A large-scale phishing campaign is targeting software developers on GitHub, using fake Visual Studio Code security alerts posted in GitHub Discussions to trick users into downloading malicious software. <\/p>\n
The attacks are designed to look like legitimate security advisories, warning developers of critical vulnerabilities in VS Code and urging them to install a so-called \u201cpatched\u201d version through an external link.<\/a><\/p>\n The campaign surfaced through thousands of near-identical posts flooding GitHub repositories within minutes of each other. <\/p>\n Each post mimics an official security advisory, carrying alarming titles such as\u00a0\u201cVisual Studio Code \u2013 Severe Vulnerability \u2013 Immediate Update Required,\u201d\u00a0\u201cCritical Exploit \u2013 Urgent Action Needed,\u201d\u00a0and\u00a0\u201cSevere Threat \u2013 Update Immediately.\u201d\u00a0<\/p>\n The posts often reference fabricated CVEs and fake version ranges to make the warnings appear credible. <\/p>\n Since GitHub Discussions automatically trigger email notifications to repository participants and watchers, these fake alerts are also delivered directly to developers\u2019 inboxes, extending the campaign\u2019s reach far beyond the platform itself.\u00a0<\/p>\n Socket.dev analysts identified the campaign<\/a> as a coordinated spam operation, noting that posts were being created by newly created or low-activity accounts, tagging large numbers of developers across unrelated repositories for maximum exposure. <\/p>\n The researchers found that the campaign abuses GitHub\u2019s own notification system to make fake alerts appear both urgent and legitimate \u2014 a tactic that reduces a developer\u2019s natural skepticism when reading what looks like a trusted platform warning.<\/a><\/p>\n Each fake Discussion includes a link to download the supposed updated version of VS Code, but these links point to file-sharing services rather than official distribution channels. <\/p>\n Legitimate VS Code<\/a> updates are never distributed this way, yet the urgency built into these posts is enough to push developers into clicking without hesitation. <\/p>\n The attack blends smoothly into GitHub\u2019s collaborative environment, turning a developer\u2019s everyday workspace into a delivery channel for malware.<\/a><\/p>\n The scale of the campaign makes it particularly alarming. Hundreds to thousands of these posts appeared across GitHub search results in rapid succession, pointing to a heavily automated operation. <\/p>\n The fact that developers are being targeted inside a platform they trust daily, rather than through traditional phishing emails, marks a notable shift in how attackers approach developer-focused threats.<\/a><\/p>\n Socket.dev analysts traced one of the payloads linked in the fake Discussions and uncovered a carefully built multi-step redirection chain. Clicking the link first routes the victim through a Google share endpoint. <\/p>\n From there, the path splits based on whether the user\u2019s browser carries a valid Google cookie. Users with a cookie are automatically sent via a 301 redirect to the attacker-controlled domain,\u00a0drnatashachinn[.]com, which functions as the campaign\u2019s command-and-control server. <\/p>\n Users without a cookie are served a fingerprinting page directly from the Google endpoint, likely as a fallback to filter out bots and automated security scanners<\/a>.<\/a><\/p>\n Once a real user lands on the attacker\u2019s infrastructure, an obfuscated JavaScript payload executes immediately. <\/p>\n The script gathers browser fingerprint data, including timezone, locale, platform, user agent, and automation signals like\u00a0 A hidden iframe further cross-checks the user agent to detect spoofed environments. All collected data is then silently submitted to the attacker\u2019s endpoint via an automatic POST request, requiring no interaction from the victim. <\/p>\n This profiling stage acts as a filtering layer, sorting real users from scanners before routing confirmed targets to a follow-on payload, such as a phishing page or exploit kit.<\/a><\/p>\n Developers should treat all unsolicited security alerts<\/a> in GitHub Discussions with caution, especially when posts include external download links, unverifiable CVE references, urgent install instructions, mass tagging of unrelated users, or content from recently created accounts. <\/p>\n Security updates for VS Code should always be verified through official Microsoft channels only, and any suspicious Discussion should be reported directly to GitHub for review.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Fake VS Code Security Alerts on GitHub Used to Push Malware in Widespread Phishing Campaign<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Fake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhjHTeUUqzROJSlo7jcwc7O_qjUyQ82IxJc18aselm7EJbpZwxz6bCiPmdzEInsGJzRuY4Q2tjAzIwfIf9VTmYthMeHWE9s2uQu_F7CCkPe_i_gu_DiObqwHzQTbCQciSGScC57vI4S5XqPttTirac53udUVdWqRkQ3rkOWPxNNPvafhosNngLLAIQZlQ4\/s16000\/Fake%2520GitHub%2520Discussion%2520Alert%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\")
Multi-Step Redirection and Browser Fingerprinting<\/strong><\/h2>\n
navigator.webdriver<\/code>, used to identify whether the visitor is a real person or a bot. <\/p>\n