dunkirk.sh
the home site for me: also iteration 3 or 4 of my site
feat: add phishing blog post
+19
+19
content/blog/2025-10-24_github-phishing.md
+19
content/blog/2025-10-24_github-phishing.md
···
1
+
+++
2
+
title = "Novel phishing tactic using github notifications"
3
+
date = 2025-10-24
4
+
slug = "github-phishing"
5
+
description = "the creators certainly didn't execute this very well"
6
+
7
+
[taxonomies]
8
+
tags = ["phishing"]
9
+
+++
10
+
11
+
I received an email yesterday at `19:45 EST` titled `[yccombinator/-notification] Y-Combinator W2026 | $15M Y-Combinator & GitHub (Issue #126)`. From a quick glance it was easy to tell that it was a phising email funneling people to `https://y-comblnator.com/apply`. They did at least try to disguise the link but then there is a ton of whitespace and you can see that they tagged 32 github users including mine.
12
+
13
+
<!-- more -->
14
+
15
+
{{ img(id="https://hc-cdn.hel1.your-objectstorage.com/s/v3/47a842d35a86d6ac16d717b40ee69f2f801ff852_screenshot_2025-09-23_at_21.23.19.png" alt="a screenshot of the email" caption="I've never seen something simultaniously this stupid and (as far as i can tell) novel") }}
16
+
17
+
Like most phishing emails I doubt most people would fall for this but if you were moving quickly and not thinking straight maybe you could fall for this?
18
+
19
+
Cloudflare has blocked the site due to phishing by now (13:17 Sept 24th) which is a shame since I would have loved to dig into the site a bit.