Fake VS Code Security Alerts on GitHub Distribute Malware to Developers
What Happened – Threat actors posted thousands of fraudulent Visual Studio Code security alerts in GitHub Discussions, masquerading as vulnerability advisories with fake CVE IDs. The posts contain malicious links (often to Google Drive) that redirect victims to a JavaScript reconnaissance page and potentially a second‑stage payload.
Why It Matters for TPRM –
- A large‑scale social‑engineering campaign abuses a trusted development platform: any organization whose developers read GitHub Discussions or receive GitHub notification emails is exposed, regardless of how carefully its own repositories are managed.
- Malware delivery to developers can lead to credential theft, supply‑chain compromise, or insertion of malicious code into downstream products.
- Hosting the malicious files on a legitimate cloud service (Google Drive) defeats URL‑filtering that relies on domain reputation, because the delivery domain itself is trusted and usually allowlisted; detection has to look at the link in context or at what happens after the download.
Who Is Affected – Technology SaaS providers, cloud‑hosted development platforms, software vendors, and any enterprise whose developers use GitHub (particularly Discussions and its email notifications) together with VS Code and its extensions.
Recommended Actions –
- Instruct developers to treat unsolicited VS Code security alerts, especially ones that cite a CVE ID and offer a download, as suspect: confirm the CVE exists at cve.org or NVD, look for a matching advisory from the Microsoft Security Response Center (MSRC) or the microsoft/vscode repository's security advisories, and obtain VS Code updates only through the editor's built‑in updater or the official download site, never from a file‑sharing link.
- GitHub Discussions activity reaches most developers as email notifications, so tune mail filtering to flag or quarantine notifications that pair a CVE‑style identifier with a link to a file‑sharing host such as Google Drive; report the spam posts to GitHub, and where your organization owns the repository, moderate or disable Discussions that are not needed.
- Monitor browser egress rather than relying on URL reputation alone: a visit to a Google Drive link followed by a redirect to an unfamiliar domain and an HTTP POST of browser fingerprint data (time zone, locale, user agent, OS) to that domain is the pattern described in the technical notes below, and web‑proxy or EDR telemetry can alert on it.
- Review third‑party risk assessments for GitHub and any integrated extension marketplaces.
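The verification and notification‑filtering actions above amount to one triage check on each Discussion post or notification body: extract any CVE identifiers, check whether they exist, and see whether the post links to an official advisory source or to a consumer file‑sharing host. The script below is an added example written for this summary, not code from BleepingComputer or from the campaign; the sample posts and the set of "known" CVE IDs are constructed, and the known‑CVE set stands in for a live lookup against the CVE Program or NVD.

```python
import re
from urllib.parse import urlparse

# Syntactically valid CVE identifier: CVE-YYYY-NNNN with four or more sequence digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
URL_RE = re.compile(r"https?://[^\s)>\]\"']+")

# Hosts where a genuine VS Code advisory or CVE record would be published.
OFFICIAL_HOSTS = {"msrc.microsoft.com", "cve.org", "www.cve.org", "nvd.nist.gov"}
# Consumer file-sharing hosts used by the campaign; no vendor ships fixes from here.
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com"}


def is_official_source(url: str) -> bool:
    """True if the URL points at MSRC, the CVE/NVD databases or GitHub's advisory pages."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in OFFICIAL_HOSTS:
        return True
    if host == "github.com":
        # Repository-level advisories (microsoft/vscode) or the global advisory database.
        return parsed.path.startswith(("/microsoft/vscode/security/advisories", "/advisories/"))
    return False


def triage_post(text: str, known_cves: set[str]) -> dict:
    """Score a Discussion post or notification body for fake-advisory indicators.

    known_cves is a stand-in for a real existence check; in production query
    https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=<ID> for each identifier.
    """
    cve_ids = {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}
    unknown_cves = {c for c in cve_ids if c not in known_cves}

    urls = URL_RE.findall(text)
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    file_sharing = sorted({h for h in hosts if h in FILE_SHARING_HOSTS})
    official = [u for u in urls if is_official_source(u)]

    reasons = []
    if unknown_cves:
        reasons.append("cve_not_in_database:" + ",".join(sorted(unknown_cves)))
    if cve_ids and file_sharing:
        # A "security alert" whose fix or PoC lives on Google Drive is the campaign's signature.
        reasons.append("cve_with_file_sharing_link")
    if cve_ids and urls and not official:
        reasons.append("no_official_source_linked")

    return {
        "cve_ids": sorted(cve_ids),
        "unknown_cves": sorted(unknown_cves),
        "file_sharing_hosts": file_sharing,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples (not real posts). The known-CVE set is likewise illustrative.
KNOWN_CVES = {"CVE-2024-12345"}

SAMPLE_FAKE = (
    "[SECURITY ALERT] VS Code RCE CVE-2025-99999 - patch now!\n"
    "Download the emergency fix: https://drive.google.com/file/d/1AbCdEf/view"
)
SAMPLE_GENUINE = (
    "Heads-up: CVE-2024-12345 is fixed in the latest release, details at\n"
    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-12345"
)

if __name__ == "__main__":
    for label, text in (("fake", SAMPLE_FAKE), ("genuine", SAMPLE_GENUINE)):
        print(label, triage_post(text, KNOWN_CVES))
```

Run against the mail stream that carries GitHub notifications, the `reasons` list gives the analyst a one‑line explanation for each quarantined message; a post that cites a CVE and links only to a file‑sharing host trips two indicators at once, which is the combination worth alerting on.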
Technical Notes – Attack vector: phishing via fake GitHub Discussions; delivery through malicious Google Drive links; initial payload is a JavaScript reconnaissance script collecting timezone, locale, user‑agent, OS details, then POSTing to a C2 server. No credential capture observed in the first stage. Source: BleepingComputer
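The first‑stage behaviour in the technical notes (a browser script collecting time zone, locale, user agent and OS details and POSTing them to a C2 host) is detectable from web‑proxy or EDR HTTP telemetry without knowing the C2 domain in advance: look for a POST to a host outside the expected‑telemetry allowlist whose body carries several browser‑fingerprint fields. The detection below is an added example for this summary, not code from BleepingComputer or a reproduction of the campaign's script; the page names only the data categories, so the concrete JSON key names, the allowlist and the proxy log entries are all assumed or constructed.

```python
import json
from urllib.parse import urlparse

# Key names the recon script is likely to use for each data category the page lists.
# The categories come from the technical notes; the key names themselves are assumptions.
FINGERPRINT_KEYS = {
    "timezone": {"timezone", "timeZone", "tz"},
    "locale": {"locale", "language", "languages", "lang"},
    "user_agent": {"userAgent", "user_agent", "ua"},
    "os": {"platform", "os", "osName", "oscpu"},
}

# Hosts that legitimately receive browser POSTs in this constructed environment.
ALLOWED_POST_HOSTS = {"api.github.com", "github.com", "drive.google.com", "docs.google.com"}


def fingerprint_categories(body: str) -> set[str]:
    """Return the fingerprint categories present as top-level keys of a JSON body."""
    try:
        data = json.loads(body)
    except ValueError:
        return set()
    if not isinstance(data, dict):
        return set()
    keys = set(data)
    return {cat for cat, names in FINGERPRINT_KEYS.items() if keys & names}


def is_recon_beacon(entry: dict, min_categories: int = 3) -> bool:
    """Flag a POST carrying a browser fingerprint to a host outside the allowlist.

    Requiring several categories at once keeps single-field analytics pings
    (e.g. a page sending only the language) from tripping the rule.
    """
    if entry.get("method") != "POST":
        return False
    host = (urlparse(entry.get("url", "")).hostname or "").lower()
    if host in ALLOWED_POST_HOSTS:
        return False
    return len(fingerprint_categories(entry.get("body", ""))) >= min_categories


def find_beacons(log: list[dict]) -> list[str]:
    """Return the URLs of all log entries that look like first-stage recon beacons."""
    return [entry["url"] for entry in log if is_recon_beacon(entry)]


# Constructed proxy log entries (not real captures): a Drive visit, a normal GitHub
# API call, and a fingerprint POST to a made-up C2 host on the reserved .invalid TLD.
SAMPLE_LOG = [
    {"method": "GET", "url": "https://drive.google.com/file/d/1AbCdEf/view", "body": ""},
    {"method": "POST", "url": "https://api.github.com/graphql",
     "body": '{"query": "{ viewer { login } }"}'},
    {"method": "POST", "url": "https://example-c2.invalid/collect",
     "body": '{"timezone": "Europe/Berlin", "language": "de-DE", '
             '"userAgent": "Mozilla/5.0", "platform": "Win32"}'},
]

if __name__ == "__main__":
    for url in find_beacons(SAMPLE_LOG):
        print("possible recon beacon:", url)
```

The allowlist is deliberately short; the point of the rule is that a fingerprint POST to any host the organization has not explicitly vetted is worth an alert, and in the campaign's chain the beacon follows a Google Drive visit, so correlating the flagged POST with a preceding `drive.google.com` request from the same client raises confidence further.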