Phishing Campaign on GitHub Uses Fake VS Code Security Alerts

Tom Jefferson

CEO and Co-founder

 
31 March 2026
3 min read

TL;DR

This article examines a widespread malware campaign exploiting GitHub Discussions to deliver fake Visual Studio Code security alerts. It covers the technical infrastructure behind the attack, including the use of Traffic Distribution Systems (TDS) and browser profiling to target victims. Readers will gain insights into identifying these sophisticated lures and implementing best practices to secure their development environments against platform-based social engineering.

Automated Distribution via GitHub Discussions

The campaign is characterized by its large scale, with researchers at Socket reporting that thousands of nearly identical messages appear in various repositories within a short period of time. Attackers are exploiting the GitHub Discussions feature to spread fake security alerts about Visual Studio Code. Because Discussions sends notifications via email to participants and followers, the messages also reach developers outside the platform, increasing the attack’s credibility and reach. This method allows threat actors to bypass traditional spam filters by landing highly convincing lures straight into developers’ inboxes through a trusted platform.

Image courtesy of Cybersecurity News

Fabricated Security Advisories and Social Engineering

The fake posts masquerade as official security advisories, using alarming titles like "Visual Studio Code – Severe Vulnerability – Immediate Update Required" or "Critical Exploit – Urgent Action Needed." These messages often cite fictitious CVE identifiers and specific versions of VS Code to instill trust. In many cases, the attackers impersonate well-known maintainers or security researchers. Users are urged to install a "patched" version via external download links, often hosted on file-sharing services like Google Drive. This deviates from the normal distribution of VS Code extensions, but the use of trusted third-party services makes the threat less immediately noticeable to busy developers.

Fake GitHub Discussion Alert (Source - Socket.dev)

Image courtesy of Socket.dev

Multi-Step Redirection and Browser Profiling

Analysis of the attack infrastructure reveals a sophisticated Traffic Distribution System (TDS). When a user clicks the link, they are routed through a Google share endpoint. The path then splits: users with a valid Google cookie are redirected to an attacker-controlled command-and-control (C2) domain, while those without are served a fingerprinting page. This infrastructure uses an obfuscated JavaScript page to collect data such as:

  • Time zone and locale
  • Browser information and User Agent
  • Operating system platform
  • Indicators of automated analysis (e.g., navigator.webdriver)

This mechanism serves as a filtering layer to distinguish real victims from bots and security researchers.

Technical Evasion and Reconnaissance Snippets

The campaign utilizes a lightweight, highly obfuscated JavaScript reconnaissance script. It does not immediately drop malware but instead profiles the environment to ensure a successful follow-on exploit. Evasion tricks include CSS hue-rotate filters and hidden iframes to detect environment spoofing. A deobfuscated snippet of the profiling code reveals how the script captures the system state:

let d = -new Date().getTimezoneOffset();  // UTC offset
let su = navigator.userAgent;             // User agent
// ... (full fingerprint data POSTed silently)

The gathered data is encoded and submitted automatically through an invisible form POST to the C2 server. Developers need to recognise this pattern, because the campaign appears to be an evolving threat that blends social engineering with platform abuse.

Mitigation and Developer Safety

To defend against these campaigns, developers must treat unsolicited security alerts on collaborative platforms with extreme caution. Legitimate patches for VS Code or any other IDE are never distributed through third-party file-sharing links. Security experts recommend:

  • Verifying all security claims through official Microsoft channels.
  • Scrutinizing notifications originating from newly created or low-activity accounts.
  • Reporting suspicious Discussions directly to GitHub support.
  • Utilizing robust online privacy tools and multi-factor authentication to protect development environments.
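As an added illustration (not code from the article, Socket or GitHub), the following Python triage heuristic scores a Discussion post or its e-mail notification against the lure traits described above: urgency wording, a cited CVE, a "patched" download hosted on a file-sharing service instead of an official VS Code host, and a newly created account. The two sample posts, the CVE id and the host lists are constructed assumptions; the official hosts are code.visualstudio.com and update.code.visualstudio.com.

```python
import re
from urllib.parse import urlparse

# Urgency phrases quoted from the lure titles in the campaign, plus the "patched version" pitch.
URGENCY = ("severe vulnerability", "critical exploit", "immediate update required",
           "urgent action needed", "patched version")
# Google Drive is the host the campaign used; the others are assumed common file-sharing hosts.
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "mega.nz"}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s)>\"']+", re.IGNORECASE)
NEW_ACCOUNT_DAYS = 30  # assumption: accounts younger than this count as low-history


def _host(url):
    host = urlparse(url).netloc.lower()
    return host[4:] if host.startswith("www.") else host


def lure_indicators(title, body, account_age_days=None):
    """Return the lure indicators found in one Discussion post (empty list if none)."""
    text = f"{title}\n{body}".lower()
    hits = []
    if any(phrase in text for phrase in URGENCY):
        hits.append("urgency-wording")
    if CVE_RE.search(title + body):
        hits.append("cites-cve")  # cannot be verified offline; a context signal only
    for url in URL_RE.findall(body):
        host = _host(url)
        if host in FILE_SHARING_HOSTS or any(host.endswith("." + s) for s in FILE_SHARING_HOSTS):
            hits.append(f"file-sharing-link:{host}")
    if account_age_days is not None and account_age_days < NEW_ACCOUNT_DAYS:
        hits.append("new-account")
    return hits


def triage(post):
    """Classify a post as 'likely-lure', 'suspicious' or 'benign' from its indicators."""
    hits = lure_indicators(post["title"], post["body"], post.get("account_age_days"))
    if "urgency-wording" in hits and any(h.startswith("file-sharing-link") for h in hits):
        return "likely-lure", hits
    if len(hits) >= 2:
        return "suspicious", hits
    return "benign", hits


# Constructed sample posts: one modelled on the campaign's lure, one ordinary question.
LURE_POST = {
    "title": "Visual Studio Code - Severe Vulnerability - Immediate Update Required",
    "body": "Maintainer notice: CVE-2026-00000 (placeholder id) affects VS Code 1.98. "
            "Download the patched version here: https://drive.google.com/file/d/EXAMPLE/view",
    "account_age_days": 2,
}
BENIGN_POST = {
    "title": "Question: default multi-cursor keybinding on Linux?",
    "body": "The defaults are listed at https://code.visualstudio.com/docs/editor/codebasics",
    "account_age_days": 900,
}
```

Run on an inbox export, the heuristic is a first-pass filter for reviewers; the CVE and account-age signals are deliberately not decisive on their own.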

Expert VPN analyst with over 8 years of experience in online privacy and cybersecurity. Specializes in VPN technology, digital security, and privacy protection. Passionate about helping users navigate the complex world of online security and making VPN setup accessible for everyone worldwide.
