LmCast :: Stay tuned in

Fake VS Code alerts on GitHub spread malware to developers

Recorded: March 27, 2026, 5 p.m.

By Bill Toulas

March 27, 2026
12:51 PM

A large-scale campaign is targeting developers on GitHub with fake Visual Studio Code (VS Code) security alerts posted in the Discussions section of various projects, to trick users into downloading malware.
The spammy posts are crafted as vulnerability advisories and use realistic titles like “Severe Vulnerability - Immediate Update Required,” often including fake CVE IDs and urgent language.
In many cases, the threat actor impersonates real code maintainers or researchers for a false sense of legitimacy.
Application security company Socket says that the activity appears to be part of a well-organized, large-scale operation rather than a narrow-targeted, opportunistic attack.
The discussions are posted in an automated way from newly created or low-activity accounts across thousands of repositories within a few minutes, and trigger email notifications to a large number of tagged users and followers.

Fake security alerts on GitHub Discussions (Source: Socket)
“Early searches show thousands of nearly identical posts across repositories, indicating this is not an isolated incident but a coordinated spam campaign,” Socket researchers say in a report this week.
“Because GitHub Discussions trigger email notifications for participants and watchers, these posts are also delivered directly to developers’ inboxes.”
The posts include links to supposedly patched versions of the impacted VS Code extensions, hosted on external services such as Google Drive.

Example of the fake security alert (Source: Socket)
Although Google Drive is obviously not the official software distribution channel for a VS Code extension, it’s a trusted service, and users acting in haste may miss the red flag.
Clicking the Google link triggers a cookie-driven redirection chain that leads victims to drnatashachinn[.]com, which runs a JavaScript reconnaissance script.
This payload collects the victim's timezone, locale, user agent, OS details, and indicators of browser automation. The data is packaged and sent to the command-and-control server in a POST request.

Deobfuscated JS payload (Source: Socket)
This step serves as a traffic distribution system (TDS) filtering layer: it profiles each visitor to screen out bots, sandboxes, and researchers, and delivers the second stage only to validated victims.
Socket did not capture the second-stage payload, but noted that the JS script does not deliver it directly, nor does it attempt to capture credentials.
This is not the first time threat actors have abused legitimate GitHub notification systems to distribute phishing and malware.
In March 2025, a widespread phishing campaign targeted 12,000 GitHub repositories with fake security alerts designed to trick developers into authorizing a malicious OAuth app that gave attackers access to their accounts.
In June 2024, threat actors triggered GitHub’s email system via spam comments and pull requests submitted on repositories, to direct targets to phishing pages.
When faced with such security alerts, users are advised to verify the vulnerability identifiers in authoritative sources, such as the National Vulnerability Database (NVD), CISA's Known Exploited Vulnerabilities (KEV) catalog, or MITRE's website for the Common Vulnerabilities and Exposures (CVE) program, to take a moment to consider the post's legitimacy before acting on it, and to look for signs of fraud such as external download links, CVE IDs that cannot be verified, and mass tagging of unrelated users.
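As an added example (not code from Socket or from this article), the following Python script applies the checks above to the text of a single Discussions post: it extracts CVE IDs and rejects implausible years, optionally confirms each ID against the public NVD CVE API 2.0 endpoint, flags download links that point at file-sharing services or anywhere outside an assumed allow-list of official extension channels, counts distinct @-mentions, and looks for pressure language. The sample post, its CVE number, file ID and handles are constructed placeholders; the allow-list and the mention threshold are assumptions to tune for your own projects.

```python
"""Triage a GitHub Discussions post that claims to be a security advisory.

Added example, not part of the original report. Sample posts below are
constructed; the CVE ID, Drive file ID and handles are placeholders.
"""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse
from urllib.request import urlopen

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# GitHub handle: alphanumerics and hyphens, up to 39 chars; the lookbehind
# keeps e-mail addresses and path segments from counting as mentions.
MENTION_RE = re.compile(r"(?<![\w/])@([A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?)")
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")

# Assumed allow-list: where a VS Code extension update legitimately ships from.
OFFICIAL_HOSTS = {"marketplace.visualstudio.com", "open-vsx.org",
                  "github.com", "code.visualstudio.com"}
# Generic file-sharing hosts; the campaign described above used Google Drive.
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com",
                      "mega.nz", "mediafire.com"}
# Substrings typical of the "act now" framing in the fake advisories.
PRESSURE_WORDS = ("immediate", "urgent", "act now", "update now")

# Real NVD CVE API 2.0 endpoint; a record exists when totalResults > 0.
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={cve}"


@dataclass
class Triage:
    cves: list
    mentions: list
    urls: list
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def nvd_url(cve_id: str) -> str:
    return NVD_API.format(cve=cve_id.upper())


def nvd_fetch(url: str) -> bytes:
    """Network fetcher for the NVD API; not called in the offline run."""
    with urlopen(url, timeout=15) as resp:
        return resp.read()


def cve_known(cve_id: str, fetch) -> bool:
    """True if NVD returns at least one record. fetch(url) -> JSON bytes."""
    data = json.loads(fetch(nvd_url(cve_id)))
    return int(data.get("totalResults", 0)) > 0


def _host_matches(host: str, hosts: set) -> bool:
    return host in hosts or any(host.endswith("." + h) for h in hosts)


def triage_post(body: str, current_year: int, mention_threshold: int = 5,
                fetch=None) -> Triage:
    """Apply the red-flag checks to one post body.

    fetch: optional callable(url) -> bytes used to verify CVE IDs against NVD
    (pass nvd_fetch for a live lookup); None runs offline with syntactic and
    year checks only.
    """
    cves = sorted({m.group(0).upper() for m in CVE_RE.finditer(body)})
    mentions = sorted(set(MENTION_RE.findall(body)))
    urls = URL_RE.findall(body)
    flags = []

    for cve in cves:
        year = int(cve.split("-")[1])
        if year < 1999 or year > current_year:
            flags.append(f"implausible CVE year: {cve}")
        elif fetch is not None and not cve_known(cve, fetch):
            flags.append(f"CVE not found in NVD: {cve}")

    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if _host_matches(host, FILE_SHARING_HOSTS):
            flags.append(f"download hosted on file-sharing service: {host}")
        elif not _host_matches(host, OFFICIAL_HOSTS):
            flags.append(f"link outside official distribution channels: {host}")

    if len(mentions) >= mention_threshold:
        flags.append(f"mass tagging: {len(mentions)} accounts mentioned")

    lowered = body.lower()
    hits = [w for w in PRESSURE_WORDS if w in lowered]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))

    return Triage(cves, mentions, urls, flags)


# Constructed lure modelled on the posts described above (placeholder values).
SAMPLE_POST = """\
Severe Vulnerability - Immediate Update Required

A critical flaw (CVE-2026-99999) affects this extension. All users must update now.
Patched build: https://drive.google.com/file/d/EXAMPLE-FILE-ID/view
cc @alice @bob @carol @dave @erin @frank
"""

# Constructed benign post: update points at the Marketplace, one person tagged.
BENIGN_POST = """\
Release notes for 1.4.2 are up: https://marketplace.visualstudio.com/
Thanks @alice for the review.
"""

if __name__ == "__main__":
    for label, post in (("sample", SAMPLE_POST), ("benign", BENIGN_POST)):
        result = triage_post(post, current_year=2026)
        print(label, "suspicious" if result.suspicious else "clean")
        for flag in result.flags:
            print("  -", flag)
```

The host allow-list only checks where a link points, not what it serves: a github.com link can still lead to a lookalike repository, so a clean triage result is a reason to read the post carefully, not to install anything. Run it with `fetch=nvd_fetch` to confirm each CVE ID actually exists before escalating a post that passes the offline checks.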

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Summarized

Fake Visual Studio Code (VS Code) security alerts were posted in an automated fashion to the Discussions sections of thousands of GitHub repositories in a coordinated malware campaign aimed at developers. Socket, an application security company, found that the posts mimic genuine vulnerability advisories, often with fabricated CVE IDs and urgent titles, and that they trigger email notifications to large numbers of tagged users and watchers. The goal was to get developers to download supposed patched extension builds from external services such as Google Drive. Clicking those links started a cookie-driven redirection chain ending at drnatashachinn[.]com, which ran a JavaScript reconnaissance script that collected the visitor's timezone, locale, user agent, operating system details and automation indicators and sent them to a command-and-control server in a POST request.

That script acts as a traffic distribution system (TDS) filtering layer: it profiles visitors to screen out bots and researchers and serves the second stage only to validated victims. Socket did not capture the second-stage payload and noted that the reconnaissance script neither delivers it directly nor attempts to capture credentials. The tactic echoes earlier abuse of GitHub's notification system, including a March 2025 phishing campaign against 12,000 repositories that pushed a malicious OAuth app and a June 2024 campaign that used spam comments and pull requests to send targets to phishing pages. None of these relied on a flaw in GitHub itself; they exploit the fact that Discussions, comments and pull requests generate email to participants and watchers, so the lure lands directly in developers' inboxes.

Developers who receive such an alert should verify the vulnerability identifier against authoritative sources (the National Vulnerability Database, CISA's Known Exploited Vulnerabilities catalog, or MITRE's CVE program) before acting. External download links, CVE IDs that cannot be verified, and mass tagging of unrelated users are the red flags to look for. Given the scale of this operation and the earlier campaigns using the same notification mechanisms, unsolicited security advisories arriving through GitHub notifications deserve the same suspicion as any other phishing lure.