social engineering campaign

Blogs Security Advisory

Open Source Developers are Targeted in an active Social Engineering Campaign via Slack

Threat Actors impersonating as Linux Foundation leader in an active social engineering campaign targeting open source developers via Slack.

Now, a fresh Open Source Security Foundation (OpenSSF) advisory warns unknown attackers are using a similar approach to target other open source developers.

The human connection has been leveraged to target software.

The attackers interacted via Slack or social media platform LinkedIn, posing as company owners/representatives, job recruiters, or podcast hosts, and tried to lure developers into downloading malware mimicking as a videoconferencing software update, a type of phishing campaign.

Key facts

  • Attackers impersonated a Linux Foundation leader in Slack to target open source developers.
  • Victims were tricked into entering credentials and installing a malicious “Google certificate.”
  • The phishing campaign used AI-themed lures and legitimate services like Google Sites to appear credible.
  • Attack techniques varied by operating system, enabling interception of encrypted traffic on both macOS and Windows.
  • Security experts urge developers to verify identities and avoid installing unsolicited certificates or running unknown scripts.

Crafting of attack via social engineering

First step, attackers began with a scheming social engineering ploy

They joined Slack workspaces linked to the Linux Foundation’s TODO Group and then imitated a trusted community figure and sent direct messages to developers which looked like any legitimate invite – complete with a Google Sites link, fake email address and exclusive “access key” – to test a purported AI tool for predicting open source contribution acceptance.

Second step, once a victim clicked, they landed on a phishing page impersonating a Slack workspace invitation, prompting them to enter their email and a verification code. Instructions came in form to install what was described as a “Google certificate” from attackers side.

This was basically a malicious root certificate that allowed attackers the ability to intercept and read encrypted traffic – a devastating breach of privacy and security.

The attack module is sophisticated did not end there.

Consecutively on macOS, a script silently downloaded and executed a binary called “gapi,” potentially opening the door to full system compromise.

Windows users faced a browser-based certificate installation, equally effective at undermining secure communications. The attackers’ use of trusted infrastructure such as Google Sites allowed them to evade basic security checks and blend in with legitimate traffic.

Changing attack scenario in social engineering

Now open sources developers have become prime targets, with recent campaigns also hitting maintainers of projects like Fastify, Lodash, and Node.js.

Posing as the Linux Foundation leader, the attacker described how an AI tool can analyze open source project dynamics and predict which code contributions .

The attack was first brought to public attention on April 7, 2026, posted to the OpenSSF Siren mailing list by Christopher “CRob” Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation (OpenSSF).

Focus Shift from code repositories to human connections

Attackers now confidently targeting not only code repositories and networks that expanded over trust, but exploiting the personal trust networks that underpin open source collaboration. The expansion of open source ecosystem reminds to be more vigilant as attackers are evolving tactics and developers must now defend code and connections both.

The OpenSSF advisory :

The OpenSSF urges heightened vigilance: always verify identities through separate channels, never install certificates from untrusted sources, and treat unexpected security prompts with skepticism. If compromise is suspected, immediate network isolation and credential rotation are critical.

Sources: Social engineering attacks on open source developers are escalating – Help Net Security

Blogs

Cyber Campaign by Hacker’s on Microsoft teams invites to execute “device code phishing” attacks 

Microsoft Teams have been on top of prime targets by threat actors and this time a Cyber campaign by Storm-2372 a hacking group targeted Microsoft Teams, a platform where collaboration and meeting is most sought after while inviting for meeting and executing “device code phishing” attacks.

The cyber campaign targets governments, NGOs, IT services, defense, telecommunications, health, education, and energy sectors across Europe, North America, Africa, and the Middle East. Microsoft Threat Intelligence team has rounded up and hardened the Teams environment, with countermeasures and controls across identity, endpoints, and network layers.

“It should come as no surprise that if they can build a persona for social engineering, they will take advantage of the same resources as legitimate organizations, including custom domains and branding, especially if it can lend credibility to impersonating internal help desk, admin, or IT support,” Microsoft explains.

Prime Target of Hackers

The attack pattern reveal type of social engineering campaign, which often combines a traditional email spam campaign with Microsoft Teams-based manipulation.

The primary target of hackers is to use convincing pretexts to compromise targets through chat messaging or phone calls. But for actual compromise and initial access on Teams, hackers will need to deliver information-stealing malware, which leads to credential theft, extortion, and ransomware.

As Microsoft Team is popular it is also a carrier of Malware which are mostly information stealing. Microsoft noted the rise in email bombing (sending large volumes of emails) to create a sense of urgency.

Not one but many hacking groups have previously targeted Microsoft teams of which Russian hackers from Midnight Blizzard have been imitating security and tech support teams. The hackers urging targets to “verify their identities under the pretext of protecting their accounts by entering authentication codes.”

Microsoft noted the rise in email bombing (sending large volumes of emails) to create a sense of urgency. These emails prompt recipients to authenticate using the provided device code on Microsoft’s legitimate login page.

The threat actor targets the victim, allows him to complete authentication then intercepts the access and refresh tokens generated during the process. 

(Image courtesy: Cybersecuritynews.com)

Threat Mitigation strategies:

  • Any suspicious activity if detected, revoke user refresh tokens using revokeSignInSessions.
  • Important to Enforce MFA and block risky sign-ins based on user behavior.
  • FIDO tokens or passkeys instead of SMS-based MFA must be adopted
  • Integrate streamlined monitoring and response with on-premises directories .

The attackers’ intent was to convince users to download the remote monitoring and management (RMM) tool, AnyDesk, which would give them initial access to the target environment with the ultimate aim of deploying ransomware.

Scroll to top