Social Engineering Attack Targets Open Source Developers via Slack
A sophisticated social engineering campaign is actively targeting open source developers through Slack, weaponizing the trust relationships that define open source communities.
A high-severity advisory published on April 7 to the OpenSSF Siren mailing list details a multi-stage attack chain that begins with impersonation and culminates in full system compromise.
The attacker targeted the Slack workspace of the TODO Group, a Linux Foundation working group for open source program office (OSPO) practitioners.
Posing as a recognized Linux Foundation community leader, the threat actor sent direct messages pitching an exclusive AI tool that allegedly analyzes open-source project dynamics and predicts which contributions will be merged before review.
Victims were directed to a phishing URL hosted on Google Sites infrastructure (sites.google.com/view/workspace-business/join).
Because the page is hosted on a legitimate Google domain, the URL passes casual visual inspection and can evade security filters that blocklist known malicious domains. The page walks victims through a fake authentication flow that harvests email addresses and verification codes.
After credential collection, the attack diverges by platform. On macOS, a script downloads and executes a binary named gapi from a remote IP address (2.26.97.61), potentially resulting in full system compromise.
On Windows, victims are prompted to install the malicious file via a browser trust dialog. In both cases, the payload is framed as a routine “Google certificate” installation, a workspace configuration step designed to appear benign while enabling interception of encrypted traffic.
The advisory was authored by Christopher “CRob” Robinson, CTO and Chief Security Architect at OpenSSF. The attacker’s Slack account has since been deactivated after TODO Group administrators acted on the circulating advisory.
Part of a Broader Pattern
The campaign follows a separate but similar attack, reported last week by Socket in a technical report, that targeted high-profile Node.js maintainers, including the leads of Fastify, Lodash, dotenv, and Node.js core.
Mandiant researchers have linked that campaign to a DPRK-nexus threat actor using the same social engineering playbook that previously compromised Axios. Whether both campaigns share attribution remains unconfirmed.
OpenSSF Siren, the public threat intelligence mailing list that issued the advisory, was created specifically to address gaps exposed by incidents like the XZ Utils backdoor, providing a centralized channel for distributing active threat intelligence to developers and researchers downstream.
Indicators of Compromise
- Phishing URL: https://sites.google.com/view/workspace-business/join
- Fake email: cra@nmail.biz
- Access key: CDRX-NM71E8T
- Remote IP: 2.26.97.61
- Malicious macOS binary: gapi
Mitigation
OpenSSF recommends verifying any unexpected Slack outreach through a separate, known communication channel before taking action.
Developers should never install root certificates from links, should avoid running downloaded binaries or curl | bash-style commands, and should treat urgent authentication prompts as suspicious until independently verified.
Anyone who may have been compromised should disconnect from the network immediately, remove newly installed certificates, rotate all credentials including GitHub tokens and SSH keys, revoke active sessions, and run endpoint security scans.
Enabling multi-factor authentication on all developer and collaboration accounts is also strongly advised.
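As an added defender-side example (not code from the advisory or from OpenSSF), the indicators listed above matched against a few constructed log lines in an assumed key=value format; the URL check compares host and path rather than the exact string so a query string or trailing slash on the lure does not slip past, and the IP check parses the address instead of comparing text.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators as published in the OpenSSF Siren advisory.
IOC_URL = "https://sites.google.com/view/workspace-business/join"
IOC_IP = ipaddress.ip_address("2.26.97.61")
IOC_EMAIL = "cra@nmail.biz"
IOC_BINARY = "gapi"
_PHISH = urlparse(IOC_URL)

def url_matches(url: str) -> bool:
    """Compare host and path only, so a query string or trailing slash
    added to the lure does not defeat an exact-string comparison."""
    p = urlparse(url.strip())
    return ((p.hostname or "").lower() == _PHISH.hostname
            and p.path.rstrip("/") == _PHISH.path)

def ip_matches(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) == IOC_IP
    except ValueError:  # malformed or non-IP field value
        return False

def binary_matches(path: str) -> bool:
    # Basename match. "gapi" is a short, plausible name, so treat a hit
    # as a lead to confirm via hash, code signature and parent process.
    return path.rsplit("/", 1)[-1] == IOC_BINARY

def scan(lines):
    """Return (line_number, indicator) pairs; assumed (constructed) fields: url=, dst=, exe=, from=."""
    checks = [("url", url_matches, "phishing_url"),
              ("dst", ip_matches, "remote_ip"),
              ("exe", binary_matches, "macos_binary"),
              ("from", lambda a: a.lower() == IOC_EMAIL, "fake_email")]
    hits = []
    for n, line in enumerate(lines, 1):
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        hits += [(n, tag) for key, fn, tag in checks if key in kv and fn(kv[key])]
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "proxy user=dev1 url=https://sites.google.com/view/workspace-business/join?utm=slack",
    "proxy user=dev1 url=https://sites.google.com/view/some-other-site/home",
    "net src=10.0.0.5 dst=2.26.97.61 proto=tcp dport=443",
    "proc user=dev1 exe=/Users/dev1/Downloads/gapi ppid=512",
    "mail from=cra@nmail.biz to=dev1@example.org",
]
```

Running `scan(SAMPLE_LOGS)` flags lines 1, 3, 4 and 5; the second proxy line, on the same Google Sites host but a different path, is correctly left alone.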