- Socket uncovers large-scale GitHub spam campaign abusing Discussions notifications
- Fake reviews containing fake CVEs trick developers into downloading malware via cloud-hosted links
- Thousands of identical posts observed, demonstrating a coordinated effort to target developer references and projects
Cybercriminals are tricking GitHub into sending fraudulent email notifications that lure software developers into downloading malware, experts have warned.
Socket security researchers said they observed a large-scale, coordinated spam campaign targeting developers of various projects.
GitHub has a section called “Discussions”, which is basically a forum for discussing various projects. When a developer participates or monitors a topic, they will be notified by email when something is published.
Large-scale campaign
Now, Socket says criminals are posting fake advisories with titles like “Serious Vulnerability – Immediate Update Required.” These notices, often accompanied by fake CVE identifiers, are posted either by new accounts or by old, inactive accounts, likely stolen from elsewhere.
Once the “warning” is posted, GitHub sends an email to participants who, if they do not spot the trick, end up downloading malware. The advisories contain a link to “patched” versions of the affected VS Code extensions, hosted on Google Drive and other cloud storage services.
Clicking the link sends the victim through a series of redirects that collect data along the way and serve the malware only to validated victims. As a result, Socket was unable to download the final payload and does not know what it is. It is, however, safe to assume that it is an information stealer, as software developers are often targeted for their access to valuable projects or for the cryptocurrency wallets installed in their browsers.
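A simple triage heuristic a maintainer or mail filter could apply to incoming Discussions posts, built from the indicators the article describes (urgent title, a cited CVE identifier, a cloud-storage download link, a newly created account). This is an added example, not Socket's or GitHub's code; the sample posts, the host list and the 30-day account-age threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample Discussions posts (not taken from the article). Each has
# a title, a body and the posting account's age in days.
SAMPLE_POSTS = [
    {"title": "Serious Vulnerability - Immediate Update Required",
     "body": "CVE-2024-99999 affects this extension. Download the patched "
             "build here: https://drive.google.com/file/d/PLACEHOLDER/view",
     "account_age_days": 2},
    {"title": "Question about configuring the linter",
     "body": "Is there a way to disable rule X in .eslintrc? See the docs at "
             "https://github.com/example/project/blob/main/README.md",
     "account_age_days": 900},
]

# Assumed indicator lists; tune them for your own projects.
URGENCY_WORDS = ("immediate", "urgent", "critical", "update required", "action required")
CLOUD_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com", "mega.nz", "1drv.ms")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s)>\"']+")


def score_post(post):
    """Return (score, reasons) for one post; a higher score is more suspicious."""
    text = f"{post['title']} {post['body']}".lower()
    reasons = []
    if any(word in text for word in URGENCY_WORDS):
        reasons.append("urgency language")
    # A CVE alone is not malicious (real advisories cite them too), so it only
    # adds to the score rather than deciding on its own.
    if CVE_RE.search(post["body"]):
        reasons.append("CVE identifier cited")
    for url in URL_RE.findall(post["body"]):
        host = urlparse(url).hostname or ""
        if any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS):
            reasons.append(f"cloud-storage link ({host})")
            break
    if post.get("account_age_days", 10**6) < 30:
        reasons.append("account younger than 30 days")
    return len(reasons), reasons


def flag_posts(posts, threshold=3):
    """Titles of posts whose score meets the threshold, for manual review."""
    return [p["title"] for p in posts if score_post(p)[0] >= threshold]
```

The score is a review queue, not a verdict: a legitimate security notice from a long-standing contributor scores low, while a post combining all four indicators is worth checking before anyone follows its link.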
The campaign appears well organized and quite large, Socket said. It casts its net wide, trying to infect as many GitHub users as possible.
“Initial research shows thousands of nearly identical messages across the repositories, indicating that this is not an isolated incident but a coordinated spam campaign,” Socket said.
“Since GitHub discussions trigger email notifications for participants and observers, these posts are also delivered directly to developer inboxes.”
Via BleepingComputer