GitHub developers targeted by fake VS Code alerts spreading malware

News
By published

The 'Discussions' section is being manipulated

GitHub Webpage
(Image credit: Gil C / Shutterstock)
  • Socket uncovers large-scale GitHub spam campaign abusing “Discussions” notifications
  • Fake advisories with bogus CVEs trick developers into downloading malware via cloud-hosted links
  • Thousands of identical posts observed, showing coordinated effort to target developer credentials and projects

Cybercriminals are tricking GitHub into sending out fraudulent email notifications, luring software developers into downloading malware, experts have warned.

Security researchers Socket, who said they observed a large-scale, coordinated spam campaign targeting developers on various projects.

GitHub has a section called “Discussions”, which is essentially a forum for discussing various projects. When a developer participates in, or monitors a topic, they get notified via email when something gets posted.

Article continues below

Large-scale campaign

Now, Socket says criminals are posting fake advisories with titles such as “Severe Vulnerability - Immediate Update Required”. These advisories, often with fake CVE IDs, are posted by either brand-new accounts, or old, inactive ones likely stolen elsewhere.

Once the “warning” is posted, GitHub mails the participants who, if they don’t spot the trick, end up downloading malware. The advisories contain a link to “patched” versions of impacted VS Code extensions, hosted on Google Drive and other cloud storage services.

Clicking on the link sends the victim through a series of redirects, grabbing data along the way, and making sure to present malware only to validated victims. Hence, Socket was not able to download the final payload and thus does not know what it is. It’s safe to assume it is an infostealer, though, as software developers are often targeted for their access to valuable projects, or for cryptocurrency wallets they have installed in their browsers.

The campaign seems to be well-organized and rather large, Socket says. It casts a wide net, trying to infect as many GitHub users as possible.

“Early searches show thousands of nearly identical posts across repositories, indicating this is not an isolated incident but a coordinated spam campaign,” Socket said.

“Because GitHub Discussions trigger email notifications for participants and watchers, these posts are also delivered directly to developers’ inboxes.”

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.