Google Sites lure leads to bogus root certificate
Imagine getting asked to do something by a person in authority.
An unknown malware slinger targeting open source software developers via Slack impersonated a real Linux Foundation official and used pages hosted on Google.com to steal developers' credentials and take over their systems.
Open Source Security Foundation (OpenSSF) CTO Christopher Robinson told The Register that the social engineering campaign specifically targets TODO (Talk Openly, Develop Openly) and CNCF (Cloud Native Computing Foundation), two projects hosted by the Linux Foundation.
After posing as a trusted Linux Foundation community leader in Slack, the attacker tried to trick developers into clicking a phishing link hosted on Google Sites: https://sites[.]google[.]com/view/workspace-business/join.
The link imitates a legitimate Google Workspace sign-in flow but leads users into a fraudulent authentication process, prompting them to enter their credentials and then install a fake root certificate masquerading as a Google certificate.
The phony certificate is malware. On macOS, it downloads and executes a binary (gapi) from a remote IP (2.26.97.61); on Windows machines, it prompts the user to install a malicious certificate via a browser trust dialog.
Other LF projects have faced similar social engineering-style efforts in the last several months.
This latest effort was very consistent with those.
"Installing the certificate enables interception of encrypted traffic and credential theft," Robinson, who also serves as chief security architect of the Linux Foundation, said in an April 7 security advisory.
"Executing the binary may result in full system compromise."
Robinson declined to identify the Linux Foundation official being impersonated via Slack, and he told us that he doesn't know who is responsible for the credential-stealing attempts.
A Google spokesperson said that the cloud giant's security analysts are investigating this campaign, and have taken down the spoofed pages.
"This activity was a social engineering campaign that abused Google Sites to host a phishing page; it was not a security vulnerability or an underlying flaw within Google Workspace," a Google spokesperson told us.
"We continue to monitor for and mitigate this type of platform abuse to protect the broader ecosystem."
The spokesperson also noted that legitimate Google Workspace authentication will never require a user to manually install a root certificate or download a binary from a link to "verify" an account.
If you think you might have been compromised by this campaign, Robinson urges disconnecting from the network, removing all newly installed certificates, revoking active sessions and tokens, and rotating all credentials.
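One way to turn the "remove all newly installed certificates" step into a repeatable check is to export the trust store and diff each certificate's SHA-256 fingerprint against a baseline captured from a known-good machine. The script below is an added example, not code from the article, the Linux Foundation or OpenSSF; the certificate bodies, the `audit_store` helper and the baseline are constructed here for offline use, and the two sample PEM blocks are placeholders rather than real DER certificates.

```python
"""Audit a PEM trust-store export against a baseline of known root fingerprints.

Added example (not part of the article or of any OpenSSF/Linux Foundation
tooling). It implements the remediation step the advisory describes,
"removing all newly installed certificates", as a detection check: export the
trust store, hash each certificate, and report anything not in a baseline
captured before the incident.

On macOS a real export looks like:
    security find-certificate -a -p /Library/Keychains/System.keychain
    security find-certificate -a -p ~/Library/Keychains/login.keychain-db
Pipe that output into this script; with no stdin it runs on the sample data.
"""
import base64
import hashlib
import re
import sys

# One PEM CERTIFICATE block; re.S lets the body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM export."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split())))
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as most tools print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_store(pem_text: str, baseline: set[str]) -> list[str]:
    """Fingerprints present in the export but absent from the baseline."""
    found = {sha256_fingerprint(der) for der in pem_to_der(pem_text)}
    return sorted(found - baseline)


# Constructed sample data: these byte strings stand in for real DER
# certificates so the fingerprint logic can be exercised offline.
KNOWN_DER = b"constructed placeholder for a vendor-shipped root certificate"
ROGUE_DER = b"constructed placeholder for a certificate installed after the phish"


def _pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


SAMPLE_EXPORT = _pem(KNOWN_DER) + _pem(ROGUE_DER)
# Baseline as it would be captured from a clean machine (constructed here).
BASELINE = {sha256_fingerprint(KNOWN_DER)}


def main() -> int:
    """Exit 1 when the export contains certificates outside the baseline."""
    pem_text = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.read()
    unexpected = audit_store(pem_text, BASELINE)
    for fp in unexpected:
        print("NOT IN BASELINE:", fp)
    return 1 if unexpected else 0


if __name__ == "__main__":
    sys.exit(main())
```

In practice the baseline is the set of fingerprints exported from an unaffected machine of the same OS build before the incident; any fingerprint the audit reports should be inspected and, if it was added by the phishing flow, deleted from the keychain or certificate store before sessions are revoked and credentials rotated.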
"This campaign highlights a growing trend: attackers are targeting developer workflows and trust relationships, not just software vulnerabilities," Robinson wrote in the security alert.
"Staying vigilant and verifying before acting are critical to protecting both individual environments and the broader open source ecosystem."
This social engineering attempt targeting LF projects follows two other high-profile attacks against open source developers in March.
First, attackers hit Trivy, a vulnerability scanner with more than 100,000 users and contributors that is embedded in thousands of CI/CD pipelines.
Later in the month, North Korea-linked attackers socially engineered an Axios maintainer, using a fake company and Slack workspace to compromise the maintainer's account and publish malicious versions of the open source JavaScript library containing a remote-access trojan.
"We are seeing more and more developers targeted by this type of activity," Cisco Talos outreach lead Nick Biasini told The Register in an earlier interview about the Trivy and Axios supply chain attacks.
"Attackers are starting to really look at the supply chain and open source packages, and figure out ways to compromise developers to deliver malware or gather data, depending on the type of threat," Biasini said.
Source: This article was originally published by The Register