Ghost issues in deleted repos being misused for crypto spamming

[PierreFritsch]

Select Topic Area

Bug

Feature Area

Issues

Body

I got spam that was sent as a notification out of a GitHub issue. The notification originates from an organization/repo that seems to have been set up so that a bot can create issues and thus send automated notifications using a bunch of at-mentions at the bottom of the message.

The GitHub help explains that, to report an issue as spam, I should click on the Report content button, but the issue was already deleted (maybe as part of the spamming process?) and there's no such button on the 404 page...

Same about the repo and the organization: Both are deleted. Also, I cannot report the sender, it seems to be a bot ("auto-mail-to[bot]") so that I'm clueless about how to report that...

I'd expect a way to report spam on deleted issues / repos / organizations -- or to find out that, for a given issue / repo / organization, it's already been taken care of. The error 404 page does not indicate if the repo was deleted by the spamming script itself, or because someone else already reported it.

Related discussions :

• Scam/Phishing Alert: Fake GitHub Notification Email Impersonating Gitcoin Fund - The GitHub teams are working on taking down (another?) scam phishing campaign and automatically deleting the ghost notifications
• Spam with the keywords "git coin", "paradigm", "ycombinator" => Git Coin Community SPAM

Guidelines

• I have read the above statement and can confirm my post is relevant to the GitHub feature areas Issues and/or Projects.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[ilko-nikolov]

Just got the same email on my work email. My work account is @ tagged, along with many other accounts from the same alphabetical range.

[VinDuv]

I’ve got the same email; in my case, it was from issue 110 on the same repo. I guess GitHub limits the number of mentions per issue to 50, so the spammer had to create a bunch of identical issues in order to mention everyone.
Extrapolating from the issue number in the mail, I guess the spammer created ~120 issues and spammed ~6000 people.
One thing that bugs me is that GitHub says that I have an unread notification (the spam one), but it doesn’t display it and I can’t mark as read. This tells me that the repository may have been set to private instead of deleted (or maybe it was successfully reported and hidden from view while GitHub investigates?)

[dimateos]

Same, the notification can't be marked as read inside the notifications tab:

[freearhey]

As a temporary solution, you can mark all notifications as read via GitHub API:

1. First, you need to create a PAT with the “notifications” scope. (https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)
2. Send a request like this:

curl -H "Authorization: bearer $TOKEN" -X PUT -H "Accept: application/vnd.github.v3+json" https://api.github.com/notifications -d '{"read":true}'

[neverping]

As a temporary solution, you can mark all notifications as read via GitHub API:

1. First, you need to create a PAT with the “notifications” scope. (https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)

2. Send a request like this:

curl -H "Authorization: bearer $TOKEN" -X PUT -H "Accept: application/vnd.github.v3+json" https://api.github.com/notifications -d '{"read":true}'

I have installed the GitHub client (the gh command available here https://cli.github.com/) and the "one-line command" would be this:

curl -H "Authorization: bearer $(gh auth token)" -X PUT -H "Accept: application/vnd.github.v3+json" https://api.github.com/notifications -d '{"read":true}'

[nickofthyme]

Could also just do...

gh api /notifications -X PUT -f read=true

[stoilis]

Got the same. Issue link was plasma-ping/plasma.to#82

[itsjavi]

same issue, in my case the repo was ycombinatoor/ycombinator-co, if that helps

[akorutant]

Same for me:

[ping-plasma/plasma.to] Plasma Foundation | Over USD 2.4B TVL & 54.02% APY, XPL and Staking Rewards (Issue #154)

[pixleight]

Also got the crypto spam, from plasma-signal/plasma.to#234

[kn1ghtm0nster]

Just checked my notifications and I also got something similar. The difference is that I can't even see the repo period. No issue number mentioned or anything. Super weird but I guess time to change passwords...yay.

[patressz]

Same for me.

[nycnewman]

Seeing the same issue. Reported at Support ticket. Abuse process is not usable for this situation.

[apollo7321]

Same for me, no way to delete the notification.

[nycnewman]

Github Support have confirmed they have shutdown the cause of this issue.

[bjoernager]

I still can't get rid of the notification.

[apollo7321]

same here, it is still visible.

[Nikofaze009]

If the notification is stuck in your inbox, you can mark it read via the web UI (bell → Inbox → Done/Mark as read).

If the repo is gone and it won’t clear, you can use the API or GitHub CLI to mark the thread read:

gh api notifications?all=true | jq -r 'map(select(.unread) | .id)[]'
| xargs -n1 -I{} gh api -X PATCH notifications/threads/{}

(This just clears the notification; it doesn’t report the spam.)
Try this hope it works

[the-vampiire]

FYI for anyone else scrolling here. run the command from @mikecentola a few threads down.

if you run this one (the fixed version in the next thread) it will clear the notifications but the repos will be permanently stuck since you need their notification IDs to wipe them.

the extended command from @mikecentola will delete the notifications then output their IDs so you can use them to wipe the stuck repos on the sidebar

[Nikofaze009]

gh api notifications?all=true | jq -r 'map(select(.unread) | .id)[]' \
  | xargs -n1 -I{} gh api -X PATCH notifications/threads/{}

[apollo7321]

this actually worked, although I can still see the plasma.to repository in the sidebar.

thank you

[Nikofaze009]

Always at service 🙌

[itsjavi]

thanks! it also worked for me but had to quote the URLs

gh api 'notifications?all=true' | jq -r 'map(select(.unread) | .id)[]' \
  | xargs -n1 -I{} gh api -X PATCH 'notifications/threads/{}'

[Nikofaze009]

Awesome glad it worked for you!
Yeah quoting the URLs is a good call some shells can misread the ? if it’s unquoted.

[einarwar]

Got the same "stuck" notification, from plasma-network/plasma.to

[Nikofaze009]

Try the web UI first: click the bell -> Inbox, use the filters (for example is:unread) and choose Mark as read
/or Done.
If the repo is already deleted and the unread count won’t clear, you can use the GitHub CLI to mark it read

gh api 'notifications?all=true' | jq -r 'map(select(.unread) | .id)[]' \
  | xargs -n1 -I{} gh api -X PATCH 'notifications/threads/{}'

(This only clears the notification; it doesn’t report the spam.)

Report the abuse
Even if the repo/issue is gone, you can still report it at
https://github.com/contact/report-abuse.
Include any screenshots or links you have (even if they now return 404) so GitHub can track the spammer.

[mikecentola]

@Nikofaze009 I couldn't get yours to work, but I was able to both remove the notification and the repo from the list on the side with this:

gh api 'notifications?all=true' | jq -r 'map(select(.unread) | .id)[]'

gh api --method DELETE -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' notifications/threads/[INSERT_ID_FROM_ABOVE]

[apollo7321]

gh api 'notifications?all=true' | jq -r 'map(select(.unread) | .id)[]' does not return anything for me :(

[mikecentola]

@apollo7321 do you have jq installed on windows? Try running just the first part of the command in front of the pipe and put it into notepad or something and see if you can grab the ID that way.

[the-vampiire]

what a bummer. i tried @Nikofaze009 first and it did delete the notifications. but now i cant get the IDs to remove the repos 😭

[the-vampiire]

@apollo7321 i found a way to fix it for those of us who already cleared the notifications before seeing @mikecentola solution

https://github.com/orgs/community/discussions/174831#discussioncomment-14659923

[awolfson]

Thank you!!!

[TarasKovalenko]

For Windows users, you can use the next command:

gh api 'notifications?all=true' | ConvertFrom-Json | Where-Object unread | ForEach-Object { gh api --method DELETE -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' "notifications/threads/$($_.id)" }

[gxanshu]

getting same issue

[mezotaken]

Solutions above deal with the notification, but they won't remove the repo subscription, hence it's stuck forever in "Repositories" list.
Tried to clear it with delete subscription api, it will only return 404, so idk how to deal with that.

[mikecentola]

The one I posted removed it from my repo list as well. Do you have multiples that you need to remove?

[Nikofaze009]

Unfortunately there’s currently no public API or UI action that can remove a subscription for a repo that no longer exists. GitHub has to clear those references internally.

[Nikofaze009]

Submit a report to GitHub Support via https://github.com/contact.

Choose Report a bug >“Notifications or subscriptions”.

Include the repo name (for example plasma-network/plasma.to) and mention that the subscription delete API returns 404.

Mention that it’s causing a stuck entry in your “Repositories” list, so they can manually clear it from your account.

There isn’t a client-side workaround for this yet, but support can remove the orphaned subscription on their end.

[the-vampiire]

this is a pain in the ass but for anyone else wanting to solve this themselves that cleared notifications before seeing @mikecentola solution.

get hidden repo names:

1. go to https://github.com/notifications
2. open dev tools / F12
3. paste this (using xpath so it should be portable)

Array.from(
  $x("html/body/div[1]/div[6]/main/div/div[2]/nav/div[1]/nav/nav-list/nav-list-group/action-list/div/ul")[0].childNodes
)
  .filter(e => !!e.attributes)
  .map(e => e.childNodes[1].childNodes[1].childNodes[0].data.trim())
  .join(',')`

if the xpath changes this <ul> is what you want to target, then just replace the $x(...)[] part with $0

6. the result should be all the owner/repo names in that sidebar as a CSV. i have already cleared mine so it only shows this community thread, yours will have the hidden repos too)

7. copy the CSV or remove any threads you want to keep so you end up with just the list of the hidden repos you want to remove then copy
8. copy the command below and replace PASTE_CSV_HERE with your CSV string from step 7.
9. IMPORTANT when you paste you need to change the single-quotes to double-quotes so its valid JSON for jq. if you dont do this you will get this error jq: invalid JSON text passed to --argjson

• when you copy from dev tools it will look like this: 'owner/repo,owner2/repo2,...' (single quotes)
• when you paste you need "owner/repo,owner2/repo2,..." (double quotes)
• so you will end up with ...jq --argjson repos '["owner/repo,owner2/repo2,..."]'...

single line for pasting

gh api 'notifications?all=true&participating=true' | jq --argjson repos '[PASTE_CSV_HERE]' '[ .[] | select(.repository.full_name | IN($repos[])) | {id, full_name: .repository.full_name} ]' | jq -r '.[] | "\(.id) \(.full_name)"' | while read id full_name; do echo "deleting notifications for $full_name"; gh api --method DELETE -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' notifications/threads/$id; done

split up for reading

gh api 'notifications?all=true&participating=true' \
  | jq --argjson repos '[PASTE_CSV_HERE]' '[ .[] | select(.repository.full_name | IN($repos[])) | {id, full_name: .repository.full_name} ]' \
  | jq -r '.[] | "\(.id) \(.full_name)"' \
  | while read id full_name; \
      do echo "deleting notifications for $full_name"; \
      gh api --method DELETE -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' notifications/threads/$id; \
    done

here is the exact command i ran with output:

gh api 'notifications?all=true&participating=true' | jq --argjson repos '["kamino-fi/kamino-finance","gitcoin-communlty/gitcoin-co","update-mail/gitcoin.com","gitcoindaoor/gg","yccombinator/-notification","paradigm-notification/paradigm","capital-paradigm/paradigm"]' '[ .[] | select(.repository.full_name | IN($repos[])) | {id, full_name: .repository.full_name} ]' | jq -r '.[] | "\(.id) \(.full_name)"' | while read id full_name; do echo "deleting notifications for $full_name"; gh api --method DELETE -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' notifications/threads/$id; done
deleting notifications for capital-paradigm/paradigm
deleting notifications for paradigm-notification/paradigm
deleting notifications for yccombinator/-notification
deleting notifications for gitcoindaoor/gg
deleting notifications for update-mail/gitcoin.com
deleting notifications for gitcoin-communlty/gitcoin-co
deleting notifications for kamino-fi/kamino-finance

result:

[oliver139]

Same here :(

[RampantDespair]

Yup, same thing on my end...

[BornToBeRoot]

Same issue

[gxanshu]

run

gh api 'notifications?all=true' | jq -r 'map(select(.unread) | .id)[]'

then whatever it returns put in next command

gh api --method DELETE -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' notifications/threads/<put-the-number-here>

this solved my issue in Fedora Linux. i think it will work everywhere just install GH cli

[BornToBeRoot]

Thanks!!!

Here a Windows/PowerShell version:

(gh api 'notifications?all=true') | ConvertFrom-Json | where {$_.unread -eq $true}

gh api --method DELETE -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' notifications/threads/<ID>