Hackers Spread Malware on GitHub Using Fake VS Code Alerts

A large-scale malware campaign is targeting developers on GitHub, using fake Visual Studio Code security alerts to trick users into downloading malicious payloads and exposing system data.

According to a report from Socket, attackers are abusing GitHub Discussions to post fabricated vulnerability warnings that closely resemble legitimate advisories. These posts use fake CVE identifiers and urgent wording to pressure developers into acting quickly without proper verification.

The campaign is highly automated and coordinated, with thousands of nearly identical posts appearing across repositories within minutes. Attackers often impersonate repository maintainers or trusted security researchers, making the alerts appear credible. Because GitHub Discussions trigger email notifications, these messages reach developers directly in their inboxes, increasing the chances of engagement.

Fake advisories used as entry point

The malicious posts typically claim that a critical vulnerability has been discovered and provide a supposed fix in the form of a patched Visual Studio Code extension. However, these extensions are hosted on external platforms such as Google Drive, which are not official distribution channels.

This detail alone should raise suspicion, but the urgency and formatting of the messages often convince users to proceed anyway.
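One way a maintainer or platform abuse team could triage Discussion posts for the pattern described above (a CVE-style identifier, urgent wording and a "patched extension" hosted on a file-sharing site rather than an official channel). This is an added Python example, not code from Socket's report or the article; the host lists, heuristics and sample posts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s)>\]\"']+")
URGENCY_WORDS = ("urgent", "immediately", "act now", "asap", "right away")
# Consumer file-sharing hosts (assumed list): a "patched extension" served
# from here is the tell the article describes, not an official channel.
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "mega.nz"}


def triage_post(body: str) -> dict:
    """Score one discussion post; each matched heuristic adds a reason."""
    text = body.lower()
    cves = CVE_RE.findall(body)
    hosts = {(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(body)}
    sharing = sorted(hosts & FILE_SHARING_HOSTS)
    reasons = []
    if cves and sharing:
        reasons.append(f"cites {cves[0]} but the 'fix' is hosted on {sharing[0]}")
    if "extension" in text and sharing:
        reasons.append("offers a VS Code extension outside the Marketplace")
    if cves and any(w in text for w in URGENCY_WORDS):
        reasons.append("pressure wording next to a CVE identifier")
    return {"score": len(reasons), "reasons": reasons, "cves": cves, "hosts": sorted(hosts)}


# Constructed sample posts (placeholder CVE ids and URLs, not from the campaign).
SAMPLE_POSTS = [
    {"author": "repo-security-team",
     "body": ("URGENT: CVE-2099-12345 allows remote code execution in this repo. "
              "Install the patched VS Code extension immediately: "
              "https://drive.google.com/file/d/EXAMPLE-ID/view")},
    {"author": "octocat",
     "body": ("Release 1.2.3 addresses CVE-2098-00001; see "
              "https://github.com/example-org/example-repo/releases/tag/v1.2.3")},
    {"author": "newdev",
     "body": "Does the extension build on Windows with the default config?"},
]


def flagged_posts(posts, threshold: int = 2) -> list:
    """Return (author, triage result) for posts scoring at or above threshold."""
    results = [(p["author"], triage_post(p["body"])) for p in posts]
    return [(a, r) for a, r in results if r["score"] >= threshold]


if __name__ == "__main__":
    for author, result in flagged_posts(SAMPLE_POSTS):
        print(author, result["score"], result["reasons"])
```

A legitimate advisory that links to a GitHub release or the Marketplace scores zero here, so the heuristic separates the two cases on host and wording rather than on the presence of a CVE id alone.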

Redirection chain leads to data harvesting

When a user clicks the provided link, they are sent through a series of redirects before landing on a page that executes a JavaScript reconnaissance script. This script collects information such as timezone, locale, user agent, operating system details, and signals that help determine whether the visitor is a real user or an automated system.

The collected data is then transmitted to attacker-controlled infrastructure, where it is likely used to filter targets and to avoid detection by researchers or security tools.

Payload delivery appears selective

Researchers were unable to capture the second-stage malware, suggesting that it is only delivered to carefully selected victims. This selective approach allows attackers to remain under the radar while focusing on high-value targets.

Developers urged to verify before acting

Security experts stress that developers should treat unsolicited security alerts with caution. Any reported vulnerability should be verified through trusted sources such as official CVE databases and government-backed advisories before taking action.

The campaign highlights how attackers are increasingly targeting developers through platforms they trust, using social engineering combined with automation to scale their operations.

This is part of a broader wave of threats affecting the ecosystem. Attackers have recently abused OAuth mechanisms for phishing campaigns, while CISA has warned about actively exploited SharePoint vulnerabilities. At the same time, malware such as VoidStealer is targeting Google Chrome by extracting encrypted data directly from memory.

As these tactics evolve, developers remain a key target, making awareness and verification essential to avoiding compromise.

Via Bleeping Computer