Linux Foundation Leader Impersonated in Slack Attack on Open Source Developers

A social engineering campaign is actively targeting open source developers through Slack.

The warning was shared through the OpenSSF Siren mailing list, a public threat intelligence platform designed to alert developers and security teams about active threats after initial disclosure.

The advisory was authored by Christopher “CRob” Robinson, CTO and Chief Security Architect at OpenSSF.

The campaign relies on a carefully crafted social engineering chain that unfolds in multiple stages. Attackers infiltrate Slack communities, particularly those linked to the Linux Foundation’s TODO Group, and impersonate well-known figures to gain trust.

A trusted Linux Foundation community leader on Slack, according to a high-severity advisory released on April 7 by the Open Source Security Foundation (OpenSSF).

The phishing page mimics a workspace invitation and prompts users to enter their email and a verification code. Once credentials are captured, the victim is instructed to install what is presented as a “Google certificate.”

In reality, this is a malicious root certificate designed to intercept encrypted traffic.

Victims receive direct messages containing a link hosted on Google Sites, which appears legitimate at first glance.

The attack then diverges based on the victim’s operating system. On macOS, a script downloads and executes a binary named “gapi” from a remote server, potentially leading to full system compromise.

On Windows, users are guided through a browser-based certificate installation process, enabling similar traffic interception.

AI-Themed Lure Used

In at least one observed case, the attacker used an AI-related pitch to entice the victim. Posing as a Linux Foundation leader, the attacker claimed to be developing a private tool capable of predicting which open source contributions would be accepted before review.

The message emphasized exclusivity, stating the tool was only being shared with a select group. It included a phishing link, a fake email address, and an access key to enhance credibility.

Security researchers noted that the attacker’s Slack account has since been deactivated, likely following detection by workspace administrators.

This campaign highlights how attackers are increasingly exploiting the trust-based nature of open source ecosystems. Developers often collaborate with known community members, making impersonation attacks particularly effective.

The use of legitimate infrastructure, such as Google Sites, further increases the likelihood of success by bypassing basic security checks and avoiding suspicion.

Researchers also point to a broader trend of targeting high-value open source contributors. Similar campaigns have recently focused on maintainers of widely used projects like Fastify, Lodash, and Node.js.

Some of these attacks have been linked to threat actors with ties to North Korea, although attribution in this case remains unclear.

Mitigations

OpenSSF advises developers and contributors to adopt stricter verification practices when interacting on Slack and similar platforms:

  • Verify identities through separate communication channels before acting on requests.
  • Avoid installing certificates from unsolicited links.
  • Do not execute unknown scripts or binaries, especially those delivered via messaging platforms.
  • Treat unexpected authentication or security prompts with caution.

If compromise is suspected, users should immediately disconnect from networks, remove any installed certificates, run security scans, and rotate all credentials, including GitHub accounts, SSH keys, and cloud access tokens.

This campaign underscores a growing shift in attacker strategy: instead of targeting code directly, threat actors are increasingly focusing on the developers behind it.

Related Articles

Back to top button