
Fake VS Code alerts on GitHub spread malware to developers

Why This Matters

This campaign highlights the ongoing threat of sophisticated social engineering attacks targeting developers through fake security alerts on GitHub, emphasizing the importance of vigilance in digital security. As attackers leverage trusted platforms and impersonate legitimate sources, both developers and organizations must enhance their awareness and security practices to prevent malware infections and data breaches.

Key Takeaways

A large-scale campaign is targeting developers on GitHub with fake Visual Studio Code (VS Code) security alerts posted in the Discussions section of various projects, to trick users into downloading malware.

The spammy posts are crafted as vulnerability advisories and use realistic titles like “Severe Vulnerability - Immediate Update Required,” often including fake CVE IDs and urgent language.

In many cases, the threat actor impersonates real code maintainers or researchers for a false sense of legitimacy.

Application security company Socket says that the activity appears to be part of a well-organized, large-scale operation rather than a narrowly targeted, opportunistic attack.

The discussions are posted in an automated way from newly created or low-activity accounts across thousands of repositories within a few minutes, and trigger email notifications to a large number of tagged users and followers.

Fake security alerts on GitHub Discussions

Source: Socket

“Early searches show thousands of nearly identical posts across repositories, indicating this is not an isolated incident but a coordinated spam campaign,” Socket researchers say in a report this week.

“Because GitHub Discussions trigger email notifications for participants and watchers, these posts are also delivered directly to developers’ inboxes.”

The posts include links to supposedly patched versions of the impacted VS Code extensions, hosted on external services such as Google Drive.
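As an added example (not from Socket's report or from GitHub), the traits described above can be combined into a triage heuristic for maintainers reviewing Discussions posts: an urgent advisory-style title, a CVE ID, a "fix" hosted on a file-sharing service, and a new or low-activity author. The record fields (`author_created`, `author_posts`), the 30-day cut-off, the threshold of three traits and the sample posts are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(severe|critical|urgent|immediate)\b", re.I)
ADVISORY = re.compile(r"\b(vulnerability|security alert|update required)\b", re.I)
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)
URL = re.compile(r"https?://[^\s)>\]]+", re.I)
FILE_HOSTS = {"drive.google.com"}   # the article names Google Drive; extend locally
NEW_ACCOUNT_DAYS = 30               # assumed cut-off for "newly created"

def file_share_links(body):
    """Return links in the post body whose host is a file-sharing service."""
    return [u for u in URL.findall(body)
            if (urlparse(u).hostname or "").lower() in FILE_HOSTS]

def indicators(post, now):
    """List which of the campaign's reported traits a discussion post shows."""
    found = []
    if URGENCY.search(post["title"]) and ADVISORY.search(post["title"]):
        found.append("urgent-advisory-title")
    if CVE_ID.search(post["title"] + "\n" + post["body"]):
        found.append("cites-cve-id")
    if file_share_links(post["body"]):
        found.append("fix-on-file-share")
    if (now - post["author_created"]).days < NEW_ACCOUNT_DAYS or post["author_posts"] <= 1:
        found.append("new-or-low-activity-author")
    return found

def triage(posts, now, threshold=3):
    """Flag posts showing at least `threshold` traits; one trait alone is normal."""
    flagged = {}
    for post in posts:
        found = indicators(post, now)
        if len(found) >= threshold:
            flagged[post["id"]] = found
    return flagged

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)   # fixed so the sample is repeatable
SAMPLE_POSTS = [  # constructed records; CVE IDs and URLs are placeholders
    {"id": 1, "title": "Severe Vulnerability - Immediate Update Required",
     "body": "CVE-2099-00000 affects this extension. Patched build: "
             "https://drive.google.com/file/d/EXAMPLE/view",
     "author_created": NOW - timedelta(days=2), "author_posts": 1},
    {"id": 2, "title": "Critical vulnerability fixed in 2.1.0",
     "body": "CVE-2099-00001 is fixed, see https://example.org/releases",
     "author_created": NOW - timedelta(days=900), "author_posts": 240},
]
```

Calling `triage(SAMPLE_POSTS, NOW)` flags only post 1; post 2 has an alarming title and a CVE ID but comes from an established account and links to no file-sharing host, so it stays below the threshold.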
