Phishing Attack Pushes Malware Using Fake VS Code Alerts On GitHub - cyberpress.org
Phishing Attack Pushes Malware Using Fake VS Code Alerts On GitHub
By Varshini
March 27, 2026
Categories: Cyber Security News, GitHub, Phishing
A large-scale phishing campaign is currently targeting developers directly within GitHub by distributing fake Visual Studio Code security alerts.
Attackers are exploiting GitHub Discussions to post fabricated vulnerability warnings, aiming to trick users into downloading malicious software.
By tagging large numbers of developers and relying on GitHub’s built-in email notification system, the threat actors successfully amplify their reach and bypass traditional spam filters, landing highly convincing lures straight into developers’ inboxes.
Attack Methodology and Infrastructure
The campaign operates by mass-creating posts across numerous repositories. These posts use alarming titles like “Critical Exploit Urgent Action Needed” and often reference completely fabricated CVE numbers.
Instead of utilizing legitimate update channels, the alerts instruct developers to download a supposed emergency patch from an external file-sharing link, primarily utilizing Google Drive infrastructure.
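The lure pattern described above (urgent titles, a CVE reference, a patch hosted on a file-sharing service, and many tagged users) can be scored mechanically before a notification reaches a developer. The following is an added example, not code from the article or from Socket; the phrase list, host list, mention threshold and the CVE-year plausibility check are assumptions, and the sample post is constructed.

```python
import re

# Indicators drawn from the campaign description; thresholds are assumptions.
URGENCY_PHRASES = ("critical exploit", "urgent action needed", "emergency patch",
                   "immediate update required")
FILE_SHARING_HOSTS = ("drive.google.com", "share.google", "docs.google.com")
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,7})", re.IGNORECASE)
MENTION_RE = re.compile(r"(?<![\w@])@[A-Za-z0-9](?:[A-Za-z0-9-]{0,38})")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

def score_discussion(title: str, body: str, max_year: int = 2026) -> dict:
    """Score a GitHub Discussion post against the lure traits; >=2 traits is suspicious."""
    text = f"{title}\n{body}"
    lower = text.lower()
    reasons = []
    if any(p in lower for p in URGENCY_PHRASES):
        reasons.append("urgency language in title/body")
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if any(h == fs or h.endswith("." + fs) for h in hosts for fs in FILE_SHARING_HOSTS):
        reasons.append("patch offered via third-party file-sharing link")
    for year, seq in CVE_RE.findall(text):
        # A CVE id cannot be validated offline; flag only implausible years (assumption).
        if int(year) > max_year or int(year) < 1999:
            reasons.append(f"implausible CVE id CVE-{year}-{seq}")
            break
    mentions = set(MENTION_RE.findall(text))
    if len(mentions) >= 5:  # mass-tagging threshold is an assumption
        reasons.append(f"mass tagging ({len(mentions)} users mentioned)")
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 2}

# Constructed sample post mimicking the lure (not a real campaign artifact).
SAMPLE_TITLE = "Critical Exploit Urgent Action Needed - VS Code"
SAMPLE_BODY = """@alice @bob @carol @dave @erin @frank
A critical vulnerability (CVE-2031-99999) affects all VS Code versions.
Download the emergency patch now: https://drive.google.com/file/d/EXAMPLE/view"""

if __name__ == "__main__":
    print(score_discussion(SAMPLE_TITLE, SAMPLE_BODY))
```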
Fake VS Code Alerts Deliver Malware (Source: Socket)
When a developer clicks the provided link, they are not immediately served malware. Instead, they enter a multi-step redirection chain that acts as a Traffic Distribution System (TDS).
The Google endpoint inspects the incoming request for a valid Google cookie. If the cookie is present, which is typical for real users browsing the web, the victim is redirected to an attacker-controlled command-and-control (C2) domain via a 301 redirect.
If the request lacks a cookie, the server delivers a fingerprinting page directly, serving as a fallback mechanism to filter out security scanners and bots.
Payload Analysis and Mitigation
Once routed to the attacker-controlled infrastructure, the victim is served a lightweight, highly obfuscated JavaScript reconnaissance page.
This script does not immediately drop a visible payload or request credentials. Instead, it silently collects environmental data to profile the target.
Fake VS Code Alerts Deliver Malware (Source: Socket)
The fingerprinting script gathers the system timezone, operating system platform, primary user agent, and a secondary user agent via a hidden iframe to detect environment spoofing. It also checks for automation signals to evade analysis tools.
Threat indicator: technical details
Attack Vector: GitHub Discussions, mass tagging, email notifications
Initial Lure: Fake VS Code critical vulnerability alerts
Delivery Endpoint: share.google[...]
Known C2 Domain: drnatashachinn[.]com
Evasion Tactics: Cookie-based routing, array-shuffling obfuscation, TDS filtering
Collected Data: Timezone, OS platform, user agent, WebDriver status
The gathered data is encoded and automatically submitted via an invisible form POST request back to the C2 server without any user interaction. This filtering layer ensures that only highly viable targets receive the secondary payload.
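The redirect chain and the silent form POST described above leave a recognisable sequence in web proxy logs: a request to share.google answered with a 301/302 to a host outside Google, followed shortly by a POST from the same client to that host. The following is an added example, not code from the article or from Socket; the log format, the trusted-suffix list and the time window are assumptions, the known C2 domain is the one the report lists, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy-log format (assumption): ts client method url status redirect-target-or-dash
SAMPLE_LOG = """\
2026-03-27T10:00:01Z 10.0.0.5 GET https://share.google/abc123 301 https://drnatashachinn.com/
2026-03-27T10:00:02Z 10.0.0.5 GET https://drnatashachinn.com/ 200 -
2026-03-27T10:00:03Z 10.0.0.5 POST https://drnatashachinn.com/collect 200 -
2026-03-27T10:05:00Z 10.0.0.9 GET https://share.google/def456 302 https://maps.google.com/
2026-03-27T10:05:01Z 10.0.0.9 GET https://maps.google.com/ 200 -
"""
KNOWN_C2 = {"drnatashachinn.com"}                      # from the report; extend with own intel
TRUSTED_REDIRECT_SUFFIXES = ("google.com", "youtube.com")  # assumption: expected share.google targets

def parse(log: str):
    """Yield (timestamp, client, method, url, status, target) per constructed log line."""
    for line in log.splitlines():
        ts, client, method, url, status, target = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), client, method, url, int(status), target

def detect_tds_chains(log: str, window: timedelta = timedelta(minutes=2)) -> list:
    """Flag clients redirected from share.google to an untrusted host that then receive a POST."""
    events = defaultdict(list)
    for ev in parse(log):
        events[ev[1]].append(ev)
    alerts = []
    for client, evs in events.items():
        for ts, _, method, url, status, target in evs:
            if urlparse(url).hostname != "share.google" or status not in (301, 302) or target == "-":
                continue
            dest = urlparse(target).hostname or ""
            trusted = any(dest == s or dest.endswith("." + s) for s in TRUSTED_REDIRECT_SUFFIXES)
            if trusted and dest not in KNOWN_C2:
                continue  # ordinary share.google redirect, nothing to report
            # The fingerprint is submitted as a form POST shortly after the redirect.
            posted = any(m == "POST" and urlparse(u).hostname == dest and ts <= t <= ts + window
                         for t, _, m, u, _, _ in evs)
            alerts.append({"client": client, "redirect_to": dest,
                           "known_c2": dest in KNOWN_C2, "beacon_post": posted})
    return alerts

if __name__ == "__main__":
    for alert in detect_tds_chains(SAMPLE_LOG):
        print(alert)
```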
To defend against this campaign, developers must exercise caution when encountering unsolicited security advisories on GitHub.
Legitimate vendors will never distribute critical software patches through third-party file-sharing services. Security teams should monitor for the known C2 domains, and developers must ensure all updates are performed directly through legitimate update channels.