Massive Phishing Campaign on GitHub Targets Developers with Fake VS Code Alerts

Severity: High (Score: 66.0)

Sources: Bleepingcomputer, Feeds2.Feedburner, Cybersecuritynews, Scworld, Gbhackers

Summary

A large-scale phishing campaign has emerged, targeting developers on GitHub by utilizing fake Visual Studio Code (VS Code) security alerts. The attackers exploit the platform's Discussions feature, creating thousands of nearly identical posts that mimic legitimate security advisories. These posts warn of critical vulnerabilities in VS Code, urging users to download malicious software disguised as patched versions. The campaign is highly coordinated, indicating automated mass exploitation rather than isolated incidents. Netskope researchers initially identified a trojanized GitHub repository offering a fake Docker image of the OpenClaw AI assistant. The malware delivery method is sophisticated, making it challenging for users to distinguish between safe and malicious tools. As of now, the campaign is ongoing, with significant risk to developers and users who interact with the affected repositories.

Key Points

  • Phishing campaign exploits GitHub Discussions to spread malware via fake VS Code alerts.
  • Thousands of identical posts indicate a coordinated, automated attack targeting developers.
  • Users are tricked into downloading malicious software disguised as legitimate security patches.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Trojan (attack_type)
  • OpenClaw (platform)
  • GitHub (platform)
  • Visual Studio Code (platform)
  • T1566 - Phishing (mitre_attack)
  • Docker (tool)