PROBABLYPWNED
Malware · March 27, 2026 · 4 min read

Fake VS Code Security Alerts Flood GitHub to Spread Malware

Attackers are posting thousands of fake Visual Studio Code vulnerability alerts in GitHub Discussions, using fabricated CVEs and urgent language to trick developers into downloading malware.

James Rivera

A large-scale phishing campaign is targeting software developers through GitHub's Discussions feature, flooding repositories with fake Visual Studio Code security advisories designed to spread malware.

Security researchers at Socket identified thousands of near-identical posts appearing across GitHub within minutes of each other, pointing to a heavily automated operation. Each fake Discussion mimics an official security advisory with alarming titles like "Visual Studio Code – Severe Vulnerability – Immediate Update Required" and "Critical Exploit – Urgent Action Needed."

How the Attack Works

The campaign exploits GitHub's notification system to amplify its reach. When attackers post these fake advisories, GitHub automatically sends email notifications to repository watchers and participants—delivering the phishing attempt directly to developers' inboxes and lending it an air of legitimacy.

Each post includes fabricated CVE identifiers and version ranges to appear authoritative. The discussions link to supposed patched versions of VS Code, but clicking the link initiates a multi-step redirection chain designed to filter out security researchers and bots.

The attack flow works as follows:

  1. Victim clicks the "download" link pointing to a Google Drive endpoint
  2. The server checks for a valid Google cookie to verify the visitor is a real user
  3. If validated, a 301 redirect sends them to the attacker's command-and-control domain
  4. A JavaScript payload performs device fingerprinting before delivering the final payload

Socket's researchers documented the C2 domain as drnatashachinn[.]com, which hosts a reconnaissance script that collects timezone data, locale settings, user agent strings, and automation detection signals before determining whether to serve a secondary payload.

Scale and Automation

The campaign's scale suggests significant resources behind it. Hundreds to thousands of identical Discussions appeared within minutes, posted from newly created or low-activity GitHub accounts. The attackers also mass-tag unrelated users across repositories to maximize notification delivery.

This isn't the first time threat actors have weaponized GitHub's social features. We've seen similar abuse patterns in supply chain attacks targeting developer tools, where attackers exploit trust in legitimate platforms to distribute malware.

The technique bears resemblance to the GlassWorm campaign from earlier this month, which compromised over 400 VS Code extensions, npm packages, and GitHub repositories with malicious code. Both campaigns target developers specifically, recognizing that compromised developer machines often have access to production systems and sensitive credentials.

Why Developers Are High-Value Targets

Developers represent uniquely valuable targets for threat actors. Their machines typically contain SSH keys, API tokens, cloud credentials, and access to source code repositories. A single compromised developer workstation can provide attackers a foothold into an organization's entire software supply chain.

The Stargazer Goblin operation, uncovered by Check Point Research, demonstrated how profitable this targeting can be. That threat actor earned over $100,000 running a malware distribution network using more than 3,000 fake GitHub accounts—distributing infostealers like Atlantida, Rhadamanthys, and RedLine to unsuspecting developers.

How to Spot the Fake Advisories

Socket's researchers outlined several red flags developers should watch for:

  • External download links: Legitimate VS Code updates come through Microsoft's official channels or the built-in update mechanism
  • Fabricated CVE references: Always verify CVE identifiers against the National Vulnerability Database
  • Mass user tagging: Attackers tag unrelated users to maximize notification reach
  • Urgent language: Pressure tactics like "Immediate Update Required" are classic social engineering
  • New account activity: Check if the poster has a legitimate contribution history

The attackers are banking on developers reacting quickly to what appears to be a critical security issue. Taking a moment to verify through official channels can prevent infection.
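A heuristic triage of Discussion posts against the red flags listed above, written as an added example (not Socket's or GitHub's code). The post fields, the allowlisted hosts, the thresholds and the two sample posts are assumptions or constructed for illustration.

```python
"""Score a GitHub Discussion post against the red flags listed above (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist: hosts from which a VS Code download link is plausible.
OFFICIAL_HOSTS = ("code.visualstudio.com", "update.code.visualstudio.com", "microsoft.com")
URGENT_PHRASES = ("immediate update required", "urgent action needed",
                  "severe vulnerability", "critical exploit")
URL_RE = re.compile(r"https?://[^\s)>\]]+")
CVE_RE = re.compile(r"\bCVE-(\d{4})-\d{4,}\b", re.I)
MENTION_RE = re.compile(r"(?<!\w)@[\w-]+")

@dataclass
class Post:
    title: str
    body: str
    author_age_days: int   # age of the posting account (assumed available via the API)
    author_contribs: int   # prior contributions of the poster
    year: int              # year the post was made

def _official(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def red_flags(post: Post) -> list[str]:
    """Return the red flags matched by the post; each string names one indicator."""
    text = f"{post.title}\n{post.body}"
    flags = []
    if any(not _official(urlparse(u).hostname or "") for u in URL_RE.findall(text)):
        flags.append("external download link")
    cve_years = CVE_RE.findall(text)
    if any(int(y) > post.year for y in cve_years):
        flags.append("fabricated CVE (future year)")   # a CVE year cannot postdate the post
    elif cve_years:
        flags.append("CVE reference (verify against NVD)")
    if len(set(MENTION_RE.findall(text))) >= 5:
        flags.append("mass user tagging")
    if any(p in text.lower() for p in URGENT_PHRASES):
        flags.append("urgent language")
    if post.author_age_days < 30 and post.author_contribs < 5:
        flags.append("new or low-activity account")
    return flags

def is_suspicious(post: Post) -> bool:
    """Two or more red flags warrant verifying through official channels before clicking."""
    return len(red_flags(post)) >= 2

# Constructed sample posts: the CVE id, link and handles are placeholders, not real indicators.
FAKE = Post(title="Visual Studio Code – Severe Vulnerability – Immediate Update Required",
            body=("CVE-2027-31337 affects VS Code 1.80-1.98. Patched build: "
                  "https://drive.google.com/uc?id=EXAMPLE_ID @dev1 @dev2 @dev3 @dev4 @dev5 @dev6"),
            author_age_days=2, author_contribs=0, year=2026)
BENIGN = Post(title="Release notes discussion",
              body="Update via Help > Check for Updates or https://code.visualstudio.com/updates",
              author_age_days=1200, author_contribs=340, year=2026)
```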

Protecting Your Development Environment

Organizations should implement multiple layers of defense against these increasingly sophisticated developer-targeted campaigns:

Verify update sources: VS Code updates should only come from Microsoft's official distribution channels. The application includes a built-in update mechanism that eliminates the need for manual downloads.

Enable endpoint protection: Modern EDR solutions can detect the reconnaissance scripts and redirect chains these campaigns use.

Monitor GitHub notifications: Consider filtering or limiting GitHub email notifications to reduce the attack surface for notification-based phishing.

Audit developer credentials: Regularly rotate API tokens, SSH keys, and service account credentials on developer workstations.

The campaign's use of Google Drive as an initial distribution point and its sophisticated bot-filtering mechanisms show continued evolution in how threat actors target the software supply chain. As developer tools become more integrated with cloud services and automation pipelines, these attack vectors will only grow more attractive to adversaries.

GitHub users who encounter these fake security advisories should report them directly to GitHub for review and removal.
