A large-scale campaign is targeting developers on GitHub with fake Visual Studio Code (VS Code) security alerts posted in the Discussions section of various projects, to trick users into downloading malware.

The spammy posts are crafted as vulnerability advisories and use realistic titles like “Severe Vulnerability — Immediate Update Required,” often including fake CVE IDs and urgent language.

In many cases, the threat actor impersonates real code maintainers or researchers for a false sense of legitimacy.