Is this a spam mail? And has my account been hacked?

[minirang]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

Other

Body

When I woke up, I found three emails like this. One of them warns of a serious security risk and tries to get me to go to a share.google link, but I'm asking just in case. Was my account hacked? Was my token leaked? Do I need to change my password? I'm so confused and scared right now. Is there anyone who can help me?

[ayushcmd]

Your account is completely safe — you were not hacked.
When I read this, the first thing that came to my mind was my senior. He went through the exact same thing. When he told me about it I finally understood how convincing it looks because the email actually comes from notifications@github.com — GitHub's own domain, which is why it felt so real and official.
Here is what actually happened. A spam account created a fake repository, wrote a fake security alert Discussion with a made-up CVE number and researcher name, then mass @mentioned 30 plus random GitHub users including you. GitHub's own notification system delivered it straight to your inbox.
No token leaked. No breach. Nothing was compromised.
Just do not click that Google Drive link and report the repo forkjumperyank/VSCodeBuild-95589 to GitHub. My senior felt exactly the way you feel right now and he was completely fine. So are you.

[minirang]

Thank you so much! 😭