- Socket discovers large-scale spam campaign on GitHub abusing “Discussions” notifications
- Fake advisories with fake CVEs trick developers into downloading malware via cloud-hosted links
- Thousands of identical posts were observed, showing a coordinated effort to target developers’ credentials and projects.
Experts have warned that cybercriminals are tricking GitHub into sending fraudulent email notifications, luring software developers to download malware.
Socket security researchers said they observed a large-scale, coordinated spam campaign targeting developers across multiple projects.
GitHub has a feature called "Discussions", essentially a forum attached to each repository where people discuss the project. When a developer participates in or subscribes to a discussion, GitHub emails them a notification whenever something new is posted there.
Large scale campaign
Now, Socket says, the criminals are posting fake security notices with titles like "Serious vulnerability: Immediate update required." The notices often cite made-up CVE IDs and are posted from newly created accounts or from old, inactive accounts that were most likely compromised elsewhere.
Once the "warning" is published, GitHub itself sends a genuine notification email to everyone subscribed to the discussion. Recipients who do not recognise the post as fraudulent end up downloading malware: the notices link to supposedly "patched" versions of the affected VS Code extensions, hosted on Google Drive and other cloud storage services.
Clicking the link sends the victim through a series of redirects that collect data about the visitor along the way, so that the final malware is served only to targets that pass those checks. Because of this gating, Socket was unable to retrieve the final payload and does not know exactly what it is. It is reasonable to assume it is an information stealer, since software developers are routinely targeted for their access to valuable projects and for the cryptocurrency wallets installed in their browsers.
The campaign appears to be well organised and large, Socket says, casting a wide net in an attempt to infect as many GitHub users as possible.
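The lure described above is hard to catch with sender checks, because the notification email really does come from GitHub; what gives it away is the content of the post. The following triage helper is an added example, not code from Socket or from the article: it scores a Discussions notification on the indicators the article describes (urgency wording in the title, a CVE ID that cannot exist, and a "patched version" offered from consumer cloud storage instead of the project's own channels). The host lists, phrase lists, scoring weights and the two sample notifications are constructed assumptions for illustration; Google Drive is the only host the article names.

```python
"""Content-based triage for GitHub Discussions notification emails.

Added example (not from the article or from Socket). All phrase and host
lists below are illustrative assumptions, not a vetted detection rule set.
"""
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+")

# Title wording quoted in the article plus close variants (assumed list).
URGENCY_PHRASES = (
    "immediate update required",
    "serious vulnerability",
    "critical vulnerability",
    "update immediately",
)

# Consumer file-sharing hosts a maintainer would not use to ship an extension.
# drive.google.com is named in the article; the others are assumptions.
CLOUD_STORAGE_HOSTS = (
    "drive.google.com",
    "dropbox.com",
    "mega.nz",
    "mediafire.com",
    "1drv.ms",
)

# Where a real VS Code extension fix would normally be published (assumed).
TRUSTED_HOSTS = ("github.com", "marketplace.visualstudio.com", "open-vsx.org")

PATCH_WORDS = ("patched version", "fixed version", "updated build", "download the fix")


@dataclass
class Verdict:
    score: int
    indicators: list


def _hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _matches(host: str, suffixes) -> bool:
    # Exact host or any subdomain of a listed host.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(subject: str, body: str, current_year: int = None) -> Verdict:
    """Score one notification; score >= 3 is treated as a lure."""
    current_year = current_year or date.today().year
    indicators, score = [], 0
    text = f"{subject}\n{body}"
    lower = text.lower()

    # 1. Urgency wording in the subject line (+1).
    for phrase in URGENCY_PHRASES:
        if phrase in subject.lower():
            indicators.append(f"urgency wording in subject: {phrase!r}")
            score += 1
            break

    # 2. CVE IDs with a year that cannot exist (+2 each). This only catches the
    #    sloppiest fakes; a plausible-looking ID needs an online NVD lookup.
    for m in CVE_RE.finditer(text):
        year = int(m.group(1))
        if year < 1999 or year > current_year:
            indicators.append(f"implausible CVE ID: {m.group(0)}")
            score += 2

    # 3. Links to consumer cloud storage (+2 each); remember every non-project host.
    untrusted = set()
    for url in URL_RE.findall(body):
        host = _hostname(url)
        if _matches(host, CLOUD_STORAGE_HOSTS):
            indicators.append(f"link to consumer cloud storage: {host}")
            score += 2
        if host and not _matches(host, TRUSTED_HOSTS):
            untrusted.add(host)

    # 4. A "patched version" offered from outside the project's own channels (+1).
    if untrusted and any(w in lower for w in PATCH_WORDS):
        indicators.append("patched build offered from: " + ", ".join(sorted(untrusted)))
        score += 1

    return Verdict(score=score, indicators=indicators)


def is_lure(subject: str, body: str) -> bool:
    return triage(subject, body).score >= 3


# Constructed sample notifications (not real posts, repos or CVEs).
LURE_SUBJECT = "[acme/vscode-acme-tools] Serious vulnerability: Immediate update required"
LURE_BODY = """A serious vulnerability (CVE-2099-48213) was found in this extension.
All users must install the patched version immediately:
https://drive.google.com/file/d/1aBcDeFgHiJk/view?usp=sharing"""

BENIGN_SUBJECT = "[acme/vscode-acme-tools] Extension host crashes on Node 22"
BENIGN_BODY = """After upgrading to Node 22 the extension fails to activate.
Related issue: https://github.com/acme/vscode-acme-tools/issues/1041"""

if __name__ == "__main__":
    for subj, body in ((LURE_SUBJECT, LURE_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        v = triage(subj, body)
        print(f"score={v.score} lure={is_lure(subj, body)} :: {subj}")
        for ind in v.indicators:
            print("   -", ind)
```

The scoring is deliberately additive so that a single weak signal (a real advisory with urgent wording, or a legitimate Drive link in an unrelated thread) does not trip it on its own; the combination the article describes scores well above the threshold, while an ordinary bug-report notification scores zero.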
“Early searches show thousands of nearly identical posts across all repositories, indicating that this is not an isolated incident but rather a coordinated spam campaign,” Socket said.
“Because GitHub Discussions trigger email notifications for participants and observers, these posts are also sent directly to developers’ inboxes.”
Via BleepingComputer