Full Report
A large-scale campaign is targeting developers on GitHub with fake Visual Studio Code (VS Code) security alerts posted in the Discussions section of various projects, to trick users into downloading malware. [...]
Analysis Summary
# Tool/Technique: Malicious GitHub Discussion "Urgent Update" Campaign
## Overview
This is a large-scale, automated social engineering campaign targeting developers on GitHub. The attackers abuse the **GitHub Discussions** feature to post fake "Severe Vulnerability" advisories (impersonating VS Code security alerts). The goal is to trigger email notifications to repository watchers and trick them into downloading malicious payloads via a multi-stage redirection chain.
## Technical Details
- **Type**: Social Engineering / Traffic Distribution System (TDS) / Reconnaissance
- **Platform**: Cross-platform (Windows, macOS, Linux) via browser-based JavaScript
- **Capabilities**: Automated spamming, environment profiling, bot/researcher evasion, and delivery of secondary malware.
- **First Seen**: March 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - **T1566.002 - Phishing: Spearphishing Link** (Links in GitHub Discussions)
  - **T1204.001 - User Execution: Malicious Link**
- **TA0007 - Discovery**
  - **T1082 - System Information Discovery** (User-agent, OS)
  - **T1614 - System Location Discovery** (Timezone/Locale)
- **TA0011 - Command and Control**
  - **T1071.001 - Application Layer Protocol: Web Protocols** (HTTP POST for exfiltration)
## Functionality
### Core Capabilities
- **Automated Mass-Tagging**: Uses newly created or low-activity accounts to post identical alerts across thousands of repositories simultaneously, triggering GitHub’s native email notification system.
- **Impersonation**: Frequently uses the names/avatars of actual repository maintainers or well-known security researchers to gain trust.
- **Environment Discovery**: A JavaScript payload executes in the browser to collect:
  - User-agent strings
  - Operating System (OS) details
  - Timezone and Locale
  - Indicators for automation/sandboxing (to filter out bots)
### Advanced Features
- **Redirection Chain**: Uses a legitimate service (Google Drive) as an initial landing point to bypass basic URL filters, followed by a cookie-driven redirection to the final malicious domain.
- **Target Filtering (TDS)**: The initial JavaScript serves as a Traffic Distribution System, ensuring the final malware payload is only delivered to real human targets while evading automated security scanners.
## Indicators of Compromise
- **File Names**: Frequently referenced as "patched" VS Code extension installers (e.g., `.vsix` or executable wrappers).
- **Network Indicators**:
  - `drnatashachinn[.]com` (JS Reconnaissance & C2)
  - `drive[.]google[.]com` (Initial lure host)
- **Behavioral Indicators**:
  - Unexpected POST requests to external domains following a Google Drive link click.
- Automated GitHub Discussion posts featuring urgent keywords: "Severe Vulnerability," "Immediate Update Required," or "CVE-202X-XXXX."
## Associated Threat Actors
- **Unknown**: Currently identified as a coordinated, large-scale operation, but not yet attributed to a specific named APT or e-crime group.
## Detection Methods
- **Behavioral Detection**: Monitor for browser activity where a script queries `Intl.DateTimeFormat().resolvedOptions().timeZone` or `navigator.userAgent` immediately on page load and sends the result to a domain outside the expected update path.
- **Network Detection**: Block/Flag traffic to known TDS domains associated with this campaign.
- **Email Security**: Flag GitHub notification emails that contain links to non-standard domains (Google Drive, Dropbox) for software updates.
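The behavioral indicator above (a POST to an external domain shortly after a Google Drive lure click) can be checked against proxy logs. The following Python is an added example, not code from the original report; the log format, the `ALLOWED_POST_HOSTS` allowlist, the 60-second window and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Assumed format:
# <ISO timestamp> <user> <method> <url> referer=<referer or ->
SAMPLE_LOG = """\
2026-03-10T09:00:01 alice GET https://github.com/example/repo/discussions/42 referer=-
2026-03-10T09:00:05 alice GET https://drive.google.com/file/d/ABC123/view referer=https://github.com/example/repo/discussions/42
2026-03-10T09:00:09 alice POST https://update-check.example/collect referer=https://drive.google.com/
2026-03-10T09:10:00 bob GET https://drive.google.com/file/d/XYZ/view referer=-
2026-03-10T09:10:02 bob POST https://marketplace.visualstudio.com/_apis/log referer=https://drive.google.com/
2026-03-10T11:00:00 carol POST https://update-check.example/collect referer=-
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) referer=(\S+)$")
# Lure hosts named in the report's IoCs and detection notes.
LURE_HOSTS = {"drive.google.com", "www.dropbox.com"}
# Assumed allowlist: POST destinations that are expected on a legitimate update path.
ALLOWED_POST_HOSTS = {"github.com", "marketplace.visualstudio.com", "drive.google.com"}
WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse(log):
    """Parse log lines into (timestamp, user, method, url, referer) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, user, method, url, ref = m.groups()
        events.append((datetime.fromisoformat(ts), user, method, url, ref))
    return events


def find_suspicious_posts(log):
    """Return (user, post_url, lure_url) for every POST to a non-allowlisted
    host made by a user within WINDOW of fetching a lure host."""
    hits = []
    last_lure = {}  # user -> (time of last lure fetch, lure url)
    for ts, user, method, url, _ref in sorted(parse(log)):
        host = (urlparse(url).hostname or "").lower()
        if method == "GET" and host in LURE_HOSTS:
            last_lure[user] = (ts, url)
        elif method == "POST" and host not in ALLOWED_POST_HOSTS:
            lure = last_lure.get(user)
            if lure and ts - lure[0] <= WINDOW:
                hits.append((user, url, lure[1]))
    return hits


if __name__ == "__main__":
    for user, post_url, lure_url in find_suspicious_posts(SAMPLE_LOG):
        print(f"ALERT {user}: POST to {post_url} within {WINDOW} of {lure_url}")
```

Only alice's session is flagged: bob's POST goes to an allowlisted host and carol's POST has no preceding lure fetch.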
## Mitigation Strategies
- **Verification**: Cross-reference any CVE mentioned in a GitHub Discussion with official sources (NVD, MITRE, or the CISA KEV catalog).
- **Verification of Channel**: Official VS Code extensions should only be updated via the **Visual Studio Marketplace** or the built-in VS Code "Extensions" tab—never via external Google Drive links.
- **Organization Policy**: Implement browser-level threat protection and restrict the execution of unverified scripts from unknown domains.
## Related Tools/Techniques
- **OAuth Hijacking**: Similar campaigns have used fake security alerts to trick developers into authorizing malicious GitHub OAuth apps.
- **Malicious Pull Requests**: Use of "automated" comments on PRs to distribute phishing links.