Cybercriminals are impersonating Linux Foundation officials to steal developer credentials through fake Google Sites pages and malicious certificates.
A sophisticated phishing campaign is targeting open source developers by impersonating Linux Foundation officials and using Google Sites to steal credentials and compromise systems.
The Attack Vector
The attackers pose as trusted Linux Foundation community leaders in Slack, specifically targeting developers working on TODO (Talk Openly, Develop Openly) and CNCF (Cloud Native Computing Foundation) projects. These projects support critical open source initiatives including Kubernetes, Envoy, and Prometheus.
When developers interact with the impersonated official, they receive a phishing link hosted on Google Sites: https://sites[.]google[.]com/view/workspace-business/join. The page mimics a legitimate Google Workspace sign-in flow but leads to a fraudulent authentication process.
The Malware Delivery
After entering their credentials, victims are prompted to install a fake root certificate masquerading as a Google certificate. The phony certificate is itself the malicious payload: once trusted by the system, it lets the attackers intercept encrypted (TLS) traffic and steal credentials.
On macOS systems, the attack downloads and executes a binary named "gapi" from remote IP address 2.26.97.61. Windows machines receive a malicious certificate installation prompt through the browser trust dialog.
Security Response
Christopher Robinson, CTO of the Open Source Security Foundation and chief security architect of the Linux Foundation, issued a security advisory on April 7 warning about the campaign. He emphasized that "installing the certificate enables interception of encrypted traffic and credential theft" and that "executing the binary may result in full system compromise."
Google has taken down the spoofed pages after investigating the campaign. A Google spokesperson stated that this was "a social engineering campaign that abused Google Sites to host a phishing page" rather than a security vulnerability in Google Workspace.
Broader Context
This attack follows a pattern of increasingly sophisticated targeting of open source developers. In March alone, two other high-profile attacks hit the open source community:
- Trivy, a vulnerability scanner with over 100,000 users, was compromised
- North Korea-linked attackers socially engineered an Axios maintainer to publish malicious versions containing remote-access trojans
Cisco Talos outreach lead Nick Biasini noted that "attackers are starting to really look at the supply chain and open source packages, and figure out ways to compromise developers to deliver malware or gather data."
Protection Measures
If you suspect compromise, Robinson recommends:
- Disconnecting from the network immediately
- Removing all newly installed certificates
- Revoking active sessions and tokens
- Rotating all credentials
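The "removing all newly installed certificates" step presumes you can tell which roots are new. As an added example (not code from the advisory or the Linux Foundation), this stdlib-only Python script diffs a trust-store export against a baseline snapshot and names each added root; the export commands (e.g. `security find-certificate -a -p /Library/Keychains/System.keychain` on macOS) and the sample certificates are assumptions, and the fixtures are constructed DER-like blobs, not real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (commonName)

def parse_pem_bundle(text):
    """Map SHA-256 fingerprint -> DER bytes for every certificate in a PEM bundle."""
    certs = {}
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))
        certs[hashlib.sha256(der).hexdigest()] = der
    return certs

def common_name(der):
    """Best-effort CN: the string after the first commonName OID. In a real certificate that
    is the issuer's CN; for a self-signed root, issuer and subject coincide. Short-form DER
    lengths only; use a real X.509 parser for anything authoritative."""
    idx = der.find(CN_OID)
    pos = idx + len(CN_OID) + 1  # skip the string tag byte (UTF8String/PrintableString)
    if idx < 0 or pos >= len(der):
        return None
    length = der[pos]
    if length & 0x80:  # long-form length, not handled in this triage helper
        return None
    return der[pos + 1:pos + 1 + length].decode("utf-8", "replace")

def audit_trust_store(baseline_pem, current_pem):
    """Return [(fingerprint, cn)] for certificates present now but absent from the baseline."""
    baseline = parse_pem_bundle(baseline_pem)
    current = parse_pem_bundle(current_pem)
    return [(fp, common_name(der)) for fp, der in current.items() if fp not in baseline]

def _fake_pem(cn):
    """Constructed fixture: a minimal DER-like blob wrapped as PEM, NOT a real certificate."""
    name = cn.encode()
    der = b"\x30" + bytes([len(name) + 7]) + CN_OID + b"\x0c" + bytes([len(name)]) + name
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample: the baseline had one corporate root; a lookalike "Google" root appeared later.
BASELINE = _fake_pem("Example Corporate Root CA")
CURRENT = BASELINE + _fake_pem("Google Workspace CA")

if __name__ == "__main__":
    for fp, cn in audit_trust_store(BASELINE, CURRENT):
        print(f"NEW ROOT  sha256={fp[:16]}...  CN={cn}")
```

Any root the script reports that you did not knowingly install is a candidate for removal, and its fingerprint is the value to share with your incident responders.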
This campaign highlights a growing trend where attackers target developer workflows and trust relationships rather than software vulnerabilities. As Robinson wrote in the security alert, "staying vigilant and verifying before acting are critical to protecting both individual environments and the broader open source ecosystem."
The attack demonstrates how cybercriminals are increasingly exploiting trusted platforms and social engineering to compromise the software supply chain, making it essential for developers to verify communications and be cautious of unexpected requests, even from seemingly authoritative sources.