Open source developers are being targeted by a social engineering campaign that impersonates a Linux Foundation leader on Slack. The attackers use the fake persona to trick developers into downloading malware, exploiting the trust that these close-knit communities depend on.
The campaign, disclosed on April 7, 2026, by the Open Source Security Foundation (OpenSSF), targeted the Slack workspace of the TODO Group, a Linux Foundation working group for open source program office (OSPO) practitioners, along with related open source communities. The attackers built a convincing fake profile of a well-known Linux Foundation leader and used it to send direct messages containing a phishing link. The link was hosted on Google Sites, so it sat under a genuine google.com hostname. That borrows the hosting provider's reputation and means a quick domain sanity check ("is this a Google URL?") offers no protection, which is how it got past even security-aware developers.
Hackers Impersonate Linux Foundation Leader in Slack to Target Open Source Developers
The attack was first analysed in detail by Socket.dev researchers, who examined its technical execution and described it as a calculated, multi-stage operation. The threat actors exploited the trust inherent in open source communities by posing as a respected figure. The pitch was an exclusive, private AI tool that could analyse open source project dynamics and predict whether a contribution would be merged before a reviewer ever looked at it.
The message stressed exclusivity: the tool was supposedly being shared with only a select few. To reinforce the deception it included a fake email address and an access key, giving the invitation to the fraudulent workspace a veneer of legitimacy. Clicking the phishing link led to a counterfeit authentication flow that harvested the victim's email address and a verification code. Because a verification code is exactly what a genuine sign-in or MFA step asks for, a code typed into this page is usable by the attacker to complete a real sign-in as the victim for as long as it remains valid.
The Infection Mechanism Uncovered
After harvesting credentials, the phishing site told victims to install what it called a "Google certificate". It was in fact an attacker-controlled root certificate. A root certificate does not intercept anything on its own; what it does is make the victim's browsers and tools trust any TLS certificate the attacker issues for any domain. An attacker who can then route the victim's traffic through a proxy, whether on the network path or on the device itself, can decrypt and modify HTTPS sessions without triggering a single certificate warning. That is the capability the most damaging phase was built on, and from this point the attack diverged by operating system.
The platform-specific delivery shows deliberate engineering. On macOS, once the root certificate was installed, a script downloaded and executed a binary named gapi from the remote IP address 2.26.97.61. Running that binary gave the attacker a foothold with potentially full control of the device: reading files, exfiltrating further credentials and executing remote commands.
On Windows, victims were shown the browser's certificate trust dialog asking them to install the malicious certificate; accepting it enabled the same traffic-interception capability. On both platforms the attack followed a four-stage progression: impersonation, phishing, credential harvesting and finally malware delivery, each stage designed to deepen the attacker's access to the victim's environment.
In response, OpenSSF has issued recommendations for developers active in open source Slack communities. Verify identities out of band: never rely on a Slack display name or profile photo, which the account holder sets, and confirm unusual requests through a separate channel you already know belongs to the person (a known email address, a call, a public profile). Treat any request to install a root certificate that arrives by chat or email as suspicious unless it comes from your organisation's IT department through an expected channel; if one was installed, review the trust store (the System keychain on macOS, the Trusted Root Certification Authorities stores on Windows) and remove anything you cannot account for. Enable multi-factor authentication (MFA) on all developer and collaboration accounts. MFA does not stop impersonation, and because this flow harvests a verification code, one-time-code MFA can be phished in real time; phishing-resistant methods such as FIDO2 security keys or passkeys, which are cryptographically bound to the real origin, are the ones that hold up. Even so, any MFA limits the damage when a password alone is compromised.
Indicators of compromise (IoCs) published with the advisory: the phishing URL https://sites.google.com/view/workspace-business/join, the fake email address [email protected], the access key CDRX-NM71E8T, the command and control (C2) IP address 2.26.97.61, and the malicious macOS binary gapi.
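To turn the indicators above into something a responder can actually run, here is an added example, written for this page rather than taken from OpenSSF or Socket.dev, that sweeps several kinds of local telemetry for the published IoCs. The log formats (a proxy log, connection records, a process listing and a Slack DM export) and every sample line are constructed assumptions for illustration. The part worth copying is the matching logic: the phishing link is normalised so it is still caught when it carries a tracking query, a fragment, a trailing slash or a capitalised host; the C2 address is compared as a whole IP rather than a substring; and the dropped binary is matched on its basename so look-alike names do not fire.

```python
"""Sweep local telemetry for the IoCs of the Slack impersonation campaign.
Added example for this page, not code from OpenSSF or Socket.dev. The log
formats are assumptions and every sample line below is constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators as published in the advisory (see the IoC paragraph above).
IOC_URL = "https://sites.google.com/view/workspace-business/join"
IOC_C2_IP = "2.26.97.61"
IOC_BINARY = "gapi"
IOC_ACCESS_KEY = "CDRX-NM71E8T"


@dataclass(frozen=True)
class Finding:
    source: str     # which telemetry the hit came from
    indicator: str  # which IoC matched
    evidence: str   # the raw line, kept for the incident record


def normalize_url(url: str) -> str:
    """Canonicalise a URL: lower-case scheme and host, drop query, fragment
    and trailing slash, so the phishing link matches despite decoration."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    path = parts.path.rstrip("/") or "/"
    return f"{parts.scheme.lower()}://{host}{path}"


def scan_proxy_log(lines):
    """Assumed format: '<timestamp> <client> <method> <url> <status>'."""
    target = normalize_url(IOC_URL)
    for line in lines:
        fields = line.split()
        if len(fields) >= 5 and normalize_url(fields[3]) == target:
            yield Finding("proxy", "phishing-url", line)


# Destination IP in an assumed record '<timestamp> <src>:<port> -> <dst>:<port> <proto>'.
_DST_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def scan_connections(lines):
    """Whole-IP comparison: a substring test would also hit 2.26.97.6."""
    for line in lines:
        m = _DST_RE.search(line)
        if m and m.group(1) == IOC_C2_IP:
            yield Finding("netflow", "c2-ip", line)


def scan_processes(lines):
    """Assumed format: '<pid> <user> <executable path> [args...]'; basename match."""
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and fields[2].rsplit("/", 1)[-1] == IOC_BINARY:
            yield Finding("process", "macos-binary", line)


_URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def scan_chat_export(lines):
    """Slack DM export, one message per line: look for the access key and the link."""
    target = normalize_url(IOC_URL)
    for line in lines:
        if IOC_ACCESS_KEY in line:
            yield Finding("slack", "access-key", line)
        if any(normalize_url(u) == target for u in _URL_RE.findall(line)):
            yield Finding("slack", "phishing-url", line)


SCANNERS = {
    "proxy": scan_proxy_log,
    "netflow": scan_connections,
    "process": scan_processes,
    "slack": scan_chat_export,
}


def hunt(telemetry: dict) -> list:
    """Run each scanner over its telemetry bucket and collect every hit."""
    findings = []
    for name, scanner in SCANNERS.items():
        findings.extend(scanner(telemetry.get(name, [])))
    return findings


# Constructed sample telemetry: one true hit per source plus a near miss each.
SAMPLE_TELEMETRY = {
    "proxy": [
        "2026-04-07T10:02:11Z 10.0.0.12 GET https://sites.google.com/view/workspace-business/join?utm_source=slack 200",
        "2026-04-07T10:02:30Z 10.0.0.12 GET https://sites.google.com/view/workspace-business 200",
    ],
    "netflow": [
        "2026-04-07T10:03:05Z 10.0.0.12:51022 -> 2.26.97.61:443 tcp",
        "2026-04-07T10:03:06Z 10.0.0.12:51023 -> 2.26.97.6:443 tcp",
    ],
    "process": [
        "4812 dev /Users/dev/Downloads/gapi --daemon",
        "4813 dev /usr/bin/gapic",
    ],
    "slack": [
        "[DM] Sharing this with a few people only: key CDRX-NM71E8T, join at https://sites.google.com/view/workspace-business/join",
        "[DM] Thanks, I'll go through the OSPO survey tomorrow",
    ],
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_TELEMETRY):
        print(f"{f.source:8} {f.indicator:14} {f.evidence}")
```

Run as a script it prints five findings for the constructed telemetry (one each from the proxy, connection and process buckets, two from the Slack message that carries both the key and the link); in practice, replace SAMPLE_TELEMETRY with your own exports. The fake email address is deliberately not used as an indicator because it is redacted in the advisory text as reproduced above.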
The ongoing nature of such social engineering attacks underscores the need for continuous vigilance within digital collaboration spaces. Developers are encouraged to stay updated on emerging threats and to follow security advisories issued by organizations like OpenSSF to protect themselves and their projects. The investigation into the full scope and impact of this particular campaign is ongoing, with further analysis expected from cybersecurity researchers.

