Malware News: Fake VS Code alerts on GitHub spread malware to developers

Brownie2019
Mar 9, 2019
A large-scale campaign is targeting developers on GitHub with fake Visual Studio Code (VS Code) security alerts posted in the Discussions section of various projects, to trick users into downloading malware.

The spammy posts are crafted as vulnerability advisories and use realistic titles like “Severe Vulnerability - Immediate Update Required,” often including fake CVE IDs and urgent language.

In many cases, the threat actor impersonates real code maintainers or researchers for a false sense of legitimacy.
More here:
This is a good example of social engineering aimed at developers rather than a flaw in VS Code itself.

What is happening

  • The lure is a fake “security advisory” posted in GitHub Discussions.
  • It uses urgency, fake CVE numbers, and sometimes impersonation of maintainers or researchers.
  • The goal is to push the target into downloading a malicious file or “update.”

Why it works

Developers are used to acting quickly on security notices, especially when a message looks technical and references a known tool like VS Code. GitHub Discussions can also look informal enough that some people may lower their guard compared with official advisories.

Important distinction

This does not automatically mean VS Code has a new critical vulnerability. In cases like this, the abuse is usually the delivery method, not proof of a real vendor advisory. Any claimed CVE or emergency patch should be verified through official Microsoft and VS Code channels before downloading anything.

Safe response

  • Do not download executables, scripts, or archives linked from GitHub discussion posts.
  • Verify advisories through official vendor pages and trusted security bulletins.
  • Check whether the GitHub account posting the warning is actually the real maintainer.
  • If a file was already downloaded, scan it with reputable security software and submit the hash or sample to VirusTotal.
  • Report the fake discussion post to GitHub so staff can review and remove it.

Good practice for developers

  • Prefer updates from the built-in updater or the official VS Code website.
  • Be cautious with messages that rely heavily on panic language like “immediate update required.”
  • Treat pasted PowerShell, shell commands, and “security patch” installers from discussion threads as untrusted.
  • Use code signing, hashes, and official release notes where available to verify downloads.

The main takeaway is that this is a trust-abuse campaign: the attacker is exploiting GitHub’s credibility and developers’ urgency, not necessarily a real VS Code security event.

While this attack targets developers on GitHub, home users can still be indirectly affected. If a compromised programmer pushes malicious code or a manipulated library is integrated into popular apps, the risk trickles down to everyone at home. For the average user, the best defense remains sticking to official sources and keeping their systems up to date. ⚠️
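The "Safe response" and "Good practice" lists above boil down to a handful of checks that can be applied to any discussion post claiming to be an advisory. The script below is an added example, not code from this thread, from GitHub or from Microsoft: it scores a post on the hallmarks the replies describe (panic wording, CVE IDs that cannot be real, links to a downloadable "patch", and an author who is not a known maintainer). The maintainer list, the two sample posts and the scoring weights are constructed assumptions for the demonstration.

```python
"""Heuristic triage of a GitHub Discussions post that claims to be a security advisory.

Added example for this thread (not code from the thread, GitHub or Microsoft).
KNOWN_MAINTAINERS, the sample posts and the scoring weights are constructed
assumptions; the checks mirror the advice given in the thread.
"""
import re
from dataclasses import dataclass, field
from datetime import date

# Panic language the campaign relies on (assumed list; extend for your own triage).
URGENCY_PHRASES = (
    "immediate update required",
    "severe vulnerability",
    "update immediately",
    "patch now",
)

# A genuine advisory points at release notes, never at a binary or archive to run.
DOWNLOAD_LINK_RE = re.compile(
    r"https?://\S+\.(?:exe|msi|zip|7z|rar|ps1|sh|bat|scr)\b", re.IGNORECASE
)

# CVE IDs are CVE-<year>-<4 or more digits>; the CVE program started in 1999.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Assumed: accounts you looked up yourself on the repository's collaborators page.
KNOWN_MAINTAINERS = {"maintainer-alice"}


@dataclass
class Post:
    author: str
    title: str
    body: str


@dataclass
class Triage:
    score: int = 0
    reasons: list = field(default_factory=list)


def implausible_cves(text, current_year=None):
    """Return CVE IDs whose year predates the CVE program or lies in the future.

    A plausible-looking ID proves nothing on its own: it still has to be looked up
    on the CVE program's site or the vendor's own advisory page.
    """
    current_year = current_year or date.today().year
    return [
        m.group(0)
        for m in CVE_RE.finditer(text)
        if not 1999 <= int(m.group(1)) <= current_year
    ]


def triage_post(post, known_maintainers=KNOWN_MAINTAINERS):
    """Score one post; a higher score means more of the campaign's hallmarks are present."""
    t = Triage()
    text = f"{post.title}\n{post.body}"
    lowered = text.lower()

    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        t.score += 2
        t.reasons.append(f"urgency wording: {hits}")

    links = DOWNLOAD_LINK_RE.findall(text)
    if links:
        t.score += 3
        t.reasons.append(f"links to a downloadable payload: {links}")

    bad = implausible_cves(text)
    if bad:
        t.score += 2
        t.reasons.append(f"implausible CVE ids: {bad}")

    if post.author.lower() not in {m.lower() for m in known_maintainers}:
        t.score += 1
        t.reasons.append(f"author {post.author!r} is not a listed maintainer")
    return t


def verdict(triage):
    """Map a score to a triage decision (thresholds are an assumption)."""
    if triage.score >= 5:
        return "likely fake advisory"
    if triage.score >= 2:
        return "review manually"
    return "no obvious red flags"


# Constructed sample posts modelled on the lure described in the thread.
FAKE_POST = Post(
    author="secresearch-2024",
    title="Severe Vulnerability - Immediate Update Required",
    body="A critical flaw (CVE-2031-99999) affects all VS Code versions. Download the "
    "patched build now: https://example.invalid/vscode-security-patch.zip",
)
LEGIT_POST = Post(
    author="maintainer-alice",
    title="Release 1.2.3 fixes CVE-2024-0001",
    body="See the release notes on the official site and update via the built-in updater.",
)

if __name__ == "__main__":
    for post in (FAKE_POST, LEGIT_POST):
        result = triage_post(post)
        print(f"{post.title!r}: score={result.score} -> {verdict(result)}")
        for reason in result.reasons:
            print("  -", reason)
```

Run it as-is and the constructed fake post scores 8 ("likely fake advisory") while the maintainer's release note scores 0. The scoring is deliberately coarse: its purpose is to make the decision to stop and verify through official channels, not to replace that verification.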