A large-scale phishing campaign is currently targeting developers via GitHub. Attackers are exploiting the Discussions feature to spread fake security alerts about Visual Studio Code. The goal is to trick users into downloading malware.
The campaign is characterized by its large scale. Researchers at Socket report that thousands of nearly identical messages appear in various repositories within a short period of time, often within minutes. The messages originate from newly created or barely active accounts, indicating a highly automated attack. Because Discussions sends notifications via email to participants and followers, the messages also reach developers outside the platform. This increases the attack’s credibility and reach.
The fake posts masquerade as security advisories. They use alarming titles that mention vulnerabilities requiring immediate action. Fictitious CVE identifiers are often cited, along with specific versions of VS Code. In many cases, the attackers impersonate well-known maintainers or security researchers to instill additional trust. Users are urged to install a so-called updated version via an external download link.
Attackers post these messages on a large scale by opening discussions in various repositories. They use virtually the same text, sometimes with minor variations. In many cases, large numbers of developers are tagged simultaneously. This approach increases visibility and creates pressure to act quickly.
The malicious payload is not distributed directly via GitHub, but via external links, often to file-sharing services such as Google Drive. This deviates from the normal distribution of VS Code extensions, but because the services used are trusted, this is not always immediately noticeable. The links ultimately lead, via a chain of redirects, to an external infrastructure controlled by the attackers.
Attackers use profiling to select victims
Analysis shows that this infrastructure uses a JavaScript page that first profiles visitors. It collects data such as time zone, browser information, operating system, and indicators that may point to automated analysis. This information is automatically forwarded to a command-and-control server. The researchers conclude that this mechanism serves as a filtering layer to distinguish real victims from bots and security researchers.
It is notable that at this stage, no direct malware or phishing page is presented, nor are any login credentials collected. Instead, the attack appears to use a so-called traffic distribution system, in which victims are first analyzed before being directed to the next step. That next step may consist of a phishing page or exploit, but has not yet been observed.
The success of this campaign can be attributed to a combination of factors. GitHub is viewed by developers as a trustworthy environment, while security alerts evoke a sense of urgency. Additionally, Discussions are subject to less stringent moderation than advisories. Furthermore, by repeating messages on a large scale, a semblance of legitimacy is created.
Researchers warn developers to be vigilant about these types of messages. In particular, notifications that contain external download links, refer to unknown vulnerabilities, or originate from new accounts deserve extra scrutiny. The advice is to always verify security claims through official channels.
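An added example, not code from the Socket researchers or from any project on this page: a small Python triage script that scores a Discussion post against the red flags listed above (external or file-sharing download links, CVE references that still need verification, new accounts, mass tagging, urgency language). The post fields, thresholds, host lists and both sample posts are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed lists: file-sharing hosts named in the article, and the urgency
# phrasing typical of the fake advisories. Extend them for your own environment.
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com"}
URGENCY_WORDS = ("immediate", "urgent", "critical", "update now", "install now")
URL_RE = re.compile(r"https?://[^\s)>\]]+")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
MENTION_RE = re.compile(r"(?<![\w/])@[A-Za-z0-9-]+")

@dataclass
class DiscussionPost:
    author: str
    author_created: date  # account creation date from the user's profile
    posted: date
    body: str

def is_github(host: str) -> bool:
    # Exact match or real subdomain only, so "evilgithub.com" is not trusted.
    return host == "github.com" or host.endswith(".github.com")

def triage(post: DiscussionPost, new_account_days: int = 30,
           mention_threshold: int = 5) -> dict:
    flags = []
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(post.body)]
    if any(h in FILE_SHARING_HOSTS for h in hosts):
        flags.append("file_sharing_download_link")
    if any(h and not is_github(h) for h in hosts):
        flags.append("external_link")
    # CVE IDs cannot be validated offline: flag them for a check of official channels.
    if CVE_RE.search(post.body):
        flags.append("unverified_cve_reference")
    if (post.posted - post.author_created).days < new_account_days:
        flags.append("new_account")
    if len(MENTION_RE.findall(post.body)) >= mention_threshold:
        flags.append("mass_tagging")
    if any(w in post.body.lower() for w in URGENCY_WORDS):
        flags.append("urgency_language")
    return {"author": post.author, "flags": flags, "score": len(flags)}

# Constructed samples: one post shaped like the fake advisories, one benign.
SUSPICIOUS = DiscussionPost(
    "sec-alerts-0042", date(2025, 11, 1), date(2025, 11, 3),
    "URGENT: CVE-2025-99999 affects VS Code 1.95. @alice @bob @carol @dave @erin "
    "install the patched build now: https://drive.google.com/file/d/EXAMPLE/view")
BENIGN = DiscussionPost(
    "long-time-maintainer", date(2019, 4, 2), date(2025, 11, 3),
    "Release notes are at https://github.com/example/repo/releases/tag/v1.95")
```

Running `triage(SUSPICIOUS)` returns all six flags (score 6) while `triage(BENIGN)` returns none; the score is a triage aid, and a flagged post should still be checked against the project's official advisory channels.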
This campaign is not an isolated incident. Attackers have previously exploited GitHub’s notification system for similar attacks. In March 2025, a large-scale phishing campaign was discovered in which approximately 12,000 repositories were used to trick developers into authorizing a malicious OAuth app. In June 2024, GitHub’s email system was exploited via spam comments and pull requests to direct users to phishing pages.