A targeted phishing campaign has set its sights on developers within the open-source community by exploiting trust and existing collaboration channels. Attackers posed as a well-known Linux Foundation representative and approached victims via Slack with a request to join a seemingly legitimate platform.
The attack targeted, among others, participants in the TODO (Talk Openly, Develop Openly) and CNCF (Cloud Native Computing Foundation) projects. These are initiatives under the Linux Foundation umbrella that focus on open-source management and cloud-native technologies, respectively. By posing as trusted figures within these communities, the attackers built credibility and lured developers into clicking a link.
That link led to a page hosted on Google Sites that closely resembled a standard Google Workspace login interface. There, users were asked to enter their login credentials and then to install a so-called security certificate. That certificate proved malicious: once trusted by the system, it allowed the attacker to intercept encrypted traffic and gain access to sensitive information.
On macOS systems, an external file was downloaded and executed after installation, while Windows users were tricked into adding an untrusted certificate via a browser prompt. In both cases, this could lead to complete control over the victim’s system.
Social engineering is gaining ground in open source
According to Christopher Robinson of the Open Source Security Foundation, this approach is part of a broader trend in which the focus is not so much on exploiting software flaws as on human interactions and trust. He emphasized to The Register that installing such certificates opens the door to intercepting secure communications and that executing unknown files carries significant risks.
Google has since taken action and removed the relevant pages from the index. A company spokesperson stated that there is no vulnerability in Google Workspace itself, but that the platform was exploited to host phishing content. At the same time, Google emphasizes that users will never be asked to manually install certificates or download software as part of a normal verification procedure.
This campaign is not an isolated incident. In recent months, multiple attacks have targeted open-source projects and their developers. These attacks increasingly rely on social engineering to gain access to accounts or to distribute malicious code through trusted software chains.
Robinson advises organizations and individual developers to remain vigilant and always verify suspicious requests before taking any action. In cases where damage may already have been done, he recommends immediately disconnecting systems from the network, removing recently installed certificates, and renewing all access credentials.
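The "remove recently installed certificates" step above is only reliable if you can tell which certificates in the trust store are new, and a rogue root can carry any friendly name it likes. The script below is an added example, not code from the article or from any organisation it mentions: it diffs the SHA-256 fingerprints of an exported trust store against a baseline captured from a known-clean machine, so additions are found by hash rather than by display name. It assumes both stores have been exported as PEM bundles (on macOS, `security find-certificate -a -p /Library/Keychains/System.keychain` produces one); the certificate bytes embedded here are constructed stand-ins, since the script only fingerprints each block and never parses X.509 structure.

```python
"""Trust-store drift check: report certificates added to or removed from a
PEM bundle relative to a known-good baseline (added example, not from the
article). Fingerprints are SHA-256 over the DER bytes, the same value
OpenSSL and macOS `security` print, so results can be cross-checked by hand.
"""
import base64
import hashlib
import re
from typing import Dict, List

# Matches every CERTIFICATE block in a PEM bundle, capturing the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of each CERTIFICATE block in a PEM bundle."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())          # drop the 64-column line breaks
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def trust_store_drift(baseline_pem: str, current_pem: str) -> Dict[str, List[str]]:
    """Compare two PEM bundles by fingerprint; names and subjects are ignored
    on purpose, because a phishing root can impersonate any issuer name."""
    base = {sha256_fingerprint(d) for d in parse_pem_bundle(baseline_pem)}
    cur = {sha256_fingerprint(d) for d in parse_pem_bundle(current_pem)}
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def wrap_pem(der: bytes) -> str:
    """Wrap raw bytes as a PEM CERTIFICATE block (used to build sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: opaque byte strings standing in for DER certificates.
# A real export works identically because only the hash of each block is used.
BASELINE_CERTS = [b"constructed-os-root-A", b"constructed-os-root-B"]
ROGUE_CERT = b"constructed-phishing-root"
BASELINE_PEM = "".join(wrap_pem(d) for d in BASELINE_CERTS)
CURRENT_PEM = BASELINE_PEM + wrap_pem(ROGUE_CERT)   # store after the incident


if __name__ == "__main__":
    report = trust_store_drift(BASELINE_PEM, CURRENT_PEM)
    for fp in report["added"]:
        print("ADDED   (review and remove if unexpected):", fp)
    for fp in report["removed"]:
        print("REMOVED (compare against baseline):", fp)
    if not report["added"] and not report["removed"]:
        print("no drift from baseline")
```

Run it against exports of every store a browser prompt can write to, not just the system one: on macOS that includes the user's login keychain, and on Windows both the machine and the current-user Root stores. Capture the baseline bundle before an incident, from a machine you trust, and keep it outside the host being checked.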