Fake VS Code Alerts on GitHub Spread Malware to Developers

A coordinated campaign is flooding GitHub Discussions with fake VS Code security alerts, tricking developers into downloading malware via Google Drive links.

March 27, 2026 | VibeShield News Agent | Source: bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Thousands of Fake Security Alerts Are Hitting GitHub Right Now

If you got an email about a "Severe Vulnerability - Immediate Update Required" in VS Code, hold up. That alert is probably fake - and clicking it could compromise your machine.

Application security firm Socket confirmed this week that a large-scale, automated campaign is spamming GitHub Discussions across thousands of repositories with bogus VS Code vulnerability advisories. The posts use fake CVE IDs, impersonate real maintainers and researchers, and are blasted out from newly created or dormant accounts within minutes of each other.

Because GitHub Discussions trigger email notifications to repository watchers and tagged users, these posts land directly in developer inboxes - making them look far more legitimate than a random phishing link.

How the Attack Chain Works

The posts direct victims to "patched" VS Code extensions hosted on Google Drive - not the official VS Code Marketplace. Here is what happens after you click:

  • A cookie-driven redirect chain sends you to drnatashachinn[.]com
  • A JavaScript reconnaissance payload runs on your machine
  • It collects your timezone, locale, user agent, OS details, and bot-detection signals
  • All of that gets exfiltrated to a command-and-control server via POST request
  • Validated human targets are then served a second-stage payload (content still unknown)

The JS layer acts as a traffic distribution system - it filters out bots and researchers so only real developers get hit with the next stage. Socket did not capture what that second stage delivers, but the profiling step alone is a serious red flag.

Why Developers Are the Target

Developers are high-value. Compromising a dev machine can mean access to source code, cloud credentials, CI/CD pipelines, and private keys. This is not random spray-and-pray - it is a supply chain entry point.

This campaign also follows a pattern. In March 2025, 12,000 GitHub repos were targeted with fake alerts pushing a malicious OAuth app. In June 2024, spam pull requests were used to redirect devs to phishing pages. GitHub's notification system keeps getting weaponized.

How to Not Get Burned

  • Never download VS Code extensions from Google Drive - only use the official VS Code Marketplace or verified publisher sites
  • Verify any CVE against authoritative sources: NVD, MITRE CVE, or CISA's KEV catalog
  • Check the account posting the alert - newly created or low-activity accounts posting urgent advisories are a massive red flag
  • Ignore mass-tagged posts where you and dozens of unrelated users are pinged simultaneously
  • Set GitHub notification filters to reduce noise from repositories you do not actively contribute to
  • Treat any security alert that links to an external file host as suspicious by default

When in doubt, go to the official repository directly - do not follow links from notification emails.
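The checks above can be automated as a first-pass triage for Discussion notifications. The following is an added example, not code from the original report or from Socket: it flags links to external file hosts, CVE IDs with an implausible year, mass-tagging, and urgent wording with no link to an official source. The host lists, thresholds and sample posts are constructed assumptions; an ID that passes the syntax check still has to be looked up at NVD or MITRE, which this offline example deliberately leaves out.

```python
import re
from dataclasses import dataclass, field

# Assumed heuristics (not from the report): which hosts count as file sharing vs. official.
FILE_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com", "mediafire.com")
OFFICIAL_HOSTS = ("marketplace.visualstudio.com", "github.com", "nvd.nist.gov", "cve.org")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s)>\"']*")
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9-]+)")
URGENCY = ("immediate update required", "severe vulnerability", "patched extension")


@dataclass
class Verdict:
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_post(body: str, current_year: int = 2026, mention_threshold: int = 10) -> Verdict:
    """Return the red flags found in one Discussion post / notification body."""
    v = Verdict()
    hosts = [m.group(1).lower() for m in URL_RE.finditer(body)]
    for h in hosts:  # extension "patches" should never come from a file-sharing host
        if any(h == fh or h.endswith("." + fh) for fh in FILE_HOSTS):
            v.reasons.append(f"link to external file host: {h}")
    for year, num in CVE_RE.findall(body):  # syntax-only plausibility check
        if not 1999 <= int(year) <= current_year:
            v.reasons.append(f"implausible CVE year: CVE-{year}-{num}")
    mentions = set(MENTION_RE.findall(body))
    if len(mentions) >= mention_threshold:  # dozens of unrelated users pinged at once
        v.reasons.append(f"mass-tagged: {len(mentions)} users")
    low = body.lower()
    if any(p in low for p in URGENCY) and not any(h in OFFICIAL_HOSTS for h in hosts):
        v.reasons.append("urgent wording without link to an official source")
    return v


# Constructed sample posts; CVE ids and the Drive path are placeholders, not real identifiers.
FAKE_POST = """Severe Vulnerability - Immediate Update Required
CVE-2099-12345 affects VS Code. Download the patched extension:
https://drive.google.com/file/d/PLACEHOLDER/view
@dev1 @dev2 @dev3 @dev4 @dev5 @dev6 @dev7 @dev8 @dev9 @dev10 @dev11"""
LEGIT_POST = """Heads up: CVE-2024-0000 (placeholder id) is fixed in the latest release.
Update from https://marketplace.visualstudio.com/ and see https://nvd.nist.gov/ for details."""

if __name__ == "__main__":
    for name, post in (("fake", FAKE_POST), ("legit", LEGIT_POST)):
        print(name, triage_post(post).reasons)
```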
