I've seen a recent surge in phishing attempts that post a markdown phishing message as an Issue in order to trigger GitHub to (legitimately) send an email that looks like a security warning to all repo followers.
For example: https://github.com/aojibril, https://github.com/transporindo, https://github.com/kirukatodrag
GitHub has long been bad at notifying me of anything. It’s usually nonstop spam from every repo I've ever interacted with. I wish they’d figure out how to filter down the noise to important notifications.
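
A mail-side triage heuristic for the issue-triggered notification phishing described above, as an added example that is not part of the original comments. The `Message-ID` layout and `X-GitHub-Sender` header are assumptions about GitHub's notification mail, the wording list is illustrative, and the sample message is constructed.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed GitHub notification format: issue mail carries a Message-ID like
# <owner/repo/issues/N@github.com> and an X-GitHub-Sender header.
ISSUE_ID = re.compile(r"<([^/\s<>]+/[^/\s<>]+)/issues/(\d+)(?:/[^@\s]*)?@github\.com>")
# Illustrative wording list; tune it to the alerts your users really receive.
ALERT = re.compile(r"security (alert|warning|notice)|unusual (access|sign-in)|verify your account", re.I)
URL = re.compile(r"https?://[^\s<>\"')\]]+")
TRUSTED = ("github.com",)  # github.io and similar host user content, so not listed

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Flag issue-generated mail that imitates an alert and links off GitHub."""
    msg = message_from_string(raw, policy=policy.default)
    m = ISSUE_ID.search(str(msg.get("Message-ID", "")))
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    hosts = {urlparse(u).hostname or "" for u in URL.findall(text)}
    offsite = sorted(h for h in hosts if h and not is_trusted(h))
    alert = bool(ALERT.search(f"{msg.get('Subject', '')}\n{text}"))
    return {
        "repo": m.group(1) if m else None,
        "issue": int(m.group(2)) if m else None,
        "opened_by": msg.get("X-GitHub-Sender"),
        "alert_wording": alert,
        "offsite_hosts": offsite,
        "suspicious": bool(m) and alert and bool(offsite),
    }

# Constructed sample, not a real message.
SAMPLE = """\
From: constructed-user <notifications@github.com>
Subject: [example-org/example-repo] Security Alert: unusual access (Issue #42)
Message-ID: <example-org/example-repo/issues/42@github.com>
X-GitHub-Sender: constructed-user
Content-Type: text/plain; charset=utf-8

Security Alert: we detected unusual access to your account.
Review it here: https://github-support.example.net/verify

Reply to this email directly or view it on GitHub:
https://github.com/example-org/example-repo/issues/42
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The point of the check is that the message is authentic GitHub mail, so SPF/DKIM results say nothing here; what gives it away is that the "alert" is the body of an issue opened by an arbitrary account.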