Ethical Hacking News
A large-scale phishing campaign has been targeting developers on GitHub, spreading malware through fake Visual Studio Code (VS Code) security alerts. The malicious posts impersonate real code maintainers or researchers in an attempt to trick users into downloading malware. The campaign appears to be part of a well-organized, large-scale operation rather than a narrowly targeted attack. The threat actors use fake CVE IDs and urgent language to create a sense of legitimacy. Information collected from victims is packaged into a payload and sent to a command-and-control server via a POST request. Users are advised to verify vulnerability identifiers in authoritative sources and to be cautious of unsolicited links or unverifiable CVEs.
In recent weeks, a large-scale phishing campaign has been targeting developers on GitHub, spreading malware through fake Visual Studio Code (VS Code) security alerts. The malicious posts use realistic titles such as "Severe Vulnerability - Immediate Update Required," often combined with fake CVE IDs and urgent language. They are crafted to impersonate real code maintainers or researchers, creating a false sense of legitimacy and tricking users into downloading malware.
Application security company Socket has reported that the activity appears to be part of a well-organized, large-scale operation rather than a narrowly targeted, opportunistic attack. According to Socket researchers, the discussions are posted automatically from newly created or low-activity accounts across thousands of repositories within a few minutes, and they trigger email notifications to a large number of tagged users and followers.
The posts include links to supposedly patched versions of the affected VS Code extensions, hosted on external services such as Google Drive. Hosting the files on Google Drive matters because the service is widely trusted, and that trust is exactly what the attackers exploit to get developers to download the malware.
Data collected from the victim, including timezone, locale, user agent, OS details and indicators of automation, is packaged into a payload and sent to the command-and-control server via a POST request. The threat actor has placed a traffic distribution system (TDS) in front of the infrastructure, a filtering layer that profiles targets and screens out bots and researchers.
This is not the first time that threat actors have abused legitimate GitHub notification systems to distribute phishing and malware. In March 2025, a widespread phishing campaign targeted 12,000 GitHub repositories with fake security alerts designed to trick developers into authorizing a malicious OAuth app that gave attackers access to their accounts. A similar incident occurred in June 2024 when threat actors triggered GitHub’s email system via spam comments and pull requests submitted on repositories to direct targets to phishing pages.
To combat these types of threats, users are advised to verify vulnerability identifiers in authoritative sources such as the National Vulnerability Database (NVD), CISA's catalog of Known Exploited Vulnerabilities, or MITRE's website for the Common Vulnerabilities and Exposures program. Developers should also pause to assess an alert's legitimacy before acting on it, and look for signs of fraud such as external download links, unverifiable CVEs, and mass tagging of unrelated users.
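One way to turn the checks above into a repeatable triage step, as an added example that is not from the article, Socket or GitHub: a Python script that pulls CVE IDs, external file-host links, @-mentions and urgency wording out of a post's text, rejects CVE years that cannot be real, and builds the NVD API 2.0 lookup URL for each remaining ID so it can be verified before any link is followed. The host list, thresholds and sample post are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlparse

# File-hosting domains the article names as abused for "patched extension" downloads (assumed list).
EXTERNAL_DOWNLOAD_HOSTS = {"drive.google.com", "docs.google.com"}
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s)>\]]+")
MENTION_RE = re.compile(r"(?<![\w/])@([A-Za-z0-9][A-Za-z0-9-]{0,38})")
URGENCY_RE = re.compile(r"\b(immediate(?:ly)?|urgent|severe|critical)\b", re.IGNORECASE)

@dataclass
class TriageResult:
    cve_ids: list
    external_links: list
    mention_count: int
    urgent_phrases: int
    signals: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two or more independent fraud signals: treat the post as phishing until verified.
        return len(self.signals) >= 2

def nvd_lookup_url(cve_id: str) -> str:
    """Authoritative record URL (NVD API 2.0) to fetch before trusting any CVE quoted in a post."""
    return f"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={cve_id.upper()}"

def triage_post(body: str, year_now: int = 0) -> TriageResult:
    """Extract the signals the article lists and flag the post if several co-occur."""
    year_now = year_now or date.today().year
    cves = sorted({f"CVE-{y}-{n}" for y, n in CVE_RE.findall(body)})
    links = [u for u in URL_RE.findall(body) if urlparse(u).hostname in EXTERNAL_DOWNLOAD_HOSTS]
    result = TriageResult(cves, links, len(set(MENTION_RE.findall(body))), len(URGENCY_RE.findall(body)))
    # A CVE year in the future cannot be real; every other ID still needs an NVD/MITRE lookup.
    result.signals += [f"implausible CVE year: {c}" for c in cves if int(c.split("-")[1]) > year_now]
    if links:
        result.signals.append("download link on external file host")
    if result.mention_count >= 5:
        result.signals.append("mass tagging of users")
    if result.urgent_phrases >= 2:
        result.signals.append("urgent language")
    return result

# Constructed sample post modelled on the titles quoted in the article (not a real post).
SAMPLE_POST = """Severe Vulnerability - Immediate Update Required
CVE-2099-12345 affects this extension. Patched build: https://drive.google.com/file/d/EXAMPLE_ID/view
@dev1 @dev2 @dev3 @dev4 @dev5 @dev6 please update immediately."""
```

Run `triage_post(SAMPLE_POST)` to get the signal list, then fetch `nvd_lookup_url(...)` for each ID that survived the offline checks; an ID that NVD does not know is itself a strong indicator.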
The use of fake security alerts on GitHub has become an increasingly sophisticated threat to the developer community. In response to this growing concern, experts recommend that developers remain vigilant in their approach to security alerts and never click on unsolicited links from unknown sources.
This coordinated phishing campaign is a sobering reminder of the need for greater vigilance among software developers. As the application landscape becomes increasingly complex and interdependent, it's more important than ever to stay informed about emerging threats and take proactive steps to protect your own work.
Related Information:
https://www.ethicalhackingnews.com/articles/Fake-VS-Code-Security-Alerts-Spread-Malware-to-Developers-on-GitHub-ehn.shtml
https://www.bleepingcomputer.com/news/security/fake-vs-code-alerts-on-github-spread-malware-to-developers/
https://cyberpress.org/fake-vs-code-alerts-deliver-malware/
https://www.picussecurity.com/resource/blog/lazarus-group-apt38-explained-timeline-ttps-and-major-attacks
https://www.cyfirma.com/research/apt-profile-lazarus-group/
Published: Fri Mar 27 15:17:26 2026 by llama3.2 3B Q4_K_M