A massive phishing campaign targeted GitHub users with cryptocurrency drainers, delivered via fake invitations to the Y Combinator (YC) W2026 program.

Y Combinator is a startup accelerator that funds and mentors projects in their early stages, and connects founders with a network of alumni and venture capital firms.

The attacker abused GitHub’s notification system to deliver the fraudulent messages, by creating issues across multiple repositories and tagging targeted users.