Using GitHub API to Remove Phishing Notifications

Manage unwanted GitHub notifications, particularly phishing attempts that can’t be deleted through the web interface. This post covers installing the GitHub CLI and jq, then using them to find and delete notifications via the GitHub notifications API.

Image illustrating GitHub-targeted phishing attacks

It’s so frustrating to see inbox badges for notifications that are actually phishing attempts from bogus repositories. The GitHub web interface doesn’t allow you to delete them (or even view them) once they’ve been discovered. So how do you delete GitHub inbox items which you cannot see? Here’s how to use the GitHub notifications API.

Install the Tools

You’ll need the GitHub CLI and jq.

For Windows users, you could use winget in PowerShell. I’ve been using Windows again, after using Macs for a long time and spending years using Unix/Linux hosting environments.

I’ve decided I like using winget for upgrades and installations over the download and installation through .exe, .msi and UI (Windows Updates). I try to avoid the variety of installers (brew, pip, uv, npm, etc.) and I like the simplicity of winget as an analog to apt-get.

> winget install --id GitHub.cli -e

You can see more about the installation instructions at https://github.com/cli/cli#installation

> winget install --id jqlang.jq -e

You can see more about the installation instructions at https://jqlang.org/download

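With winget and PowerShell, you need to reopen your shell. You may be able to avoid that if you use this command to refresh your path.

# Rebuild the session PATH from both the machine and user values, so per-user installs are found too
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")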

Check that things are working by getting the version of each tool. 

> gh --version
gh version 2.80.0 (2025-09-23)
https://github.com/cli/cli/releases/tag/v2.80.0

> jq --version
jq-1.8.1

Authenticate the CLI

When you first use the GitHub CLI, you’ll need to authenticate with your GitHub account.

I found it confusing when looking for the authentication codes, which are in a pattern like [][][][]-[][][][] which is not your normal MFA code.

TIP: It’s actually printed on the command line right before the URL. 

I apparently am in the bad habit of NOT reading all the text that gets dumped to my terminal. 

Use the API to find/delete the notification

If you have other notifications, about PRs or other work, you’ll have to comb through the notifications to find the culprit. In my example, I only have one notification, and I remembered seeing it come across so I would recognize the weird repository anyway.

$ gh api notifications | jq '.[] | { id, title: .subject.title, repo: .repository.full_name }'
{
  "id": "19143550185",
  "title": "Y Combinator | $100M W2026 with GitHub [2025]",
  "repo": "ycombinatorrr/ycombinator-notification"
}

Then use the API to delete the notification by ID:

$ gh api --method DELETE notifications/threads/19143550185
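
When a bogus repository has left more than one thread, the list and delete steps above can be combined into one pass. This is an added example, not code from the original post: it is POSIX shell (Git Bash or WSL on Windows), and the function names and every sample entry except the first are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): dismiss every notification
# thread that comes from one named repository. Needs gh and jq on PATH.

# Constructed sample of `gh api notifications` output, trimmed to the fields
# used here. Only the first entry comes from the post; the rest are made up.
SAMPLE_JSON='[
 {"id":"19143550185",
  "subject":{"title":"Y Combinator | $100M W2026 with GitHub [2025]"},
  "repository":{"full_name":"ycombinatorrr/ycombinator-notification"}},
 {"id":"1000000001","subject":{"title":"Fix flaky test"},
  "repository":{"full_name":"example-org/example-repo"}},
 {"id":"1000000002","subject":{"title":"Unrelated look-alike"},
  "repository":{"full_name":"ycombinatorrr/ycombinator-notification-2"}}
]'

# stdin: notifications JSON. stdout: "id<TAB>title" for threads whose
# repository.full_name is exactly $1, so look-alike names are not swept up.
# @tsv escapes tabs and newlines in the sender-chosen title.
match_threads() {
  jq -r --arg repo "$1" '
    .[] | select(.repository.full_name == $repo)
        | [.id, .subject.title] | @tsv'
}

# stdin: notifications JSON. stdout: thread count per repository, busiest
# first, to help spot the repository you do not recognise.
count_by_repo() {
  jq -r '.[].repository.full_name' | sort | uniq -c | sort -rn
}

# purge_repo OWNER/NAME           -> list what would be removed (dry run)
# purge_repo OWNER/NAME --delete  -> actually remove the threads
purge_repo() {
  tab=$(printf '\t')
  gh api --paginate notifications | match_threads "$1" |
  while IFS="$tab" read -r id title; do
    case "$id" in ''|*[!0-9]*) continue ;; esac  # only numeric ids reach the URL
    if [ "${2:-}" = "--delete" ]; then
      gh api --method DELETE "notifications/threads/$id" </dev/null && echo "deleted $id"
    else
      echo "would delete $id  $title"
    fi
  done
}
```

Run `purge_repo ycombinatorrr/ycombinator-notification` first to review the list, then repeat with `--delete` as the second argument.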
