Fake Linux leader using Slack to con devs into giving up their secrets

Summary

An impersonator posing as a Linux Foundation community leader used Slack to trick developers working on TODO and CNCF projects into visiting a Google Sites phishing page. The page mimicked Google Workspace authentication, asked for credentials and prompted users to install a bogus root certificate that is actually malware. On macOS the certificate triggers a binary (gapi) download and execution from a remote IP; on Windows it prompts a malicious certificate installation. The Linux Foundation’s OpenSSF has issued an advisory; Google removed the spoofed pages and is investigating.

Key Points

  • Attackers impersonated a trusted Linux Foundation official in Slack to target open-source developers.
  • Phishing pages were hosted on Google Sites; the link used, https://sites.google.com/view/workspace-business/join, spoofed the Google Workspace sign-in page.
  • The fake flow asked for credentials and to install a root certificate, which is malicious and enables interception of encrypted traffic.
  • macOS victims saw a binary (gapi) downloaded from a remote IP; Windows victims were prompted to trust a malicious certificate via the browser.
  • Google removed the pages and clarified Workspace will never ask users to manually install root certificates to authenticate.

Content summary

The campaign specifically targeted contributors to TODO (Talk Openly, Develop Openly) and CNCF projects hosted by the Linux Foundation. After gaining a foothold in community Slack channels by impersonation, the attacker pushed a Google Sites link that mimicked the legitimate sign-in sequence. The subsequent request to install a root certificate is the key malicious step: once installed it allows man-in-the-middle interception, credential theft and — on macOS — execution of a downloaded binary that may lead to full system compromise.

OpenSSF CTO Christopher Robinson warned developers to disconnect from networks, remove newly installed certificates, revoke sessions and tokens, and rotate credentials if they suspect compromise. The incident is part of a wider trend of attackers targeting developer workflows and supply chains, following recent incidents affecting Trivy and an npm package used by many projects.
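As an added example (not code from the article or from OpenSSF), the following Python script turns the "remove newly installed certificates" step into a check: it diffs a macOS keychain export against a known-good fingerprint baseline and lists roots that should not be there. It assumes the block format printed by `security find-certificate -a -Z /Library/Keychains/System.keychain` (each certificate starting at a `SHA-256 hash:` line and carrying a `"labl"<blob>="..."` attribute); the sample export and baseline below are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    sha256: str  # hex fingerprint, upper-case, no separators
    label: str   # the keychain "labl" attribute (usually the subject CN)


def parse_keychain_export(text: str) -> list[Cert]:
    """Parse the blocks printed by `security find-certificate -a -Z` (assumed
    format): each certificate starts at a 'SHA-256 hash:' line and later has a
    '"labl"<blob>="<name>"' attribute line. Other lines are ignored."""
    certs, sha256, label = [], None, "<unlabelled>"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SHA-256 hash:"):
            if sha256 is not None:  # close the previous certificate block
                certs.append(Cert(sha256, label))
            sha256 = line.split(":", 1)[1].strip().upper()
            label = "<unlabelled>"
            continue
        m = re.match(r'"labl"<blob>="(.*)"$', line)
        if m:
            label = m.group(1)
    if sha256 is not None:
        certs.append(Cert(sha256, label))
    return certs


def unexpected_roots(export_text: str, baseline_sha256: set[str]) -> list[Cert]:
    """Certificates in the export whose fingerprint is absent from a known-good
    baseline (a clean fleet image or an untouched machine's export)."""
    baseline = {h.replace(":", "").upper() for h in baseline_sha256}
    return [c for c in parse_keychain_export(export_text) if c.sha256 not in baseline]


# Constructed sample export: two roots, only the first is in the baseline.
SAMPLE_EXPORT = """\
SHA-256 hash: AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
attributes:
    "labl"<blob>="Example Trusted Root CA"
SHA-256 hash: BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
attributes:
    "labl"<blob>="Google Workspace Authentication Root"
"""
BASELINE_SHA256 = {"aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111"}

if __name__ == "__main__":
    for cert in unexpected_roots(SAMPLE_EXPORT, BASELINE_SHA256):
        print(f"UNEXPECTED root: {cert.label} sha256={cert.sha256}")
```

The Windows equivalent is the `Cert:\LocalMachine\Root` store exposed to PowerShell, which needs its own export parser since its listing format differs.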

Context and relevance

This is important for anyone involved in open-source development, CI/CD or package maintenance. Attackers are increasingly focusing on trust relationships and developer tooling rather than exploiting only software vulnerabilities. If a malicious actor controls a developer’s environment or credentials they can push malware into widely used packages and pipelines, amplifying impact across the ecosystem.

Why should I read this

Look — if you touch open-source code, repos or CI pipelines, this directly matters. Don’t be the one who clicks a Slack link because it looks legit. Quick wins: never install a root cert from an unsolicited page, double-check URLs, verify requests inside the project channel, use hardware 2FA where possible, and rotate creds if you even sniff trouble. We read the detail so you don’t have to — but actually follow the fixes.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/04/13/linux_foundation_social_engineering/