NEWS: Were you tagged in a discussion? It may be an attack attempt.

pinkman

An attack using fake security warnings was detected on the GitHub platform.
Developers are being flooded with "critical vulnerability" alerts directly on GitHub, but the alarming warnings serve a completely different purpose. According to a report from Socket, unknown actors are sending fake notifications about issues in Visual Studio Code and luring users to malicious websites.

The attack takes place within GitHub itself. The attackers open discussions in repositories, disguised as urgent security alerts. The text looks convincing: "critical vulnerability," "urgent update," "security threat." The messages cite fictitious vulnerability identifiers and program versions, then offer to download a "fixed" version of the editor via an external link.

There are already thousands of such posts. They appear almost simultaneously, often from newly created accounts. Authors tag developers en masse in discussions to attract attention, even posing as project maintainers.

The situation is made worse by GitHub's notification mechanism. The platform sends emails to repository contributors and subscribers, so fake warnings land directly in their inboxes and appear even more believable.

Links in the messages point to third-party file storage services, such as Google Drive, and from there redirect the user to an external website controlled by the attackers. Analysis revealed a clickstream with an intermediate Google page, after which the victim is redirected to the attackers' command-and-control domain.

It's worth noting that the link's behavior depends on the presence of Google cookies. If the browser is already signed in to Google, it redirects to the malicious site. If not, it opens a page that collects system data. This approach helps filter out automated checks and keep "real" users.

A hidden script runs on the final page. It collects information about the time zone, system language, platform, browser, and signs of automation. The data is then secretly sent to the attackers' server. The user may not even see any obvious malicious file or login form.

This behavior resembles a traffic distribution system. The attackers first collect data about the victim and then decide where to redirect them next: to a phishing page, a page with an exploit, or another deceptive scheme.

The attack was effective for a simple reason. GitHub is considered a trusted platform, and security alerts prompt quick action and lowered vigilance. When identical warnings appear in multiple repositories, trust is reinforced.

Developers are advised not to click links from such discussions and to verify any vulnerability reports through the software developers' official channels. Genuine Visual Studio Code updates are never distributed through random links in discussions.
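The signals described above (urgency wording, fictitious vulnerability identifiers, a download link to a file-storage service, newly created accounts, mass tagging) can be turned into a simple triage score for incoming discussion notifications. The following is an added example, not code from Socket or GitHub; the phrase list, trusted-host list and thresholds are illustrative assumptions, and the two sample posts are constructed.

```python
import re
from urllib.parse import urlparse

# Heuristics derived from the report above. Lists and thresholds are assumptions.
URGENCY_TERMS = ("critical vulnerability", "urgent update", "security threat")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>()\]]+")
MENTION_RE = re.compile(r"(?<!\w)@\w+")
FILE_HOSTS = ("drive.google.com", "docs.google.com")   # first hop in the clickstream
TRUSTED_HOSTS = ("github.com", "code.visualstudio.com")  # where real updates live
NEW_ACCOUNT_DAYS = 30
MASS_TAG_THRESHOLD = 5

def _matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def offsite_hosts(body):
    """Hostnames linked from the post that are not on the trusted list."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlparse(url.rstrip(".,;")).hostname or "").lower()
        if host and not _matches(host, TRUSTED_HOSTS):
            hosts.append(host)
    return hosts

def score_post(body, author_age_days):
    """Return (score, reasons) for one discussion post; each matched signal adds one."""
    reasons = []
    if any(term in body.lower() for term in URGENCY_TERMS):
        reasons.append("urgency wording")
    if CVE_RE.search(body):
        reasons.append("vulnerability id cited")
    hosts = offsite_hosts(body)
    if any(_matches(h, FILE_HOSTS) for h in hosts):
        reasons.append("download via file-storage link")
    elif hosts:
        reasons.append("off-site link")
    if author_age_days < NEW_ACCOUNT_DAYS:
        reasons.append("newly created account")
    if len(MENTION_RE.findall(body)) >= MASS_TAG_THRESHOLD:
        reasons.append("mass tagging")
    return len(reasons), reasons

def is_suspicious(body, author_age_days, threshold=3):
    return score_post(body, author_age_days)[0] >= threshold

# Constructed sample posts (not real discussions; the CVE id is a placeholder).
FAKE_ALERT = ("@dev1 @dev2 @dev3 @dev4 @dev5 Critical vulnerability CVE-0000-00000 in VS Code! "
              "Urgent update: get the fixed build at https://drive.google.com/file/d/EXAMPLE/view")
REAL_NOTICE = ("Heads up: this repo now needs a newer VS Code. Release notes: "
               "https://github.com/example-org/example-repo/releases/tag/v2.0")
```

Running the score over each notification email or discussion post gives a reviewer a reason list to check against the vendor's official advisory channel before anyone follows a link.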