[{"data":1,"prerenderedAt":151},["ShallowReactive",2],{"article-slug-phishing-campaign-targets-open-source-devs-via-slack-and-google-sites":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":38,"sources":39,"events":64,"mitre_techniques":65,"mitre_mitigations":84,"d3fend_countermeasures":102,"iocs":115,"cyber_observables":116,"tags":137,"extract_datetime":141,"article_type":142,"impact_scope":143,"pub_date":43,"reading_time_minutes":150,"createdAt":141,"updatedAt":141},"87848c07-ecfd-4ba0-afd2-fcb71f2390fe","phishing-campaign-targets-open-source-devs-via-slack-and-google-sites","Open-Source Devs Targeted in Sophisticated Phishing Attack Using Slack and Google Sites","Phishing Campaign Impersonates Linux Foundation on Slack to Steal Developer Credentials and Install Malicious Certificates","A sophisticated social engineering campaign is targeting open-source developers on Slack, with attackers impersonating a Linux Foundation official to gain trust. Victims are lured to a fake login page hosted on Google Sites to harvest their credentials. The attack then escalates by tricking the developer into installing a fake 'security certificate,' which is a malicious root certificate enabling the attacker to intercept encrypted traffic. The campaign, which targets members of prominent projects like CNCF, highlights the increasing focus of threat actors on compromising developers as a gateway into the software supply chain.","## Executive Summary\nA highly targeted and sophisticated social engineering campaign is actively targeting developers in the open-source community. Attackers are using a combination of **[Slack](https://slack.com/)** impersonation and malicious pages hosted on **[Google Sites](https://sites.google.com)** to steal credentials and trick developers into installing malicious root certificates. 
The attackers pose as a known representative from the **[Linux Foundation](https://www.linuxfoundation.org/)** to build trust with members of communities like the **[Cloud Native Computing Foundation (CNCF)](https://www.cncf.io/)**. This attack is particularly dangerous because successfully compromising a developer can provide a foothold for a much broader software supply chain attack. The Open Source Security Foundation (**[OpenSSF](https://openssf.org/)**) has issued warnings, advising developers to be extremely vigilant.\n\n## Threat Overview\nThe attack flow is a multi-stage social engineering effort designed to exploit trust within the open-source community.\n\n**Attack Chain:**\n1.  **Impersonation & Contact:** The attacker, posing as a Linux Foundation official, initiates a direct message conversation with a target developer on Slack.\n2.  **Lure:** The attacker provides a link, likely under the guise of collaboration or project verification, which directs the victim to a page created with Google Sites.\n3.  **Credential Theft:** The Google Sites page is a convincing replica of a Google Workspace login portal. The developer is prompted to enter their credentials, which are harvested by the attacker.\n4.  **Certificate Installation:** After stealing the credentials, the attack proceeds to a second stage. The user is prompted to install a \"security certificate\" to gain access. This is the most critical part of the attack.\n5.  **Man-in-the-Middle:** The installed \"certificate\" is a malicious root CA. 
With this installed on the developer's machine, the attacker can perform Man-in-the-Middle (MitM) attacks, intercepting and decrypting all of the victim's network traffic, including access to private code repositories, internal services, and other sensitive information.\n\nThe attack's payload varies by OS, with macOS versions downloading and executing additional malicious binaries.\n\n## Technical Analysis\nThis campaign masterfully combines several TTPs to bypass both technical and human defenses.\n- **Social Engineering:** [`T1649 - Social Engineering`](https://attack.mitre.org/techniques/T1649/) - The entire operation is built on impersonation and manipulation.\n- **Phishing: Spearphishing Link:** [`T1566.002 - Spearphishing Link`](https://attack.mitre.org/techniques/T1566/002/) - A targeted link is delivered via a trusted communication platform (Slack).\n- **Man-in-the-Middle: Rogue CA Certificate:** [`T1557.002 - Rogue CA Certificate`](https://attack.mitre.org/techniques/T1557/002/) - The ultimate goal is to install a malicious root certificate to intercept encrypted traffic. This is a highly effective and dangerous technique.\n- **Credentials from Web Browsers:** [`T1555.003 - Credentials from Web Browsers`](https://attack.mitre.org/techniques/T1555/003/) - The fake login page is designed to steal credentials stored in or entered into the browser.\n- **Command and Scripting Interpreter:** [`T1059 - Command and Scripting Interpreter`](https://attack.mitre.org/techniques/T1059/) - The macOS variant uses scripting to download and execute further payloads.\n\n## Impact Assessment\n- **Software Supply Chain Compromise:** The primary risk is a full-scale supply chain attack. 
A compromised developer could unknowingly commit malicious code to a widely used open-source project, affecting thousands or millions of downstream users.\n- **Intellectual Property Theft:** Attackers can steal proprietary code, API keys, and other sensitive data from the developer's machine and the organizations they work for.\n- **Wider Network Compromise:** The compromised developer's machine can be used as a beachhead to pivot into their employer's corporate network.\n- **Erosion of Trust:** Attacks like this can damage the collaborative and trust-based nature of the open-source community, making developers more hesitant to engage with new contacts.\n\n## Cyber Observables for Detection\nDetection focuses on identifying the installation of untrusted certificates and suspicious process chains.\n\n| Type | Value | Description |\n|---|---|---|\n| log_source | Certificate Store Logs | Monitor for the installation of new root Certificate Authorities on endpoints. This is a rare and highly privileged event. |\n| process_name | `security` (macOS) | On macOS, look for the `security add-trusted-cert` command being executed, especially by scripts or from a browser process. |\n| log_source | Browser History | Look for redirects to suspicious Google Sites URLs, especially if they are followed by a certificate download prompt. |\n| command_line_pattern | `curl ... \\| bash` | Monitor for shell commands that download and execute scripts from the internet, a common infection vector on Linux/macOS. |\n\n## Detection & Response\n- **D3FEND: Certificate Analysis:** Use endpoint security tools to continuously monitor the system's trusted root certificate store. Any addition should trigger a high-severity alert for immediate investigation. This is a direct application of [`D3-CA: Certificate Analysis`](https://d3fend.mitre.org/technique/d3f:CertificateAnalysis).\n- **D3FEND: Process Analysis:** On endpoints, monitor for suspicious process parent-child relationships. 
A browser process should not be spawning a shell script that then calls `security` or `certutil` commands to install a certificate. This is a key part of [`D3-PA: Process Analysis`](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis).\n- **Network Level:** While the malicious certificate allows decryption, outbound connections to the attacker's C2 server can still be detected. Use network traffic analysis to look for connections to newly registered domains or known malicious IP addresses.\n\n## Mitigation\n- **User Training:** This is paramount. Developers must be educated about the specific risks of social engineering within their community. They should be taught to be skeptical of unsolicited DMs, even from apparently trusted individuals, and to verify requests through out-of-band channels. This aligns with [`M1017 - User Training`](https://attack.mitre.org/mitigations/M1017/).\n- **Endpoint Hardening:** Use Mobile Device Management (MDM) or other endpoint management tools to restrict the ability of standard users to install new root certificates. This action should be reserved for administrators and heavily audited.\n- **Phishing-Resistant MFA:** Encourage or enforce the use of phishing-resistant MFA (like FIDO2/WebAuthn) for critical services like code repositories (GitHub, GitLab) and corporate logins. This would have prevented the initial credential theft.\n- **D3FEND: Executable Denylisting:** While not directly applicable to the certificate itself, for the macOS variant, application control policies could prevent the execution of the unsigned binary downloaded by the script. This relates to [`D3-EDL: Executable Denylisting`](https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting).","⚠️ Devs BEWARE: A new phishing campaign on Slack impersonates the Linux Foundation to steal creds via Google Sites & install malicious root certs. The goal: full traffic interception. 
#Phishing #OpenSource #InfoSec #SupplyChainAttack","A sophisticated phishing campaign is targeting open-source developers on Slack and Google Sites, using social engineering to install malicious root certificates for man-in-the-middle attacks.",[13,14,15],"Phishing","Supply Chain Attack","Threat Actor","high",[18,22,25,27,30,32,35],{"name":19,"type":20,"url":21},"Linux Foundation","security_organization","https://www.linuxfoundation.org/",{"name":23,"type":20,"url":24},"Cloud Native Computing Foundation (CNCF)","https://www.cncf.io/",{"name":26,"type":20},"TODO (Talk Openly, Develop Openly)",{"name":28,"type":29},"Google Sites","product",{"name":31,"type":29},"Slack",{"name":33,"type":20,"url":34},"Open Source Security Foundation (OpenSSF)","https://openssf.org/",{"name":36,"type":37},"Google","vendor",[],[40,46,52,58],{"url":41,"title":42,"date":43,"friendly_name":44,"website":45},"https://www.techzine.eu/2026/04/14/attackers-are-targeting-developers-via-slack-and-google-sites/","Attackers are targeting developers via Slack and Google Sites","2026-04-14","Techzine","techzine.eu",{"url":47,"title":48,"date":49,"friendly_name":50,"website":51},"https://www.theregister.com/2026/04/13/linux_foundation_impersonation_phishing/","Fake Linux Foundation leader using Slack to phish devs","2026-04-13","The Register","theregister.com",{"url":53,"title":54,"date":55,"friendly_name":56,"website":57},"https://www.helpnetsecurity.com/2026/04/08/social-engineering-attacks-open-source-developers/","Social engineering attacks on open source developers are escalating","2026-04-08","Help Net Security","helpnetsecurity.com",{"url":59,"title":60,"date":61,"friendly_name":62,"website":63},"https://malware.news/t/social-engineering-attack-targets-open-source-developers-via-slack-impersonation/83287","Social Engineering Attack Targets Open Source Developers via Slack Impersonation","2026-04-09","Malware 
News","malware.news",[],[66,70,74,78,81],{"id":67,"name":68,"tactic":69},"T1566.002","Spearphishing Link","Initial Access",{"id":71,"name":72,"tactic":73},"T1557.002","Rogue CA Certificate","Credential Access",{"id":75,"name":76,"tactic":77},"T1059","Command and Scripting Interpreter","Execution",{"id":79,"name":80,"tactic":69},"T1649","Social Engineering",{"id":82,"name":83,"tactic":77},"T1204.002","Malicious File",[85,90,94,98],{"id":86,"name":87,"description":88,"domain":89},"M1017","User Training","Educate developers on the specific social engineering tactics used against them, including impersonation on community platforms like Slack.","enterprise",{"id":91,"name":92,"description":93,"domain":89},"M1032","Multi-factor Authentication","Implement phishing-resistant MFA (FIDO2) to protect accounts even if credentials are stolen.",{"id":95,"name":96,"description":97,"domain":89},"M1022","Restrict File and Directory Permissions","Use endpoint management to restrict users' ability to install new root certificates, a high-privilege action.",{"id":99,"name":100,"description":101,"domain":89},"M1021","Restrict Web-Based Content","Use web filtering to block access to known malicious domains and potentially categorize and warn on access to uncategorized hosting sites.",[103,109],{"technique_id":104,"technique_name":105,"url":106,"recommendation":107,"mitre_mitigation_id":108},"D3-CA","Certificate Analysis","https://d3fend.mitre.org/technique/d3f:CertificateAnalysis","The core of this attack is the installation of a malicious root certificate. Therefore, continuous monitoring of the trusted certificate stores on developer endpoints is the most direct and effective detective control. EDR (Endpoint Detection and Response) solutions or specialized configuration management tools should be configured to generate a high-priority, non-ignorable alert whenever a new root or intermediate certificate is added to any machine's trust store. 
This is not a normal user activity and should be treated as a potential compromise until proven otherwise. The alert should trigger an automated incident response workflow, which could include isolating the affected machine from the network and collecting forensic data. Security teams should maintain a 'golden image' or allowlist of approved root CAs for their environment, and any deviation should be investigated immediately. This proactive analysis turns a stealthy persistence mechanism into a loud alarm.","M1047",{"technique_id":110,"technique_name":111,"url":112,"recommendation":113,"mitre_mitigation_id":114},"D3-PA","Process Analysis","https://d3fend.mitre.org/technique/d3f:ProcessAnalysis","To detect the attack before the certificate is even installed, security teams should leverage Process Analysis on developer workstations. A key anomalous behavior in this attack is the process chain. A web browser (e.g., `chrome.exe`, `firefox.exe`) should not be the parent process for a command-line utility that modifies system security settings, such as `certutil.exe` on Windows or `security` on macOS. EDR tools should be configured with detection rules that specifically look for these suspicious parent-child process relationships. For example: `ParentProcess: chrome.exe -> ChildProcess: cmd.exe -> GrandchildProcess: certutil.exe -addstore root...`. This type of behavioral detection is highly effective at catching the execution phase of the attack, regardless of the specific malware or script being used. 
It focuses on the attacker's actions on the objective, providing a robust defense against this class of social engineering attacks.","M1049",[],[117,122,127,131],{"type":118,"value":119,"description":120,"context":121,"confidence":16},"event_id","Any change to Trusted Root Certificate Authorities store","The installation of a new root certificate is a very rare and highly suspicious event on a user endpoint and should be investigated immediately.","Windows Event Logs (CAPI2), EDR alerts, MDM audit logs",{"type":123,"value":124,"description":125,"context":126,"confidence":16},"command_line_pattern","security add-trusted-cert","On macOS, this command is used to add a certificate to the trusted store. Its execution by a non-administrator or via a script is highly suspect.","EDR, command-line logging",{"type":123,"value":128,"description":129,"context":130,"confidence":16},"certutil -addstore root","On Windows, this command adds a certificate to the root store. Its execution, especially from a browser or script process, is a major red flag.","EDR, PowerShell logging, command-line logging (Event ID 4688)",{"type":132,"value":133,"description":134,"context":135,"confidence":136},"url_pattern","sites.google.com/view/[long-random-string]","Attackers are abusing Google Sites for hosting. While the domain is legitimate, traffic to unfamiliar or suspicious-looking Google Sites pages from corporate environments warrants scrutiny.","Web proxy logs, DNS logs","medium",[13,80,138,19,31,28,139,140],"Open Source","Man-in-the-Middle","Root Certificate","2026-04-14T15:00:00.000Z","NewsArticle",{"geographic_scope":144,"industries_affected":145,"other_affected":148},"global",[146,147],"Technology","Other",[149],"open-source software users",7,1776260642898]