
Fake Linux leader using Slack to con devs into giving up their secrets

(2026/04/13)


Imagine getting asked to do something by a person in authority. An unknown malware slinger targeting open source software developers via Slack impersonated a real Linux Foundation official and used pages hosted on Google.com to steal developers' credentials and take over their systems.

Open Source Security Foundation (OpenSSF) CTO Christopher Robinson told The Register that the social engineering campaign specifically targets TODO (Talk Openly, Develop Openly) and CNCF (Cloud Native Computing Foundation), two projects hosted by the Linux Foundation.

TODO aims to help organizations share best practices and tools for managing open source initiatives, and CNCF supports cloud-native projects including Kubernetes, Envoy, and Prometheus.


After posing as a trusted Linux Foundation community leader in Slack, the attacker tried to trick developers into clicking a phishing link hosted on Google Sites: https://sites[.]google[.]com/view/workspace-business/join.


The link imitates a legitimate Google Workspace sign-in flow but leads users into a fraudulent authentication process, prompting them to enter their credentials and then install a fake root certificate masquerading as a Google certificate.

The phony certificate is malware, and on macOS, it downloads and executes a binary (gapi) from a remote IP (2.26.97.61), while on Windows machines, it prompts installation of a malicious certificate via a browser trust dialog.
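As a defender-side check, here is an added example (not code from the article, OpenSSF or Google) that scans proxy log lines for the indicators quoted above: the Google Sites phishing path, the 2.26.97.61 address that served the macOS binary, the "gapi" file name, and the two additional ranges a reader reports in the comment below. The log line format and the sample lines are assumptions constructed for the example.

```python
"""Flag proxy log lines that match the indicators reported for this campaign."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the article and in the reader comment on the page.
PHISH_URL_PREFIX = "https://sites.google.com/view/workspace-business/"
C2_NETWORKS = [ipaddress.ip_network("2.26.97.61/32"),   # served the macOS binary
               ipaddress.ip_network("2.26.112.0/24"),   # ranges reported by a reader
               ipaddress.ip_network("2.26.102.0/24")]
BINARY_NAME = "gapi"

# Assumed log format: "<timestamp> <client-ip> <method> <url> <destination-ip>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample log (not real traffic); one benign Slack call, the phishing
# page, the binary download from the C2 address, and an unrelated Google Site.
SAMPLE_LOG = [
    "2026-04-07T10:01:02Z 10.0.0.5 GET https://slack.com/api/conversations.list 3.5.5.5",
    "2026-04-07T10:02:10Z 10.0.0.5 GET https://sites.google.com/view/workspace-business/join 142.250.1.1",
    "2026-04-07T10:03:33Z 10.0.0.5 GET http://2.26.97.61/gapi 2.26.97.61",
    "2026-04-07T10:04:00Z 10.0.0.7 GET https://sites.google.com/view/other-team/home 142.250.1.1",
]

def check_line(line):
    """Return (timestamp, client, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, dst = m.groups()
    reasons = []
    url = url.replace("[.]", ".")  # accept defanged URLs as they appear in advisories
    # Match host plus path prefix: sites.google.com as a whole is legitimate, so a
    # host-only rule would drown the hit in benign traffic.
    if url.startswith(PHISH_URL_PREFIX):
        reasons.append("phishing page")
    # Outbound connection to the address that served the binary, or to the
    # reader-reported ranges.
    try:
        if any(ipaddress.ip_address(dst) in net for net in C2_NETWORKS):
            reasons.append(f"C2 range {dst}")
    except ValueError:
        pass
    # Request for the dropped binary by name; noisier on its own, so keep it as a
    # secondary reason and correlate with the other two.
    if urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1] == BINARY_NAME:
        reasons.append("gapi download")
    return (ts, client, reasons) if reasons else None

def scan(lines):
    """Run check_line over every line and keep the hits in log order."""
    return [hit for hit in (check_line(l) for l in lines) if hit]
```

Feed `scan()` your own proxy export in the assumed format; a client that hits the phishing page and then the C2 address within minutes is the pattern the advisory's remediation steps apply to.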

"Installing the certificate enables interception of encrypted traffic and credential theft," Robinson, who also serves as chief security architect of the Linux Foundation, said in an April 7 security advisory [4]. "Executing the binary may result in full system compromise."

Robinson declined to identify the Linux Foundation official being impersonated via Slack, and he told us that he doesn't know who is responsible for the credential-stealing attempts.


"Based on the folks involved, it could be a targeted attack to leverage that person's reputation using social engineering," he told The Register. "Other LF projects have faced similar social engineering-style efforts in the last several months. This latest effort was very consistent with those, specifically the URL being shared."

A Google spokesperson said that the cloud giant's security analysts are investigating this campaign, and have taken down the spoofed pages.

"This activity was a social engineering campaign that abused Google Sites to host a phishing page; it was not a security vulnerability or an underlying flaw within Google Workspace," a Google spokesperson told us. "We continue to monitor for and mitigate this type of platform abuse to protect the broader ecosystem."


The spokesperson also noted that legitimate Google Workspace authentication will never require a user to manually install a root certificate or download a binary from a link to "verify" an account.

If you think you might have been compromised by this campaign, Robinson urges disconnecting from the network, removing all newly installed certificates, revoking active sessions and tokens, and rotating all credentials.

"This campaign highlights a growing trend: attackers are targeting developer workflows and trust relationships, not just software vulnerabilities," Robinson wrote in the security alert. "Staying vigilant and verifying before acting are critical to protecting both individual environments and the broader open source ecosystem."

This social engineering attempt targeting LF projects follows two other high-profile attacks against open source developers in March.

First, attackers hit Trivy [11], a vulnerability scanner with more than 100,000 users and contributors that is embedded in thousands of CI/CD pipelines. Later in the month, North Korea-linked attackers socially engineered an Axios maintainer [12], using a fake company and Slack workspace to compromise the maintainer's account and publish malicious versions of the open source JavaScript library containing a remote-access trojan.

"We are seeing more and more developers targeted by this type of activity," Cisco Talos outreach lead Nick Biasini told The Register [13] in an earlier interview about the Trivy and Axios supply chain attacks.

"Attackers are starting to really look at the supply chain and open source packages, and figure out ways to compromise developers to deliver malware or gather data, depending on the type of threat," Biasini said.



[4] https://lists.openssf-vuln.org/g/siren/message/7

[7] https://www.theregister.com/2026/04/11/trivy_axios_supply_chain_attacks/

[8] https://www.theregister.com/2026/03/31/axios_npm_backdoor_rat/

[9] https://www.theregister.com/2026/04/02/mercor_supply_chain_attack/

[10] https://www.theregister.com/2026/03/24/1k_cloud_environments_infected_following/

[11] https://www.theregister.com/2026/03/24/1k_cloud_environments_infected_following/

[12] https://www.theregister.com/2026/03/31/axios_npm_backdoor_rat/

[13] https://www.theregister.com/2026/04/11/trivy_axios_supply_chain_attacks/



About this IP: 2.26.97.61

VoiceOfTruth

We have seen numerous compromise attempts from this IP range. And a couple more ranges: 2.26.112.0/24, 2.26.102.0/24.

The WHOIS registration information shows the same information: PLAY2GO. It seems to be more than a coincidence that we got so many stupid attempts from play2go IPs. Blocking them completely caused zero problems to us.
