phishing campaign

Blogs Security Advisory

Open Source Developers are Targeted in an active Social Engineering Campaign via Slack

Threat Actors impersonating as Linux Foundation leader in an active social engineering campaign targeting open source developers via Slack.

Now, a fresh Open Source Security Foundation (OpenSSF) advisory warns unknown attackers are using a similar approach to target other open source developers.

The human connection has been leveraged to target software.

The attackers interacted via Slack or social media platform LinkedIn, posing as company owners/representatives, job recruiters, or podcast hosts, and tried to lure developers into downloading malware mimicking as a videoconferencing software update, a type of phishing campaign.

Key facts

  • Attackers impersonated a Linux Foundation leader in Slack to target open source developers.
  • Victims were tricked into entering credentials and installing a malicious “Google certificate.”
  • The phishing campaign used AI-themed lures and legitimate services like Google Sites to appear credible.
  • Attack techniques varied by operating system, enabling interception of encrypted traffic on both macOS and Windows.
  • Security experts urge developers to verify identities and avoid installing unsolicited certificates or running unknown scripts.

Crafting of attack via social engineering

First step, attackers began with a scheming social engineering ploy

They joined Slack workspaces linked to the Linux Foundation’s TODO Group and then imitated a trusted community figure and sent direct messages to developers which looked like any legitimate invite – complete with a Google Sites link, fake email address and exclusive “access key” – to test a purported AI tool for predicting open source contribution acceptance.

Second step, once a victim clicked, they landed on a phishing page impersonating a Slack workspace invitation, prompting them to enter their email and a verification code. Instructions came in form to install what was described as a “Google certificate” from attackers side.

This was basically a malicious root certificate that allowed attackers the ability to intercept and read encrypted traffic – a devastating breach of privacy and security.

The attack module is sophisticated did not end there.

Consecutively on macOS, a script silently downloaded and executed a binary called “gapi,” potentially opening the door to full system compromise.

Windows users faced a browser-based certificate installation, equally effective at undermining secure communications. The attackers’ use of trusted infrastructure such as Google Sites allowed them to evade basic security checks and blend in with legitimate traffic.

Changing attack scenario in social engineering

Now open sources developers have become prime targets, with recent campaigns also hitting maintainers of projects like Fastify, Lodash, and Node.js.

Posing as the Linux Foundation leader, the attacker described how an AI tool can analyze open source project dynamics and predict which code contributions .

The attack was first brought to public attention on April 7, 2026, posted to the OpenSSF Siren mailing list by Christopher “CRob” Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation (OpenSSF).

Focus Shift from code repositories to human connections

Attackers now confidently targeting not only code repositories and networks that expanded over trust, but exploiting the personal trust networks that underpin open source collaboration. The expansion of open source ecosystem reminds to be more vigilant as attackers are evolving tactics and developers must now defend code and connections both.

The OpenSSF advisory :

The OpenSSF urges heightened vigilance: always verify identities through separate channels, never install certificates from untrusted sources, and treat unexpected security prompts with skepticism. If compromise is suspected, immediate network isolation and credential rotation are critical.

Sources: Social engineering attacks on open source developers are escalating – Help Net Security

Security Advisory

Phishing Crusade Targeted approx 12,000 GitHub Repositories; Victims directed to “gitsecurityapp”

A large-scale phishing campaign has targeted nearly 12,000 GitHub repositories with phony security alerts, reported BleepingComputers.

The alerts, opened as issues on the repositories, inform users of unauthorized login attempts and provide links to change their passwords, review active sessions, or set up MFA.

If a user clicks any of these links, they’ll be taken to a GitHub authorization page for an OAuth app that will grant the attacker control of the account.

The campaign is ongoing, though GitHub appears to be responding to the attacks.

Users were directed to all links within the message to a GitHub authorization page for a malicious OAuth application called “gitsecurityapp.” If authorized, the app grants attackers full control over the user’s account and repositories, including the ability to delete repositories, modify workflows, and read or write organization data.

This consistent messaging across all affected repositories aims to create a sense of urgency and panic, prompting developers to take immediate action.

The fraudulent alert directs users to update their passwords, review active sessions, and enable two-factor authentication. However, these links lead to a GitHub authorization page for a malicious OAuth app named “gitsecurityapp.”

Upon authorization, an access token is generated and sent to various web pages hosted on onrender.com, granting the attacker full control.

(Image courtesy: Bleeping Computers)

The attack, which was first detected on March 16, remains active, though GitHub appears to be removing affected repositories.

Pointers Developers to take key inputs from this incident.

Last week, a supply chain attack on the tj-actions/changed-files GitHub Action caused malicious code to write CI/CD secrets to the workflow logs for 23,000 repositories.

If those logs had been public, then the attacker would have been able to steal the secrets.

The tj-actions developers cannot pinpoint exactly how the attackers compromised a GitHub personal access token (PAT) used by a bot to perform malicious code changes as per threat researchers.

Key pointers for User saftey:

  • For users who have mistakenly authorized the malicious OAuth app revoking access to suspicious OAuth apps through GitHub’s settings.
  • Affected users should review their repository workflows, check for unauthorized private gists, and rotate their credentials to prevent further damage.
  • This attack highlights the increasing threat of phishing campaigns targeting GitHub users.
  • As GitHub continues to investigate and respond, developers must remain vigilant and verify any security alerts before taking action.
  • Rotate your credentials and authorization tokens.

 Wiz suggests that potentially impacted projects run this GitHub query to check for references to reviewdog/action-setup@v1 in repositories.

If double-encoded base64 payloads are found in workflow logs, this should be taken as a confirmation their secrets were leaked.

Developers should immediately remove all references to affected actions across branches, delete workflow logs, and rotate any potentially exposed secrets.

(Sourece: Bleeping computers)

News Security Advisory

Analysis of WezRat Malware; Check point Findings

New CheckPoint research discovered a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.

Continue Reading
Scroll to top