GitPhish is an open-source security research tool built to replicate GitHub’s device code authentication flow. It features three core operating modes: an authentication server, automated landing page deployment, and an administrative management interface.

GitPhish can be used through a command-line interface or a web dashboard, and includes logging, analytics, and token management.

“We designed GitPhish explicitly for security teams looking to conduct assessments and build detection capabilities around Device Code Phishing in GitHub. Red teamers can simulate realistic attack scenarios to test organizational resilience, while detection engineers can validate their ability to identify suspicious OAuth flows, unusual GitHub authentication patterns, and potential social engineering attempts,” said Mason Davis, Staff Security Engineer at Praetorian.

Architecture overview

Authentication Server

Flask-based HTTPS endpoint with device code flow implementation

Comprehensive token capture with visitor analytics

Email allowlisting and access control

GitHub Pages Deployment Engine

Automated repository creation and Pages configuration:

Professional template system with multiple presets

Real-time deployment status monitoring

Integration with authentication server endpoints

Administrative Interface

Web-based management dashboard:

Real-time monitoring and analytics

Deployment orchestration and control

Audit logging and reporting

GitPhish is available for free on GitHub.

