Attackers are using GitHub Discussions to spread false warnings about security holes

Threat actors are posting fake security advisories in GitHub Discussions. By tagging large numbers of developers in each post, they turn GitHub's built-in email notification system into a delivery channel, so the lure reaches far more people than the post itself would.

The alerts tell developers to download a fake emergency patch from a link to an external file-sharing site, most often Google Drive. Developers should treat any unsolicited security advisory on GitHub with suspicion: legitimate vendors do not distribute security-critical patches through third-party file-sharing services. Security teams should monitor for the campaign's known command-and-control (C2) domains, and developers should obtain updates only from a project's official release channels (its releases page, package registry or vendor site).

The campaign works at volume: the same lure is posted across many repositories' Discussions.

The posts carry alarming titles such as "Critical Exploit Urgent Action Needed" and often cite fabricated CVE identifiers. Victims who follow the link are not served malware directly. Instead, they are passed through a chain of redirects, including a Traffic Distribution System (TDS), before reaching the final payload.
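The lure has a consistent shape, so it can be triaged mechanically. The script below is an added example, not code from the original article: it scores a Discussion post on the indicators described above (urgency language in the title, malformed or implausible CVE identifiers, a "patch" link hosted on a third-party file-sharing service, and mass @-mentions). The indicator lists and the sample posts are constructed for illustration and are not data from the campaign.

```python
"""Triage a GitHub Discussion post for the hallmarks of the fake-advisory lure:
urgency language in the title, malformed or implausible CVE identifiers,
"patch" download links hosted on third-party file-sharing services, and
mass @-mentions used to fan out notifications.

Added example, not code from the original article. The indicator lists and
the sample posts are constructed for illustration and are not data from the
campaign.
"""
import re
from datetime import date
from typing import Dict, List, Optional
from urllib.parse import urlparse

URGENCY_TERMS = ("critical", "urgent", "exploit", "action needed",
                 "immediately", "zero-day", "0-day")

# Hosts no legitimate vendor would use to ship a security patch.
# Assumption: extend this list for your own environment.
FILE_SHARING_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com",
                      "mega.nz", "mediafire.com", "wetransfer.com")

CVE_RE = re.compile(r"CVE-(\d{4})-(\d+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>)\]]+")
# GitHub handles: 1-39 alphanumerics/hyphens, no leading or trailing hyphen.
# The lookbehind keeps e-mail addresses from matching as mentions.
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?)")


def classify_cve(cve_id: str, today: Optional[date] = None) -> str:
    """Return 'malformed', 'implausible' or 'well_formed' for a CVE string.

    Only syntax and plausibility are checked; whether the identifier actually
    exists must be confirmed against the official CVE list, which this offline
    helper cannot do.
    """
    today = today or date.today()
    m = CVE_RE.fullmatch(cve_id.strip())
    if m is None:
        return "malformed"
    year, sequence = int(m.group(1)), m.group(2)
    if len(sequence) < 4:                  # sequence part is at least four digits
        return "malformed"
    if year < 1999 or year > today.year:   # the CVE programme started in 1999
        return "implausible"
    return "well_formed"


def _is_file_sharing_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def triage(title: str, body: str, mention_threshold: int = 5,
           today: Optional[date] = None) -> Dict[str, object]:
    """Score one post; two or more independent indicators mark it suspicious."""
    indicators: List[str] = []
    text = f"{title}\n{body}"

    hits = [t for t in URGENCY_TERMS if t in title.lower()]
    if hits:
        indicators.append("urgency language in title: " + ", ".join(hits))

    for m in CVE_RE.finditer(text):
        verdict = classify_cve(m.group(0), today)
        if verdict != "well_formed":
            indicators.append(f"{verdict} CVE id: {m.group(0)}")

    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if _is_file_sharing_host(host):
            indicators.append(f"download link on file-sharing host: {host}")

    mentions = set(MENTION_RE.findall(text))
    if len(mentions) >= mention_threshold:
        indicators.append(f"mass mention of {len(mentions)} users")

    return {"indicators": indicators, "suspicious": len(indicators) >= 2}


# Constructed sample posts (not real Discussion content).
SAMPLE_POSTS = [
    {"title": "Critical Exploit Urgent Action Needed",
     "body": ("CVE-2031-99999 affects this repository. Apply the emergency "
              "patch now: https://drive.google.com/file/d/EXAMPLE/view "
              "@alice @bob @carol @dave @erin @frank")},
    {"title": "Question about pagination in the REST client",
     "body": ("@alice is there a way to set the page size? See "
              "https://github.com/example/repo/issues/42")},
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        result = triage(post["title"], post["body"])
        print(post["title"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for line in result["indicators"]:
            print("   -", line)
```

A "well_formed" verdict only means the identifier could exist; confirm it against the CVE list or NVD before trusting it, and treat the combination of a plausible-looking CVE with a file-sharing download link as the strongest signal, since that pairing is exactly what this lure relies on.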

Along the way, a Google endpoint inspects the incoming request for a valid Google cookie. If one is present, as it normally is for a real user browsing from a logged-in session, the victim is forwarded to an attacker-controlled command-and-control (C2) domain via a 301 redirect; a request without the cookie, such as one from a fresh analysis VM or an automated scanner, is not forwarded and never reaches the C2 stage. On the C2 page, a fingerprinting script uses a hidden iframe to collect the system's timezone, operating-system platform, primary user agent and a secondary user agent, then compares them to detect a spoofed environment (for example a user agent that claims one platform while the iframe reports another).

It also checks for signs of browser automation so that analysis tooling is filtered out before the payload is delivered.
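The cookie gate has a practical consequence for analysts: replaying the lure link from a clean sandbox without a logged-in Google cookie stops at the gate and never reveals the C2 domain, so the link has to be captured both with and without the cookie and the two chains compared. The script below is an added example, not code from the original article: it reconstructs each redirect chain from captured responses and flags a Google-hosted hop that 301s to an off-Google domain only when the cookie was sent. The hop records are constructed, and the ".example" hostnames are placeholders, not real infrastructure from the campaign.

```python
"""Reconstruct the redirect chain behind a lure link from captured responses
and flag the cookie-gated hop described above: a Google-hosted endpoint that
301s to an off-Google domain only when the request carried a Google cookie.

Added example, not code from the original article. The hop records are
constructed, and the ".example" hostnames are placeholders rather than real
infrastructure from the campaign.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

GOOGLE_SUFFIXES = ("google.com", "googleusercontent.com", "googleapis.com")


@dataclass(frozen=True)
class Hop:
    url: str                  # request URL
    status: int               # HTTP status returned
    location: Optional[str]   # Location header if the response redirected
    cookie_sent: bool         # request carried a Google session cookie


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_google_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def follow(hops: List[Hop], start: str) -> List[Hop]:
    """Order captured hops into a chain from `start` by following Location."""
    by_url = {h.url: h for h in hops}
    chain: List[Hop] = []
    seen = set()
    url = start
    while url in by_url and url not in seen:   # stop on loops or missing captures
        seen.add(url)
        hop = by_url[url]
        chain.append(hop)
        if hop.location is None:
            break
        url = hop.location
    return chain


def analyze(hops: List[Hop], start: str) -> Dict[str, object]:
    """Compare the with-cookie and without-cookie captures of the same link."""
    with_cookie = follow([h for h in hops if h.cookie_sent], start)
    without_cookie = follow([h for h in hops if not h.cookie_sent], start)
    without_by_url = {h.url: h for h in without_cookie}

    gates = []
    for hop in with_cookie:
        if hop.location is None:
            continue
        src, dst = host_of(hop.url), host_of(hop.location)
        if is_google_host(src) and not is_google_host(dst):
            other = without_by_url.get(hop.url)
            # Gated if the cookieless request never received the same redirect.
            gated = (other is None or other.location is None
                     or host_of(other.location) != dst)
            gates.append({"url": hop.url, "status": hop.status,
                          "redirect_to": dst, "cookie_gated": gated})

    final_host = host_of(with_cookie[-1].url) if with_cookie else ""
    return {
        "with_cookie": [host_of(h.url) for h in with_cookie],
        "without_cookie": [host_of(h.url) for h in without_cookie],
        "gates": gates,
        "candidate_c2": final_host if final_host and not is_google_host(final_host) else None,
    }


# Constructed captures of one lure link, replayed twice from a sandbox.
START = "https://drive.google.com/uc?id=EXAMPLE"
GATE = "https://www.google.com/url?q=EXAMPLE"
C2 = "https://update-gate.example/landing"
CAPTURED_HOPS = [
    # with a Google cookie: the gate forwards to the attacker's domain
    Hop(START, 302, GATE, True),
    Hop(GATE, 301, C2, True),
    Hop(C2, 200, None, True),
    # without a cookie: the gate serves an innocuous page and the chain ends
    Hop(START, 302, GATE, False),
    Hop(GATE, 200, None, False),
]

if __name__ == "__main__":
    report = analyze(CAPTURED_HOPS, START)
    print("with cookie   :", " -> ".join(report["with_cookie"]))
    print("without cookie:", " -> ".join(report["without_cookie"]))
    for g in report["gates"]:
        print(f"gate {g['url']} {g['status']} -> {g['redirect_to']} "
              f"cookie_gated={g['cookie_gated']}")
    print("candidate C2:", report["candidate_c2"])
```

The destination of a cookie-gated hop is the domain to add to the C2 watch list; the cookieless chain alone would suggest the link is harmless. Because the C2 page fingerprints the browser and looks for automation, the same differential approach applies there: capture the page once from a real browser profile and once from the sandbox, and treat a difference in what is served as a further indicator rather than as proof the link is clean.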