Mar 30, 2026 · 5 min read
Fake VS Code Alerts on GitHub Are Installing Malware on Developer Machines
A coordinated campaign is flooding GitHub Discussions with fake security advisories that trick developers into downloading malware disguised as patches.
The Campaign
A large-scale, automated campaign is targeting developers on GitHub by posting fake Visual Studio Code security alerts in the Discussions section of thousands of repositories. The posts are designed to look like legitimate vulnerability advisories, using realistic titles like "Severe Vulnerability — Immediate Update Required" and including fabricated CVE identifiers to add credibility.
Application security firm Socket, which first documented the campaign, described it as "a well-organized, large-scale operation rather than a narrowly targeted, opportunistic attack." The fake alerts appear across thousands of repositories within minutes, posted by newly created or low-activity GitHub accounts.
How Developers Get Targeted
The attackers exploit a feature of GitHub Discussions: when a post is created, all repository participants and watchers receive email notifications. This means the malicious content arrives directly in developers' inboxes, lending it the appearance of a legitimate project notification.
In many cases, the threat actors impersonate real code maintainers or security researchers to create a false sense of authority. The posts tag large numbers of unrelated users to maximize the reach of each fake advisory.
When a developer clicks the link in the fake advisory, they are redirected through a cookie-driven chain to an external domain that runs a JavaScript reconnaissance script. This script collects the visitor's timezone, locale, user agent, operating system details, and automation indicators before sending the data to a command server via a POST request.
What the Malware Does
The reconnaissance stage functions as a traffic distribution system. It filters out bots, security researchers, and automated scanners while identifying legitimate developer targets for the next stage of the attack. Validated targets are then directed to download what appears to be a patched version of a VS Code extension, hosted on services like Google Drive.
The payload itself varies, but the delivery mechanism is consistent: fake security urgency drives the developer to install something they believe is a legitimate update. Because developers often have elevated system privileges and access to source code repositories, CI/CD pipelines, and cloud credentials, a compromised developer machine can become a gateway to an organization's entire infrastructure.
Why This Attack Works
The campaign exploits a trust gap in the developer workflow. Developers are trained to take security advisories seriously and to patch vulnerabilities quickly. The attackers weaponize that discipline by creating urgency around a fabricated vulnerability. The psychology is effective: a developer who sees a critical CVE affecting their project's dependencies will act fast, and that speed is exactly what the attackers are counting on.
This is part of a broader trend of supply chain attacks targeting developers. The North Korean VS Code malware campaign discovered earlier this month used a different vector (malicious project files) but the same fundamental strategy: exploit developer trust in their tools.
How to Protect Yourself
Before acting on any security advisory posted to GitHub Discussions:
- Verify CVE identifiers against authoritative sources: the National Vulnerability Database (NVD), CISA's Known Exploited Vulnerabilities catalog, or MITRE's CVE database
- Check the posting account's history. Newly created accounts with no prior activity are a red flag
- Never download VS Code extensions or updates from external links. Always use the official VS Code marketplace or Microsoft's update channel
- Be suspicious of mass user tagging in Discussions posts. Legitimate maintainers rarely tag dozens of unrelated users
- Report suspicious Discussions directly to GitHub for review and removal
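The checklist above can be turned into a triage script that scores a Discussions post before anyone clicks it. The following is an added example, not code from the article or from Socket: it flags malformed or impossible CVE identifiers, mass @-mentions, download links on file-sharing hosts, urgency language, and a young posting account. The thresholds, host lists, phrase list, reference date and the sample post are all constructed assumptions; a plausible-looking CVE still has to be looked up in NVD, CISA KEV or the MITRE CVE database, which this offline script deliberately does not do.

```python
"""Triage heuristics for a GitHub Discussions "security advisory" post.

Added example (not the article's or Socket's code). Every threshold,
host list, phrase and the sample post below is a constructed assumption.
"""
import re
from datetime import date

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
# GitHub usernames: alphanumerics and hyphens, up to 39 chars; the
# lookbehind keeps e-mail addresses from being counted as mentions.
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?)")
URL_RE = re.compile(r"https?://([^/\s]+)")

# Assumption: a real VS Code update never comes from a file-sharing host.
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "mega.nz"}
# Assumption: hosts a legitimate advisory or update would point at.
OFFICIAL_HOSTS = {"marketplace.visualstudio.com", "code.visualstudio.com",
                  "github.com", "nvd.nist.gov", "cve.org", "cisa.gov"}
URGENCY_PHRASES = ("immediate update required", "severe vulnerability",
                   "update immediately", "critical vulnerability")
MAX_REASONABLE_MENTIONS = 5   # assumption: maintainers rarely tag more
NEW_ACCOUNT_DAYS = 30         # assumption: younger accounts get a penalty
WEIGHTS = {"implausible_cve": 4, "file_sharing_download": 4, "mass_tagging": 3,
           "new_account_days": 3, "urgency_language": 2, "external_links": 1}

# Constructed reference date so the example is reproducible offline.
TODAY = date(2026, 3, 30)

# Constructed sample post; not a real campaign post.
SAMPLE_POST = {
    "title": "Severe Vulnerability - Immediate Update Required (CVE-2031-99999)",
    "body": "@dev1 @dev2 @dev3 @dev4 @dev5 @dev6 Patched extension here: "
            "https://drive.google.com/file/d/EXAMPLE/view",
    "author_created": "2026-03-25",  # ISO date the account was created
}


def extract_cve_ids(text):
    """Return every CVE-YYYY-NNNN+ identifier found in the text."""
    return [f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)]


def cve_id_is_plausible(cve_id, today=None):
    """Format and year sanity only: a CVE from the future or before the
    program existed (1999) cannot be real. Anything that passes still
    needs a lookup in NVD / CISA KEV / MITRE."""
    today = today or date.today()
    match = CVE_RE.fullmatch(cve_id)
    if not match:
        return False
    return 1999 <= int(match.group(1)) <= today.year


def _under(host, parents):
    return any(host == p or host.endswith("." + p) for p in parents)


def triage_post(post, today=None):
    """Score a post dict (title, body, author_created) and return
    (score, signals); higher scores deserve a pause before clicking."""
    today = today or date.today()
    text = f"{post['title']}\n{post['body']}"
    signals = {}

    cves = extract_cve_ids(text)
    bad = [c for c in cves if not cve_id_is_plausible(c, today)]
    if bad:
        signals["implausible_cve"] = bad
    elif cves:
        signals["cve_needs_lookup"] = cves  # no weight: verify externally

    mentions = set(MENTION_RE.findall(text))
    if len(mentions) > MAX_REASONABLE_MENTIONS:
        signals["mass_tagging"] = len(mentions)

    hosts = {h.lower() for h in URL_RE.findall(text)}
    sharing = sorted(h for h in hosts if _under(h, FILE_SHARING_HOSTS))
    if sharing:
        signals["file_sharing_download"] = sharing
    external = sorted(h for h in hosts
                      if h not in sharing and not _under(h, OFFICIAL_HOSTS))
    if external:
        signals["external_links"] = external

    lowered = text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        signals["urgency_language"] = hits

    age_days = (today - date.fromisoformat(post["author_created"])).days
    if age_days < NEW_ACCOUNT_DAYS:
        signals["new_account_days"] = age_days

    score = sum(WEIGHTS.get(name, 0) for name in signals)
    return score, signals


if __name__ == "__main__":
    score, signals = triage_post(SAMPLE_POST, TODAY)
    print(f"score={score}")
    for name, value in signals.items():
        print(f"  {name}: {value}")
```

Run it against a notification's subject and body; anything that scores on `implausible_cve` or `file_sharing_download` should be treated as the campaign described above and reported to GitHub rather than clicked. The `cve_needs_lookup` signal carries no weight on purpose: a well-formed identifier is exactly what the attackers fabricate, so the only real check is the authoritative lookup.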
The most effective defense is a deliberate pause. When a security alert creates urgency, take 30 seconds to verify it through a second source before clicking anything. That brief delay can prevent a compromise that takes weeks to clean up.