# kyriework.github.io — MALICIOUS > kyriework.github.io poses as a legitimate GitHub Pages site but is a credential theft page flagged by 15/95 VirusTotal vendors. Avoid entering any login details. ## Summary PhishDestroy identifies kyriework.github.io as an active credential theft page designed to harvest GitHub and other service credentials under the guise of a legitimate GitHub Pages site. This domain specifically mimics GitHub-hosted content to deceive users into entering login credentials, passwords, or two-factor authentication tokens into fraudulent forms that exfiltrate data to attacker-controlled servers. The page is hosted on GitHub’s infrastructure but does not belong to any legitimate GitHub user or organization, making it a classic supply-chain abuse scenario leveraging GitHub’s reputation to bypass initial scrutiny. Users who land on this page are immediately prompted to log in, at which point any credentials entered are transmitted to the attacker rather than GitHub’s authentication service. This technique exploits user trust in well-known domains and is particularly effective against developers, DevOps engineers, and IT professionals who frequently access GitHub. This domain was flagged by 15 out of 95 security vendors on VirusTotal, indicating elevated risk and widespread detection by endpoint, network, and email security tools. It is registered through GitHub, Inc., which is unusual for phishing domains typically registered through obscure or bulletproof registrars—this further highlights the abuse of legitimate hosting infrastructure. The domain resolves to IP address 185.199.108.153, part of GitHub’s Pages hosting network (185.199.108.0/22), which is commonly used for static site hosting. Despite using a Let’s Encrypt SSL certificate to appear legitimate, the mismatch between the certificate’s subject and the actual content provider (GitHub Pages vs. a third-party page) is a red flag. The certificate was issued for github.io, which is the legitimate root domain for GitHub Pages, but kyriework.github.io is a subdomain under the attacker’s control, creating a clear misalignment that browsers and security tools can detect. The combination of GitHub hosting, a valid but misused SSL certificate, and partial VirusTotal detection suggests this is an ongoing, evolving campaign likely using automated or semi-automated deployment to evade takedown. If you visited kyriework.github.io, do not enter any credentials or personal information. Assume your GitHub or related service credentials may have been compromised and take immediate action: change your GitHub password using a known good connection or device, enable two-factor authentication (2FA) if not already active, and revoke any suspicious OAuth tokens or SSH keys under your account settings. Review your GitHub account activity for unauthorized access, especially recent logins from unknown locations or devices. If you entered your GitHub credentials on this page, also check your email for any security alerts from GitHub, scan your local machine for malware, and monitor your accounts for signs of credential stuffing or data exfiltration. Avoid reusing passwords across services and consider using a password manager with breach monitoring. To protect others, report this domain to GitHub Support and your organization’s security team if it was accessed using a work account. Always verify URLs carefully and use bookmarks or trusted links for accessing GitHub or other sensitive services. ## Threat Details - Verdict: MALICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: GitHub, Inc. - IP: 185.199.108.153 ## Detection Status - VirusTotal: 15 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/2a88bacd-9458-4c4f-9faf-d34b12ce41a1 - PhishDestroy: https://phishdestroy.io/domain/kyriework.github.io/ - LLM endpoint: https://phishdestroy.io/domain/kyriework.github.io/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/kyriework.github.io/ Last updated: 2026-03-23