xiand.ai
Apr 14, 2026 · Updated 07:26 AM UTC

Attackers impersonate Linux Foundation leaders on Slack to steal developer credentials

A social engineering campaign is using fake Google Sites pages to trick open-source developers into installing malicious root certificates.

Ryan Torres



Cybercriminals are impersonating Linux Foundation officials on Slack to trick open-source developers into compromising their own systems. The campaign specifically targets members of the CNCF and TODO projects, according to security experts.

Attackers use a fraudulent Google Sites page to mimic a legitimate Google Workspace sign-in process. Once developers enter their credentials, the site prompts them to install a fake root certificate masquerading as a Google security measure.

Installing this certificate allows attackers to intercept encrypted traffic and steal sensitive information. On macOS systems, the attack also triggers the download of a malicious binary named 'gapi' from a remote IP address.

Targeted social engineering

Christopher Robinson, CTO of the Open Source Security Foundation (OpenSSF) and chief security architect of the Linux Foundation, identified the campaign as a targeted social engineering effort. He noted that the attack relies on the established reputation of Linux Foundation community leaders to gain trust.

"Installing the certificate enables interception of encrypted traffic and credential theft," Robinson said in a recent security advisory. "Executing the binary may result in full system compromise."

Robinson added that other Linux Foundation projects have faced similar social engineering attempts over the last several months. He noted that the URL structure used in this latest attack is consistent with previous efforts.

Google confirmed it is investigating the misuse of its platform. A spokesperson stated that the company has taken down the spoofed pages and clarified that the incident was an abuse of Google Sites rather than a vulnerability in Google Workspace.

Google also warned users that legitimate authentication processes will never require the manual installation of a root certificate or the downloading of a binary to verify an account.
