Security News

Cybersecurity news aggregator

MEDIUM Attacks The Register Security

Fake Linux leader using Slack to con devs into giving up their secrets

  • What: A social engineering campaign impersonated a Linux Foundation official on Slack
  • Impact: Open source developers were targeted to steal credentials and take over systems

Cyber-crime

Google Sites lure leads to bogus root certificate

Jessica Lyons Mon 13 Apr 2026 // 18:48 UTC

An unknown malware slinger targeting open source software developers via Slack impersonated a real Linux Foundation official and used pages hosted on Google.com to steal developers' credentials and take over their systems.

Open Source Security Foundation (OpenSSF) CTO Christopher Robinson told The Register that the social engineering campaign specifically targets TODO (Talk Openly, Develop Openly) and CNCF (Cloud Native Computing Foundation), two projects hosted by the Linux Foundation. TODO aims to help organizations share best practices and tools for managing open source initiatives, and CNCF supports cloud-native projects including Kubernetes, Envoy, and Prometheus.

After posing as a trusted Linux Foundation community leader in Slack, the attacker tried to trick developers into clicking a phishing link hosted on Google Sites: https://sites[.]google[.]com/view/workspace-business/join. The link imitates a legitimate Google Workspace sign-in flow but leads users into a fraudulent authentication process, prompting them to enter their credentials and then install a fake root certificate masquerading as a Google certificate.

The phony certificate is malware, and on macOS, it downloads and executes a binary (gapi) from a remote IP (2.26.97.61), while on Windows machines, it prompts installation of a malicious certificate via a browser trust dialog.

"Installing the certificate enables interception of encrypted traffic and credential theft," Robinson, who also serves as chief security architect of the Linux Foundation, said in an April 7 security advisory. "Executing the binary may result in full system compromise."

Robinson declined to identify the Linux Foundation official being impersonated via Slack, and he told us that he doesn't know who is responsible for the credential-stealing attempts.

"Based on the folks involved, it could be a targeted attack to leverage that person's reputation using social engineering," he told The Register. "Other LF projects have faced similar social engineering-style efforts in the last several months. This latest effort was very consistent with those, specifically the URL being shared."

A Google spokesperson said that the cloud giant's security analysts are investigating this campaign, and have taken down the spoofed pages.

"This activity was a social engineering campaign that abused Google Sites to host a phishing page; it was not a security vulnerability or an underlying flaw within Google Workspace," a Google spokesperson told us. "We continue to monitor for and mitigate this type of platform abuse to protect the broader ecosystem."

The spokesperson also noted that legitimate Google Workspace authentication will never require a user to manually install a root certificate or download a binary from a link to "verify" an account.

If you think you might have been compromised by this campaign, Robinson urges disconnecting from the network, removing all newly installed certificates, revoking active sessions and tokens, and rotating all credentials.

"This campaign highlights a growing trend: attackers are targeting developer workflows and trust relationships, not just software vulnerabilities," Robinson wrote in the security alert. "Staying vigilant and verifying before acting are critical to protecting both individual environments and the broader open source ecosystem."

This social engineering attempt targeting LF projects follows two other high-profile attacks against open source developers in March. First, attackers hit Trivy, a vulnerability scanner with more than 100,000 users and contributors that is embedded in thousands of CI/CD pipelines. Later in the month, North Korea-linked attackers socially engineered an Axios maintainer, using a fake company and Slack workspace to compromise the maintainer's account and publish malicious versions of the open source JavaScript library containing a remote-access trojan.

"We are seeing more and more developers targeted by this type of activity," Cisco Talos outreach lead Nick Biasini told The Register in an earlier interview about the Trivy and Axios supply chain attacks.

"Attackers are starting to really look at the supply chain and open source packages, and figure out ways to compromise developers to deliver malware or gather data, depending on the type of threat," Biasini said.
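The advisory's point that the "certificate" in this lure is really a downloader suggests a simple content check a responder can run over files collected from a suspect install flow, as part of the "remove newly installed certificates" step. The Python triage below is added here and is not code from the article or from the Linux Foundation advisory; it classifies a file by its leading bytes rather than its extension, and all file names and byte samples are constructed for illustration.

```python
import base64
import re

# Well-known file signatures (general knowledge, not taken from the article).
# 0xCAFEBABE is shared with Java class files, so it means "not a certificate", not "surely Mach-O".
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, either byte order
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                       # universal (fat) Mach-O
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CERTIFICATE_KINDS = {"pem-certificate", "der-certificate"}


def classify_certificate_file(data: bytes) -> str:
    """Say what a file handed out as a 'certificate' actually looks like, judged by content."""
    if data[:4] in MACHO_MAGICS:
        return "macho-executable"
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:2] == b"#!":
        return "script"
    match = PEM_RE.search(data)
    if match:
        try:
            der = base64.b64decode(match.group(1))  # embedded whitespace is discarded
        except ValueError:
            return "malformed-pem"
        return "pem-certificate" if der[:1] == b"\x30" else "malformed-pem"
    # DER-encoded X.509 starts with an ASN.1 SEQUENCE tag (0x30); plausibility check only.
    if data[:1] == b"\x30":
        return "der-certificate"
    return "unknown"


def triage(files: dict) -> list:
    """Return the names of files that were presented as certificates but are not."""
    return sorted(name for name, data in files.items()
                  if classify_certificate_file(data) not in CERTIFICATE_KINDS)


# Constructed samples; none of these bytes or names come from the campaign.
SAMPLES = {
    "real-root.cer": (b"-----BEGIN CERTIFICATE-----\n"
                      + base64.b64encode(b"\x30\x03\x02\x01\x05")
                      + b"\n-----END CERTIFICATE-----\n"),
    "real-root.der": b"\x30\x82\x01\x00" + b"\x00" * 8,
    "verify-account.cer": b"\xcf\xfa\xed\xfe" + b"\x00" * 12,  # Mach-O dressed as a cert
    "verify-account.crt": b"MZ\x90\x00" + b"\x00" * 12,        # PE dressed as a cert
    "install.cer": b"#!/bin/sh\necho constructed sample\n",
}
```

A real certificate parse (subject, issuer, fingerprint against the vendor's published roots) is the next step; this check only stops an executable from being added to a trust store because its name ends in .cer.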