Attackers Are Impersonating Linux Foundation Leaders in Slac...
An active social engineering campaign is targeting open source developers via Slack, with attackers impersonating Linux Foundation community leaders. The attack follows a four-stage chain: impersonation, phishing via a Google Sites URL, credential harvesting, and malware delivery. On macOS, a malicious binary called 'gapi' is executed; on Windows, a fake root certificate is installed. The TODO Group Slack workspace was specifically targeted. OpenSSF has issued a high-severity advisory with indicators of compromise and recommends out-of-band identity verification, avoiding certificate installs from links, not executing downloaded binaries, and rotating all credentials if compromised. This campaign appears to be part of a broader trend of attacks targeting open source maintainers through trusted community platforms.