-banned https://safebrowsing.google.com/safebrowsing/report_phish/

mulka

3 months ago

Done :-)

its-all-waves

3 months ago

1 reply

Add "ycombinatoor" to the list

muhuk

3 months ago

Also `ycombbinator/-co`

e1g

3 months ago

1 reply

To remove resulting notifications, see instructions here https://github.com/orgs/community/discussions/174283#discuss...

These spam repositories have been deleted, but I still had lingering notifications stuck on GitHub, and I couldn't see them in the UI to remove them (but the small blue notification dot was constantly on). The API hack resolved this problem.

jakesomething

3 months ago

Came here looking for this. Thank you - removed the annoying blue notification now.

shakibamoshiri

3 months ago

Got it this morning both mail INBOX and Github notif

sdpy

3 months ago

I've received it from ycoommbinator/-co

om8

3 months ago

Also got it, found this thread by googling "ycombiinator"

WeMoveOn

3 months ago

I just got it a few mins ago

tomhow

3 months ago

Thanks, we're getting a lot of emails about this to hn@ycombinator.com.

The best email address for anything like this is security@ycombinator.com, as they handle security issues for all of YC, including applications.

Thanks everyone for letting us know about this.

yb0000

3 months ago

I almost thought it was real, since I’ve never received an actual email from YC. Can anyone share how to apply to YC and what the notification process looks like if you’re selected?

aanet

3 months ago

I also received the notification / phishing attack.

Have reported it to Github

TremeschinAuthor

3 months ago

And another round of mass user tagging at a 'gitcoin-org' username, same message vibe, stopped at 500 issues. This is now a GitHub's duty I assume. Potentially more, I see a couple different names on r/github. Yup, via https://github.com/orgs/community/discussions/174283

mulka

3 months ago

Stil active repo with issues: https://github.com/ycommbbinator/-co/issues

britta

3 months ago

For anyone at GitHub looking at this thread: please update your documentation page about how to report abuse (https://docs.github.com/en/communities/maintaining-your-safe...). I tried to follow the instructions, but I ran into a bunch of dead ends that slowed me down - I couldn't find the report abuse buttons for issues, comments, or repositories, only for the user profile page. I'm on Chrome on a Mac laptop, logged into GitHub.

Also, on the report abuse page that I got to from the user profile page, the green submit button is nearly hidden by the grey footer, even when I scroll the page around and complete the captcha.

mavdotj

3 months ago

Just got one a minute ago from ycombinator-notify/ycombinator and a bot named mail-notifaction-automatic

DaxSudo

3 months ago

Yea I just saw this notif on my GH app.

wonger_

3 months ago

How will this kind of attack be prevented in the future?

tfarias

3 months ago

I got it too from yccombinator/-notification. They keep trying with different account/repo names.