Widespread GitHub Campaign Uses Fake VS Code Security Alerts to Deliver Malware
A widespread phishing campaign is exploiting GitHub Discussions to distribute fake Visual Studio Code security alerts to developers. The campaign uses fabricated CVEs and mass-tagging to trick Windows users into clicking malicious share.google links, which redirect to a JavaScript fingerprinting and Traffic Distribution System (TDS) hosted on an attacker-controlled domain.
Source:
Socket
- domaindrnatashachinn[.]comAttacker-controlled Command and Control (C2) and Traffic Distribution System (TDS) endpoint that serves the JavaScript fingerprinting payload.
- urlhxxps://share[.]google/fsdfMWqdXuz1RnQ3wMalicious redirect link distributed in fake GitHub security advisories.
- urlhxxps://share[.]google/yUtxD9cPL5ShQyUMJMalicious redirect link distributed in fake GitHub security advisories.
Key Takeaways
- Attackers are mass-posting fake Visual Studio Code security alerts in GitHub Discussions to target developers.
- The campaign leverages GitHub's notification system to send phishing emails directly to developers' inboxes, using mass @mentions.
- Malicious links use Google's share.google endpoint to redirect users to an attacker-controlled domain (drnatashachinn.com).
- The initial payload is an obfuscated JavaScript Traffic Distribution System (TDS) that fingerprints victims before potential further exploitation.
- The campaign specifically targets Windows users and uses fabricated CVE numbers (e.g., CVE-2026-25784-91046) to create a false sense of urgency.
Affected Systems
- Windows
- Windows 10
- Windows 11
- Visual Studio Code (VS Code)
- GitHub
Vulnerabilities (CVEs)
- Fabricated CVE-2026-25784-91046
- Fabricated CVE-2026-75691-43025
- Fabricated CVE-2026-35648-82915
- Fabricated CVE-2026-50463-39847
- Fabricated CVE-2026-60584-21736
Attack Chain
Attackers mass-create GitHub Discussions claiming a critical vulnerability in VS Code, tagging numerous developers to trigger email notifications. The posts contain a share.google link disguised as a security patch for Windows. When clicked by a user with an active Google session, the link performs a 301 redirect to an attacker-controlled domain (drnatashachinn.com). This domain serves an obfuscated JavaScript payload that fingerprints the victim's browser and environment, acting as a Traffic Distribution System (TDS) to filter targets before potential follow-on payload delivery.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules (YARA, Sigma, etc.) are provided in the article.
Detection Engineering Assessment
EDR Visibility: Low — The initial stages of this attack are entirely web-based and rely on social engineering. EDR will not have visibility into the GitHub discussion or the web redirect unless endpoint web filtering/network inspection is active. Network Visibility: Medium — Network logs and web proxies can capture the HTTP 301 redirect from share.google to the specific C2 domain, as well as the subsequent POST request containing fingerprinting data. Detection Difficulty: Moderate — Detection relies on spotting the specific C2 domain or unusual share.google links in corporate traffic, as well as user reporting of suspicious GitHub notifications. The use of legitimate services (GitHub, Google) complicates network-level blocking.
Required Log Sources
- Web Proxy Logs
- DNS Logs
- Email Gateway Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Users are clicking on malicious share.google links originating from GitHub notification emails, leading to redirects to unknown or suspicious domains. | Web Proxy Logs, Email Gateway Logs | Initial Access | Medium |
| Endpoints are communicating with drnatashachinn.com via HTTP POST requests containing base64 encoded or obfuscated fingerprinting data. | Network Traffic Logs, Web Proxy Logs | Discovery / Command and Control | Low |
Control Gaps
- GitHub native spam and malicious link filtering in Discussions
- Email filtering for GitHub notifications containing malicious redirects
Key Behavioral Indicators
- HTTP 301 redirects from share.google to drnatashachinn.com
- POST requests to drnatashachinn.com with automated form submissions
- Presence of fabricated CVEs (e.g., CVE-2026-*) in GitHub notification emails
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block the domain drnatashachinn.com at the network perimeter and DNS level.
- Block the specific share.google URLs identified in the IOCs.
Infrastructure Hardening
- Implement strict web filtering to inspect and potentially block unverified file-sharing links from corporate networks.
User Protection
- Deploy browser extensions or endpoint web protection to block known malicious TDS domains and phishing sites.
Security Awareness
- Educate developers to verify VS Code updates only through the official application or Microsoft's official channels.
- Warn developers about the ongoing GitHub Discussions phishing campaign, the use of fake CVEs, and the danger of unsolicited mass-tags.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1583.001 - Acquire Infrastructure: Domains
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1082 - System Information Discovery
- T1027 - Obfuscated Files or Information