Fake VS Code alerts on GitHub spread malware to developers

A large-scale campaign is targeting developers on GitHub by posting fake Visual Studio Code security alerts in repository Discussions to trick users into downloading malware. The posts impersonate maintainers, include fake CVE IDs and external Google Drive links that redirect to drnatashachinn[.]com, which runs a JavaScript reconnaissance script to profile victims before delivering a second-stage payload. #VisualStudioCode #GitHub

Keypoints

  • Attackers post fraudulent "Severe Vulnerability" advisories in GitHub Discussions to trigger email notifications.
  • Posts impersonate maintainers, include fake CVE IDs, and mass-tag users to create urgency and legitimacy.
  • Links point to external hosting like Google Drive and redirect to drnatashachinn[.]com, which runs a JavaScript reconnaissance payload.
  • The JavaScript collects timezone, locale, user agent, OS details, and automation indicators, then sends the data to a command-and-control server, which acts as a traffic distribution system (TDS) filter deciding whether a victim receives the second-stage payload.
  • Users should verify CVEs via NVD, CISA, or MITRE and watch for external download links, unverifiable IDs, and mass tagging before acting.
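
As an added example (not code from the article or from BleepingComputer), the Python helper below triages the text of a Discussion post for the lure indicators listed above: CVE IDs with an implausible year, download links to hosts outside an assumed allowlist of GitHub and vendor domains, mass @-tagging, and urgency wording. The sample post, the allowlist and the threshold are constructed assumptions; the NVD lookup URLs it emits are for the manual verification the last keypoint recommends.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample post in the style described above (not a real Discussion).
SAMPLE_POST = """@alice @bob @carol @dave @erin @frank
Severe Vulnerability in VS Code (CVE-2025-00001) - patch immediately!
Download the fix here: https://drive.google.com/file/d/EXAMPLE_ID/view
"""

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9][A-Za-z0-9-]{0,38})")
URL_RE = re.compile(r"https?://[^\s)>\]]+")
# Assumed allowlist: hosts where a genuine VS Code advisory or patch would be published.
TRUSTED_HOSTS = {"github.com", "code.visualstudio.com", "www.microsoft.com"}
# Real NVD CVE API 2.0 endpoint; the analyst follows these URLs to verify each ID.
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="

def triage_post(text, mass_tag_threshold=5):
    """Score an advisory-style post for the lure indicators described above.
    Returns (flags, details); flags is a sorted list of indicator names."""
    flags, details = set(), {}
    this_year = date.today().year
    matches = CVE_RE.findall(text)
    cves = ["CVE-%s-%s" % m for m in matches]
    details["cves"] = cves
    details["nvd_lookups"] = [NVD_API + c for c in cves]
    for year, _ in matches:
        # CVE IDs began in 1999; a future year cannot be a published advisory.
        if not 1999 <= int(year) <= this_year:
            flags.add("implausible_cve_year")
    external = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_HOSTS:
            external.append(host)
    details["external_hosts"] = external
    if external:
        flags.add("external_download_link")
    mentions = set(MENTION_RE.findall(text))
    details["mention_count"] = len(mentions)
    if len(mentions) >= mass_tag_threshold:
        flags.add("mass_tagging")
    lowered = text.lower()
    if "severe vulnerability" in lowered or "patch immediately" in lowered:
        flags.add("urgency_language")
    if cves and external:  # a CVE paired with an off-site "fix" is the core lure
        flags.add("cve_with_offsite_fix")
    return sorted(flags), details

if __name__ == "__main__":
    print(triage_post(SAMPLE_POST))
```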

Read More: https://www.bleepingcomputer.com/news/security/fake-vs-code-alerts-on-github-spread-malware-to-developers/