- Socket Reveals Large-scale GitHub Spam Campaign Abusing “Discussions” Messages
- Fake messages with fake CVEs trick developers into downloading malware via cloud-hosted links
- Thousands of identical posts observed, showing coordinated efforts to target developer credentials and projects
Cybercriminals are tricking GitHub into sending out fraudulent email notifications and luring software developers into downloading malware, experts have warned.
Security researchers at Socket say they observed a large-scale, coordinated spam campaign targeting developers across many projects.
GitHub has a section called “Discussions”, a forum attached to a repository for talking about the project. When a developer joins or moderates a topic, they are notified by email whenever something new is posted in it.
Large-scale campaign
Now Socket says criminals are sending fake messages with titles like “Severe Vulnerability – Immediate Update Required”. These messages, often with fake CVE IDs, are posted by either brand new accounts or old, inactive ones likely stolen elsewhere.
Once the “warning” is posted, GitHub emails it to the thread’s participants. The fake advisories link to supposedly “patched” versions of affected VS Code extensions hosted on Google Drive and other cloud storage services; a developer who takes the bait and fetches the file ends up downloading malware.
Clicking the link sends the victim through a series of redirects that collect data along the way and only serve the payload to visitors who pass those checks. Because of that gating, Socket was unable to retrieve the final payload and does not know what it is. An infostealer is the likely candidate, as software developers are often targeted for their access to valuable projects or for the cryptocurrency wallets installed in their browsers.
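The lure has three recognisable traits: an urgent title, a CVE identifier, and a download link that points at consumer file hosting rather than the project’s own releases. The following triage script, added here as an illustration and not code from Socket, GitHub or the article, scores a Discussion post or notification body on those traits over constructed sample posts. The list of file-hosting domains, the point values, and the sample text are my assumptions; only Google Drive is named in the article.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlparse

# Wording taken from the lure title the article quotes ("Severe Vulnerability -
# Immediate Update Required"), broadened to obvious variants.
URGENCY_RE = re.compile(
    r"(severe|critical)\s+vulnerabilit(y|ies)|immediate\s+update|update\s+required",
    re.IGNORECASE,
)
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# Markdown links are checked first so that anchor text and href can be compared;
# bare URLs are picked up afterwards from the text with markdown links removed.
MD_LINK_RE = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")
BARE_URL_RE = re.compile(r"""https?://[^\s<>()\[\]"']+""")

# Assumption: consumer file-hosting domains that are an unusual place for a
# "patched" extension to live. The article names Google Drive; the rest is my list.
FILE_HOST_SUFFIXES = (
    "drive.google.com", "docs.google.com", "dropbox.com", "mega.nz",
    "1drv.ms", "onedrive.live.com", "mediafire.com", "wetransfer.com",
)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points, why):
        self.score += points
        self.reasons.append(why)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_file_host(url):
    h = host_of(url)
    return any(h == s or h.endswith("." + s) for s in FILE_HOST_SUFFIXES)


def links_in(text):
    """Return (anchor_text, url) pairs; bare URLs use the URL itself as anchor."""
    found = list(MD_LINK_RE.findall(text))
    stripped = MD_LINK_RE.sub(" ", text)  # avoid counting a markdown href twice
    found += [(u, u) for u in BARE_URL_RE.findall(stripped)]
    return found


def triage_post(title, body, today_year=None):
    """Score a Discussion post; higher means more lure-like. Point values are assumptions."""
    today_year = today_year or date.today().year
    v = Verdict()
    text = f"{title}\n{body}"

    if URGENCY_RE.search(title):
        v.hit(2, "urgency wording in title")

    for year, seq in CVE_RE.findall(text):
        y = int(year)
        # CVE numbering starts in 1999 and an ID cannot carry a future year.
        if y < 1999 or y > today_year:
            v.hit(2, f"implausible CVE year in CVE-{year}-{seq}")

    for anchor, url in links_in(text):
        if is_file_host(url):
            v.hit(3, f"'patch' hosted on a file-sharing site: {url}")
        # Anchor text claims github.com but the href resolves elsewhere.
        if anchor != url and "github.com" in anchor.lower() and host_of(url) != "github.com":
            v.hit(3, f"link text mentions github.com but points at {host_of(url)}")
    return v


# Constructed sample posts (not real Discussion content).
LURE_TITLE = "Severe Vulnerability - Immediate Update Required"
LURE_BODY = (
    "A critical issue (CVE-2099-12345) affects this extension. Download the "
    "patched build here: [github.com/releases](https://drive.google.com/file/d/abc123/view)"
)
BENIGN_TITLE = "v2.4.1 released"
BENIGN_BODY = "Bug fixes and a dependency bump: https://github.com/example/ext/releases/tag/v2.4.1"

if __name__ == "__main__":
    for t, b in ((LURE_TITLE, LURE_BODY), (BENIGN_TITLE, BENIGN_BODY)):
        verdict = triage_post(t, b)
        print(f"{t!r}: score={verdict.score} reasons={verdict.reasons}")
```

Feeding real posts in is left to the reader (for example, the bodies returned by GitHub’s Discussions API, or the notification emails themselves); the script deliberately does no network calls, so it cannot tell whether a plausibly formatted CVE ID actually exists, only whether its year is impossible.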
The campaign appears to be well organized and quite large, says Socket. It casts a wide net and tries to infect as many GitHub users as possible.
“Early searches show thousands of nearly identical posts across repositories, indicating that this is not an isolated incident, but a coordinated spam campaign,” Socket said.
“Because GitHub discussions trigger email notifications to participants and viewers, these posts are also delivered directly to developers’ inboxes.”
Via Bleeping Computer