GitHub's malware campaign posing as VS Code security notices

A massive campaign has recently come to light that is exploiting the GitHub Discussion section to trick developers and collate them malware under the appearance of Visual Studio Code security notices. According to the report published by the security firm Socket, the attackers create publications that seem to be legitimate reports of vulnerabilities - with alarmist titles, alleged CVE identifiers and, in many cases, the supplanting of real maintainers or researchers - with the intention of the recipient downloading "patches" housed outside the official channels.

The vector is simple but effective: publications are automatically generated from new or unactive accounts and published in thousands of repositories within minutes. By mass labelling of contributors or "watchers," these messages trigger GitHub's mail notifications, directly reaching entry trays where, with the haste that causes a security notice, obvious alarm signals can be ignored.

Fraud entries often include links to files hosted in third-party services such as Google Drive. Although to the naked view Drive is a trusted service, that's precisely where the trap lies: the link redirects to a cookie-based chain that ends up leading to the malicious domain (for example, drnatashachin [.] com), where a JavaScript recognition script is run. This code does not immediately install the malicious load; first it collects telemetry from the visitor - time zone, location, user agent, operating system and prints indicating automation - it packs those data and sends them to a control server by means of a POST request. This is a typical technique of traffic distribution systems (TDS): filter bots and researchers and deliver the second stage only to validated victims.

Socket failed to capture the second stage, so it is not fully documented what kind of malware would be distributed if the victim passes that filter, although the architecture and scale suggest that we are facing an organized operation with resources. It is also important to note that the initial script does not attempt to steal credentials at that point, which can lead to error: the absence of a direct theft of credentials does not imply an absence of risk.

This is not the first time that malicious actors abuse GitHub's reporting and collaboration mechanisms. In recent years, a number of campaigns have emerged that took advantage of comments, press requests or even requests for authorization to malicious OAuth applications to access accounts and distribute phishing. The novelty here is the combination of supplanting of VS Code extension security notices, links to "patches" outside the Marketplace and large-scale distribution through Discussion.

If you receive such an alert, you should stop before you act. Verify any vulnerability identifier in official sources as the National Vulnerability Database (NVD) the catalogue of exploited vulnerabilities of CISA in the United States ( Known Exploited Vulnerabilities) or the database of Common Vulnerability and Exposures (CVE). For extensions of Visual Studio Code, check the source at the Official marketing and confirms with the project maintainers from their profile or official channels before downloading or installing any external file.

It is also recommended to review how you receive notifications in GitHub and reduce unnecessary exposure: look at the post and filter settings in your account helps reduce noise and the probability of falling into lures. If you detect a suspicious publication, report it to GitHub to take action through the abuse form ( Report abuse in GitHub) and review how notifications work on your profile in official documentation ( About mail notifications in GitHub).

The lesson for developers and security equipment is double:: On the one hand, keep calm and verify the origin of any alert using verified channels and databases; on the other, assume that mass collaborative spaces can be used as distribution vectors and adjust digital hygiene practices: validate links, prefer facilities from official sources, distrust of Google Drive downloads that supposedly replace repositories or marketplaces, and demand direct confirmations from the maintainers before applying urgent "patches."

The campaign described by Socket is a reminder that the platforms we use to collaborate are also fertile ground for abuse, and that the implicit confidence in popular services can be manipulated by sophisticated operations. Maintaining verification habits and taking advantage of official sources to contrast alerts drastically reduces the likelihood of being a victim.

For those who want to deepen the original research, Socket's technical report is available on your blog: Widespread GitHub campaign uses fake VS Code security alerts to deliver malware.