In a cunning twist on developer trust, threat actors have unleashed a large-scale phishing operation inside GitHub, flooding Discussions with bogus Visual Studio Code (VS Code) security alerts.
These posts trick developers into clicking malicious links that lead to sophisticated reconnaissance malware. First spotted on March 26, 2026, the campaign spans thousands of repositories, leveraging GitHub’s notification system to spam inboxes far and wide.
Security researcher Richard Bown highlighted the threat on Bluesky, warning VS Code users against clicking links in suspicious posts.
An archived example from the NaturalSkinkBarn/VSCodeRelease-59130 repo shows the scam in action: fake alerts scream “Visual Studio Code Severe Vulnerability Immediate Update Required,” citing phony CVEs and urging downloads from external sites like Google Drive. Similar posts from fresh or low-activity accounts appear en masse, hundreds within minutes, across repos like ParrotCanyon/CriticalPatch-99571.
Attackers skip traditional emails or npm packages, instead weaponizing GitHub Discussions. They post near-identical templates with tweaks, tag hordes of developers, and impersonate maintainers or researchers.
This triggers email notifications for watchers and participants, amplifying reach beyond the platform. The urgency mimics real advisories, eroding skepticism in GitHub’s trusted ecosystem.
Clicking the bait leads to a multi-stage payload chain:
- Initial Redirect: Links hit share.google endpoints.
- Cookie-Based Routing: Requests with Google cookies (common for devs) get a 301 redirect to drnatashachinn[.]com, a command-and-control (C2) domain. Cookieless traffic (e.g., bots) lands on a fingerprinting page.
- JavaScript Recon: Obfuscated JS grabs browser intel (timezone, user agent, platform, navigator.webdriver as an anti-bot check, and the URL hash for tracking), then auto-POSTs it back via a hidden form. No credentials are stolen and no malware is dropped at this stage; it’s a traffic distribution system (TDS) filtering real victims for later exploits.
Deobfuscated snippet reveals the stealth:

```javascript
let d = -new Date().getTimezoneOffset(); // UTC offset in minutes (sign flipped so east of UTC is positive)
let su = navigator.userAgent; // User agent
// ... (full fingerprint data POSTed silently)
```
Evasion tricks include CSS hue-rotate filters, iframe UA checks, and array-shuffled strings.
GitHub’s legitimacy, alert FOMO, mass @mentions, and repetition make this sticky. Even 1% conversion yields wins for attackers. Socket.dev’s analysis flags it as evolving, blending social engineering with platform abuse.
Red flags to watch for:
- Unsolicited Discussions with external downloads.
- Fake CVEs or “urgent update” demands.
- Mass tags from newbie accounts.
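As an added example (not code from the article or from Socket.dev), a small Python triage heuristic that scores a Discussion post against the red flags above: urgent-update wording, a CVE cited alongside an off-platform download, file-sharing hosts, a young author account, mass @mentions, and the throwaway repo naming seen in the campaign. Field names, thresholds, the trusted-host list and the sample posts are assumptions.

```python
import re
from urllib.parse import urlparse

# Heuristics modelled on the campaign traits described above; thresholds are assumptions.
URGENCY = re.compile(r"(severe|critical) vulnerability|immediate(ly)? update|update required|critical patch", re.I)
CVE = re.compile(r"CVE-\d{4}-\d{4,}", re.I)
URL = re.compile(r"https?://[^\s)>\]\"']+", re.I)
TRUSTED_HOSTS = {"github.com", "code.visualstudio.com", "marketplace.visualstudio.com", "microsoft.com"}
FILE_SHARE_HOSTS = {"drive.google.com", "docs.google.com", "share.google"}
THROWAWAY_REPO = re.compile(r"^[A-Za-z]+(Release|Patch|Update|Alert)-\d{4,}$")

def host_of(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def score_post(post):
    """Return (score, reasons) for a Discussion post dict; one point per red flag hit."""
    text = f"{post['title']}\n{post['body']}"
    reasons = []
    if URGENCY.search(text):
        reasons.append("urgent-update language")
    external = sorted({host_of(u) for u in URL.findall(text)} - {""})
    external = [h for h in external if not is_trusted(h)]
    if external:
        reasons.append("external download hosts: " + ", ".join(external))
    if any(h in FILE_SHARE_HOSTS for h in external):
        reasons.append("file-sharing link offered as a 'patch'")
    if CVE.search(text) and external:
        reasons.append("CVE cited but fix hosted off-platform")
    if post.get("author_age_days", 10**6) < 30:          # assumed threshold
        reasons.append("new or low-activity author")
    if post.get("mention_count", 0) >= 10:               # assumed threshold
        reasons.append("mass @mentions")
    if THROWAWAY_REPO.match(post.get("repo", "").split("/")[-1]):
        reasons.append("throwaway repo name pattern")
    return len(reasons), reasons

def flagged(post, threshold=3):
    return score_post(post)[0] >= threshold

# Constructed samples: a lure shaped like the archived post above (CVE id is a placeholder), and a benign thread.
LURE = {"repo": "NaturalSkinkBarn/VSCodeRelease-59130",
        "title": "Visual Studio Code Severe Vulnerability Immediate Update Required",
        "body": "CVE-0000-00000 affects all versions. Get the patch: https://drive.google.com/file/d/EXAMPLE @dev1 @dev2",
        "author_age_days": 2, "mention_count": 40}
BENIGN = {"repo": "microsoft/vscode", "title": "Extension host crashes on 1.98",
          "body": "Tracked in https://github.com/microsoft/vscode/issues/EXAMPLE", "author_age_days": 900, "mention_count": 1}
```

Running `score_post(LURE)` returns 7 with all seven reasons, while the benign thread scores 0.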
Verify via official VS Code channels (code.visualstudio.com). Report to GitHub support. Enable 2FA, scrutinize notifications, and use tools like Socket or GitHub Advanced Security.
This campaign underscores phishing’s shift to collaborative platforms. As attackers adapt, devs must treat every “critical” ping with suspicion.
Site: cybersecuritypath.com