Git Coin Community SPAM

[nuxy]

Discussion Type

Product Feedback

Discussion Content

It seems that Github is now being used as a crypto spamming vehicle.

Couldn't this be mitigated by throttling Issue creation?

[Adit122022]

GitHub’s crypto spam problem is out of control, with millions of fake issues and PRs clogging up repos and notifications. Throttling issue creation—especially for new or suspicious accounts—could help slow the spam flood. GitHub already uses throttling to manage system abuse, so expanding it to issues and PRs makes sensegithub.blog+2.
Right now, spammers exploit the lack of limits, creating chaos before disappearing. Stricter throttling, paired with better spam filters, would give maintainers breathing room. It’s not a perfect fix, but it’s a practical step GitHub should take to protect its community. What’s your take—would this help, or is there a better way?

[pavelnikolov]

I got the same scam email from notification-on/gitcoin.com#97

📌 GitHub × Gitcoin Developer Fund 2025

Dear community,

We are excited to introduce the upcoming phase of the GitHub Developer Fund, a joint program with Gitcoin designed to highlight and support those who strengthen open-source technologies and digital public goods.

Your GitHub account qualifies for participation in this phase. We value every type of involvement — from occasional contributions to long-term commitment — as essential to shaping the future of open source.

Program overview:

Funding approach: Quadratic Funding, boosting community influence through a shared pool
Total allocation: $15,000,000 USDC
Eligibility: Active participation and potential future impact — open to everyday contributors and maintainers, not just project founders
Next step:
To secure your preliminary registration and confirm eligibility, please verify your wallet using Gitcoin Passport. This ensures fairness, protects against Sybil attacks, and never requests personal data. Verification takes under a minute: connect your wallet and sign a message.

Please note:
The authorization requires a refundable deposit, which will be fully returned after the process is completed.

📝 Continue with authentication and submission here:  https://github-foundation [dot] com <-- scam website

[Rishikesh63]

gitcoin-dev/gitcoin.com#24
same here

[d0nda]

always check online if something is legit or not and im glad i did just that 🫡.. and my email is being flooded with the same email

[ChengYour]

https://etherscan.io/tx/0x0c8d46ab00b84d2fd51f69af0dd1eabb3e5a52ed23b68a07c10c93cd896a79e4
I lost $7 😂

[d0nda]

yeah you ain't getting it back as they claimed on the email 😅😅

[ChengYour]

yeah, that was the money I used to buy lunch. Now I have to go hungry at noon.

[Cloudef]

Same scam here gitcoin-developers/gitcoin.com#54

[saghm]

I have an unread notification from git-coin-foundation-dao/gitcoin.com that I can't even see, presumably because the organization is private and I'm (obviously) not a member. My notification list is empty, showing "1-0 of 1" for the range at the top of the list. I've been getting spam about cryptocurrency giveaways for weeks, but I only noticed today that this seems to be coming from within Github.

From looking at the security settings on my account, there's no way to block an organization, only individual users, and I can't block a repo that I don't have permissions to see. The documentation on the support site indicates that to report an organization, I need to navigate to its page and click on a button, but that's clearly not possible when the organization is private. This seems like a fundamental issue with Github's permission model. Either they need to prevent people from interacting with users from contexts that aren't visible to the target of the interaction, or they need to provide a mechanism for users to opt-out of those interactions in some way. Otherwise, they're literally just giving spammers free use of their infrastructure.

[benjamincburns]

I wrote a script for removing the phantom notifications. You can find it here: https://github.com/orgs/community/discussions/6874?sort=new#discussioncomment-14481926

For future reference when you encounter another one of these you can report them by visiting the about page for the user in question (e.g. https://github.com/git-coin-foundation-dao) and clicking the "Block or Report" link that's located under their profile picture (just below the "Follow" button. git-coin-foundation-dao has already been banned so that link won't work, but the process works for users that haven't been banned yet.

[Visual-Studio-Coder]

I don't really understand why everyone's complaining... I just read the email I received in my inbox and I dont have any unread notification problems on GitHub.

[gongfuture]

I don't really understand why everyone's complaining... I just read the email I received in my inbox and I dont have any unread notification problems on GitHub.

Actually, I still have this issue :(

After ran the script by @benjamincburns , these notifications disappeared. Thanks a lot!

[muuvmuuv]

Same yes, I opened a ticket at https://support.github.com/ lets see if they fix that for future spam bots

[cmditch]

Very annoying. I have 9 or 10 of these phantom notifications as well.
You are the GOAT @benjamincburns! Thanks for taking the time to write up that script and share it out.

[bisectracky]

I have a similar issue: git-notify-co/gitcoin-co#446)

[mainrs]

gitcoindev-foundation/gitcoin.com#430

[YogevHend]

I got 2 spam mails recently for gitcoin and something else.

[innocentius]

Currently, I recieve a notification icon from that repo, yet I couldn't see anything, nor can I make the notification go away.

[omid-official]

As a workaround of the notification being hidden in the user interface, you can mark it as "done" by using the API:

gh api notifications | jq '.[] | { id, title: .subject.title, repo: .repository.full_name }'

Will list the notification you have received

From the above list, you copy the id of the notification you want to mark a "done", then you replace $THREAD_ID in the following command:

gh api --method DELETE notifications/threads/$THREAD_ID

I had the same problem.
It worked.
Thanks

[rootsongjc]

There is no notification now. Although the two repos had been deleted , they still show there.

[benjamincburns]

I wrote a script for this. It marks the notifications as "done" and unsubscribes so they won't appear in the repository list anymore. You can find the script here: https://github.com/orgs/community/discussions/6874?sort=new#discussioncomment-14481926

[rootsongjc]

@benjamincburns Thank you! It works well.

[guest271314]

So there's no way to do this using the GitHub UI?

[lfir]

Another one repo:gitcoindeveloperdao/gitcoin.com -____-

[saghm]

This doesn't help me at all with the issue I reported above because as I noted, I can't block or report the organization that's spamming me due to it being private. Plenty of other responses here show that I'm not alone in this.

I did get tagged by an additional public one since last night, which I've reported and blocked, but the other one is still there. Given that I have friends and colleagues who have not been spammed like this, it's fairly clear that I'm on some sort of targeted list being used for this sort of thing, and having to try to do Github's work for them to identify this sort of spam is unacceptable. There needs to be a way for me to limit the scope of who is allowed to tag me in arbitrary places I don't care about by people I don't know.

[PPPDUD]

*yawn*...

[rafalohaki]

I hate it grrrrrr

[SHA888]

I think GitHub and Gitcoin should take this seriously by make an official announcement about phising.

[afogue]

Got a notification from gitcoin-dev/gitcoin.com

[mtwzim]

Another one: Gitcoin-Engineer/gitcoin.com#491

[nvrdftd]

Finally, looks like it's been removed

[Nriver]

I’ve created an interactive Python script that removes spam notifications.
✅ No extra dependencies required – no gh cli needed, just a standard Python environment.

https://gist.github.com/Nriver/42feddd2a369a8f1519b47adb81ebef8

---

Demo

---

Results

Before:

After:

[PPPDUD]

LLM?

[ltq918]

The problem persists; clearing the notifications doesn't actually solve the issue. It requires you to constantly clear them, and you still need to remain vigilant; the phishing attempts continue.

[MushR00m]

I think it's funny. Is it difficult for the official to release a button to clean up the notification?

[theblang]

Just got another from paradigmcoo/paradigm

[electron0zero]

it keeps going, tho looks like repos have been taken down

[chandujr]

I'm also facing this issue. It is invisible:

They mentioned me in some repo which I didn't participate:

[bamjun]

https://github.com/orgs/community/discussions/174283#discussioncomment-14527039

you can use this

uvx fown noti delete -r

[malkia]

I'm seeing this too, but other (ycombinator/-co) too -

[OS-of-S]

Same problem.

[bamjun]

Same problem.

https://github.com/orgs/community/discussions/174283#discussioncomment-14527039
@OS-of-S
you can use this

uvx fown noti delete -r

[Firestar-Reimu]

I have the spam of gitcoinmember/gitcoinmember

[bamjun]

https://github.com/orgs/community/discussions/174283#discussioncomment-14527039

you can use this

uvx fown noti delete gitcoinmember/gitcoinmember -r

[bamjun]

🛠️ GitHub Notification Cleaner CLI

A simple CLI tool to delete GitHub notifications by repository.

---

🔐 Login

uvx fown auth login

Authenticate with your GitHub account.

---

🧹 Delete Notifications

uvx fown noti delete -r

Delete all notifications related to a specific repository.
You can use -r or --repo to explicitly set the target repository (owner/repo).

---

💡 Example

[kuolemaaa]

Is it really necessary?

Repositories
Public and private

This application will be able to read and write all public and private repository data. This includes the following:

    Code
    Issues
    Pull requests
    Wikis
    Settings
    Webhooks and services
    Deploy keys
    Collaboration invites

Note: In addition to repository related resources, the repo scope also grants access to manage organization attributes and organization-owned resources including projects, invitations, team memberships and webhooks. This scope also grants the ability to manage projects owned by users.

[jxu]

The irony of a scam project to get rid of notifications of another scam project would be too funny
Although this account looks legit

[ltq918]

While cleanup tools can alleviate the problem temporarily, the real solution is for the developers to: Add filtering capabilities to the notification system.

However, it's unclear whether this is an official channel for reporting issues.

[lukeomatik]

another phantom notification from repo:plasmanotify/plasma.to

[emmanuel-ferdman]

A lot of folks have shared wholesome, creative ways to tackle the notifications mess - most of them wipe all notifications.
If you only want to clear only the ghost ones, then you can use the my tiny GitHub CLI extension until GitHub fixes the bug (🤞):

gh extension install emmanuel-ferdman/gh-gonest
gh gonest

You can find more information about it emmanuel-ferdman/gh-gonest.
Feedback and contributions are very welcome 🙏

[chandujr]

Github should fix this problem asap. Why should we use any third-party scripts to resolve Github's backend issue?

[sigma67]

I agree. It's pretty sad that these haven't been automatically deleted after two weeks.

[malkia]

@emmanuel-ferdman - Thank you so much for this!!!!

malkia@penguin:~$ gh gonest
[INFO] gh-gonest - GitHub Ghost Notification Cleaner
[INFO] Running as GitHub user: malkia
[INFO] Scanning for notifications...
[INFO] Found 1 total notifications
[INFO] Checking for phantom notifications...
[WARN] Found phantom: ycombbinator/-co - Issue: Y-Combinator W2026 | $15M Y-Combinator & GitHub
[INFO] Found 1 phantom notification(s)
[INFO] Cleaning phantom notifications...
[INFO] Cleaned: ycombbinator/-co
[INFO] Cleanup complete!
[INFO] Summary: Successfully cleaned 1
[INFO] Execution completed successfully

It cleared the ycombbinator/-co for me! THANK YOU!!!!

[emmanuel-ferdman]

Happy it worked! May your inbox stay ghost-free 🤞

[chandujr]

For those who don't want to install Github CLI just to solve this problem, you can use these curl commands.

To get unread notifications, run this command:

curl -H "Authorization: token PERSONAL_ACCESS_TOKEN" https://api.github.com/notifications | jq '.[] | { id, title: .subject.title, repo: .repository.full_name }'

Replace PERSONAL_ACCESS_TOKEN with that you get after creating a PAT (Classic) from here: https://github.com/settings/tokens
While creating it, select notifications scope for it. The above command will return an output like this:

{
  "id": "19183534144",
  "title": "Gitcoin | $15M Gitcoin Grants Returns",
  "repo": "gitcoini/gitcoincom"
}

Note the id and pass it onto this command:

curl -X DELETE -H "Authorization: token PERSONAL_ACCESS_TOKEN" https://api.github.com/notifications/threads/ID_HERE

This will clear that notification.