Widespread GitHub phishing campaign uses fake Visual Studio Code security alerts in Discussions to trick developers into visiting malicious website.

Socket

A large-scale phishing campaign is targeting developers on GitHub by posting fake Visual Studio Code security alerts in Discussions. Thousands of nearly identical posts, created by new or low-activity accounts, claim fabricated CVEs and urge developers to download a malicious 'patched' VS Code from external file-sharing links. Because GitHub Discussions trigger email notifications, the campaign reaches developers' inboxes too. Analysis of one payload reveals a multi-step redirection chain: GitHub Discussion → Google share endpoint → attacker-controlled C2 domain (drnatashachinn[.]com). The Google endpoint uses cookie detection to route real users to the C2 while serving a fingerprinting page to bots. The JavaScript payload silently collects browser fingerprint data (timezone, platform, user agent, automation signals) and POSTs it back to the C2, acting as a traffic distribution system to profile victims before delivering a follow-on payload. Developers are advised to treat unsolicited GitHub Discussion security alerts with extreme caution and always verify through official vendor channels.

Widespread GitHub Campaign Uses Fake VS Code Security Alerts...

Fake “Critical Vulnerability” Alerts at Scale #

Mass Targeting Through GitHub Discussions #