A large-scale phishing campaign is targeting developers on GitHub by posting fake Visual Studio Code security alerts in Discussions. Thousands of nearly identical posts, created by new or low-activity accounts, claim fabricated CVEs and urge developers to download a malicious 'patched' VS Code from external file-sharing links. Because GitHub Discussions trigger email notifications, the campaign reaches developers' inboxes too.

Analysis of one payload reveals a multi-step redirection chain: GitHub Discussion → Google share endpoint → attacker-controlled C2 domain (drnatashachinn[.]com). The Google endpoint uses cookie detection to route real users to the C2 while serving a fingerprinting page to bots. The JavaScript payload silently collects browser fingerprint data (timezone, platform, user agent, automation signals) and POSTs it back to the C2, acting as a traffic distribution system to profile victims before delivering a follow-on payload.

Developers are advised to treat unsolicited GitHub Discussion security alerts with extreme caution and always verify through official vendor channels.
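The indicators described above (a claimed CVE, a push to download a 'patched' build, a link to an external host, and a new or low-activity author) can be turned into a simple triage heuristic for Discussion posts or the notification emails they generate. The following is an added example, not code from the article; the post fields, the list of official download hosts, the threshold and the sample posts are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for a GitHub Discussion post; field names are assumptions
# for this example, not the GitHub API schema.
@dataclass
class DiscussionPost:
    author: str
    author_created: date       # account creation date
    author_contributions: int  # lifetime contributions (proxy for "low activity")
    title: str
    body: str
    posted: date

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
DOWNLOAD_WORDS = ("download", "patched", "hotfix", "fixed build")
# Hosts a genuine VS Code release comes from (assumption); anything else is "external".
OFFICIAL_HOSTS = ("code.visualstudio.com", "github.com", "microsoft.com")

def is_official(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def score_post(post: DiscussionPost) -> tuple[int, list[str]]:
    """Return (score, reasons); each campaign indicator that matches adds one point."""
    text = f"{post.title}\n{post.body}"
    reasons = []
    if CVE_RE.search(text):
        reasons.append("claims a CVE identifier")
    if any(w in text.lower() for w in DOWNLOAD_WORDS):
        reasons.append("urges downloading a 'patched' build")
    external = sorted({h.lower() for h in HOST_RE.findall(text) if not is_official(h.lower())})
    if external:
        reasons.append(f"links to external host(s): {external}")
    if (post.posted - post.author_created).days < 30 or post.author_contributions < 5:
        reasons.append("new or low-activity author")
    return len(reasons), reasons

def flag_suspicious(posts, threshold=3):
    # Authors whose post hits at least `threshold` indicators; tune per your noise level.
    return [p.author for p in posts if score_post(p)[0] >= threshold]

# Constructed samples (placeholder CVE number and host; not real campaign data).
SAMPLES = [
    DiscussionPost("new-user-9182", date(2025, 1, 2), 0, "URGENT: CVE-0000-00000 in VS Code",
                   "Download the patched VS Code: https://files.example-share.invalid/vscode.zip",
                   date(2025, 1, 5)),
    DiscussionPost("longtime-dev", date(2018, 6, 1), 1200, "Extension host crash on startup",
                   "Crashes after updating from https://code.visualstudio.com/", date(2025, 1, 5)),
]
```

Run over a feed of new posts, a score of 3 or more on the constructed samples separates the fake alert from an ordinary bug report; the host allow-list and threshold are the knobs to adjust for a real deployment.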