
Fake VS Code Alerts on GitHub Spread Malware to Developers

A massive phishing campaign is abusing GitHub Discussions to distribute malware via fake Visual Studio Code security patches and urgent vulnerability alerts.

A coordinated malware campaign is abusing GitHub Discussions to flood developer inboxes with fabricated Visual Studio Code security alerts. The ongoing attack, which surfaced at scale on March 25, 2026, bypasses traditional spam filters by leveraging GitHub’s native notification system. Attackers are posting fake vulnerability advisories that urge developers to download an emergency patch. Because these alerts originate from legitimate repository discussion threads, they inherit GitHub’s domain reputation and reach repository watchers directly.

Attack Mechanics

The campaign relies on mass automation to deploy thousands of identical posts across unrelated repositories within minutes. Attackers use newly created or dormant accounts to initiate discussions with titles like “Visual Studio Code: Severe Vulnerability, Immediate Update Required.”

The posts include fabricated metadata to simulate an authentic security advisory. Attackers reference fake identifiers such as CVE-2026-25784-91046, a string that does not even follow CVE ID syntax (CVE-YYYY-NNNN, a single run of four or more digits after the year), so no lookup in NVD or the MITRE catalog can resolve it. They claim the vulnerability affects a broad range of VS Code versions, typically listing 1.0.0-1.112.4 as vulnerable. The goal is to maximize the perceived blast radius and prompt immediate action from Windows, macOS, and Linux developers.

The advisories direct targets to download an updated version or extension via external file-sharing links. The primary delivery mechanism relies on URLs hosted on Google Drive.

Fingerprinting and Payload Delivery

Security analysts at Socket tracked the external links to a multi-step redirection chain. Attackers are routing traffic through serverless environments, specifically Vercel and Cloudflare Workers.

The redirection chain acts as a Traffic Distribution System (TDS). It executes an obfuscated JavaScript reconnaissance script to evaluate the visitor’s browser. The script collects system timezone, locale, operating system, and User Agent data. It also checks for automation signals to evade security researchers and automated sandbox environments.

Targets who pass the viability check receive the final payload: data-stealing malware and reconnaissance tools tailored to the developer's operating system. Developer workstations typically hold SSH keys, cloud credentials and CI or package-registry tokens, so a stealer foothold there often precedes broader network compromise or multi-stage attacks.

Infrastructure Abuse Patterns

This event continues a clear trend of threat actors using legitimate developer platforms for malware distribution. The technique exploits the trust developers place in notifications that arrive from the platform itself.

| Campaign Date | Attack Vector | Target Scope |
| --- | --- | --- |
| June 2024 | Spam comments and pull requests | Targeted developers via GitHub email triggers |
| March 2025 | Fake repository alerts | 12,000 repositories targeted for malicious OAuth authorization |
| March 2026 | Automated GitHub Discussions | Thousands of repositories flooded with fake VS Code patches |

The scale of the March 2026 event highlights the difficulty of filtering authenticated platform traffic. GitHub removes automated spam accounts once detected, but by then the notification emails have already been delivered and cannot be recalled, so deleting the discussion does not remove the lure from inboxes. Similar tactics have been observed in other recent platform abuses, such as the Glassworm campaign that exploited commit metadata.

When evaluating security alerts in issue trackers or discussions, verify the referenced CVE directly in the National Vulnerability Database or the MITRE CVE catalog; an identifier that does not follow the CVE-YYYY-NNNN format cannot be real. Never download IDE patches or updates from external file-sharing services. Rely exclusively on the built-in update mechanism within Visual Studio Code or the official Microsoft domains (code.visualstudio.com) for all software upgrades.
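The checks recommended above can be automated against the artefacts this campaign relies on: a malformed CVE identifier, a "patch" served from a file-sharing or serverless-redirect host, and urgency wording attached to a VS Code update claim. The following triage script is an added example written for this article, not tooling from Socket, GitHub or Microsoft; the host lists, urgency phrases, scoring threshold and both sample posts are constructed assumptions and should be tuned to your own environment.

```python
"""Triage a GitHub Discussions post for the lure indicators described in the article.

Added example, not code from the original report. Sample posts, host lists and
phrase lists are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# A real CVE ID is "CVE-", a four-digit year, a hyphen, then ONE run of four or
# more digits. A second numeric segment (CVE-2026-25784-91046) cannot exist.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Loose pattern that also catches malformed look-alikes so they can be reported.
CVE_MENTION_RE = re.compile(r"\bCVE-\d{4}-\d+(?:-\d+)*\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>()\[\]\"']+")

# Delivery/redirect infrastructure named in the article plus generic file-sharing
# services (assumption: extend this list for your own environment).
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "mega.nz"}
SERVERLESS_SUFFIXES = (".vercel.app", ".workers.dev")
# Hosts a VS Code update may legitimately come from (assumption; github.com is
# allowed because the notification is about a repository in the first place).
OFFICIAL_HOSTS = {"code.visualstudio.com", "update.code.visualstudio.com",
                  "marketplace.visualstudio.com", "github.com"}
URGENCY_PHRASES = ("immediate update required", "severe vulnerability",
                   "emergency patch", "critical security patch")
VSCODE_TERMS = ("visual studio code", "vs code", "vscode")


def is_valid_cve_id(cve_id: str) -> bool:
    """True only if cve_id is syntactically a CVE identifier."""
    return CVE_ID_RE.fullmatch(cve_id.upper()) is not None


def host_of(url: str) -> str:
    """Normalised hostname of a URL (trailing punctuation and 'www.' removed)."""
    host = (urlparse(url.rstrip(".,;:")).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def triage(post: str) -> dict:
    """Return hard/soft indicators and a verdict for one discussion post."""
    hard, soft = [], []
    text = post.lower()
    about_vscode = any(term in text for term in VSCODE_TERMS)

    # Hard indicator: an identifier that no CVE catalog could ever contain.
    for ident in sorted(set(CVE_MENTION_RE.findall(post))):
        if not is_valid_cve_id(ident):
            hard.append(f"malformed CVE identifier: {ident}")

    # Hard indicator: software offered from file-sharing or serverless redirectors.
    # Soft indicator: a VS Code 'patch' linked from anywhere not on the allowlist.
    for url in URL_RE.findall(post):
        host = host_of(url)
        if host in FILE_SHARING_HOSTS or host.endswith(SERVERLESS_SUFFIXES):
            hard.append(f"download via file-sharing/serverless redirect host: {host}")
        elif about_vscode and host not in OFFICIAL_HOSTS:
            soft.append(f"VS Code 'patch' linked from non-official host: {host}")

    if about_vscode and any(phrase in text for phrase in URGENCY_PHRASES):
        soft.append("urgency language attached to a VS Code update claim")

    # Threshold is an assumption: any hard indicator, or two soft ones, is enough.
    suspicious = bool(hard) or len(soft) >= 2
    return {"suspicious": suspicious, "hard": hard, "soft": soft}


# Constructed sample modelled on the lure described in the article (not a real post).
PHISHING_POST = """Visual Studio Code: Severe Vulnerability, Immediate Update Required
CVE-2026-25784-91046 affects VS Code 1.0.0-1.112.4 on Windows, macOS and Linux.
Download the emergency patch: https://drive.google.com/file/d/EXAMPLE/view.
"""

# Constructed benign maintainer post for comparison (URLs are placeholders).
BENIGN_POST = """Release 4.2.0 is out. Changelog: https://github.com/example/project/releases/tag/v4.2.0
If you use the VS Code extension, update it from https://marketplace.visualstudio.com/ as usual.
"""

if __name__ == "__main__":
    for name, post in (("phishing", PHISHING_POST), ("benign", BENIGN_POST)):
        print(name, triage(post))
```

Run against the two constructed posts, the lure is flagged on two hard indicators (the impossible CVE string and the Google Drive download) plus the urgency wording, while the maintainer release note produces no indicators at all. The CVE syntax check is the cheapest and most reliable of the three: a real advisory can use urgent language and link to unusual hosts, but it cannot cite an identifier that the CVE numbering scheme does not allow.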
