OpenSSF Flags Malware Campaign on Slack Posing as Linux Foundation Figures


HackRead
Apr 13, 2026

Why It Matters

The attack compromises developer machines, exposing open‑source projects to supply‑chain risk and highlighting the need for stricter verification of communications in collaborative platforms.

Key Takeaways

  • Scammers impersonate Linux Foundation leaders in Slack messages.
  • Fake AI tool lure redirects to malicious Google‑styled site.
  • Malicious root certificate enables full system takeover on macOS.
  • Windows victims are prompted to trust a counterfeit certificate.
  • Campaign linked to North Korean state‑sponsored hacking groups.

Pulse Analysis

OpenSSF’s recent advisory underscores a growing trend: cybercriminals exploiting collaboration tools like Slack to infiltrate the open‑source ecosystem. By masquerading as trusted Linux Foundation figures, the attackers leverage the credibility of community leaders to bypass initial skepticism. The phishing lure—a “secret AI tool” that predicts code acceptance—plays on developers’ appetite for efficiency, making the social engineering vector especially potent in niche professional workspaces such as the TODO Group.

Technically, the campaign hinges on a malicious root certificate that grants attackers unfettered access to encrypted traffic and system resources. On macOS, the payload delivers a file named "gapi" capable of full system takeover, while on Windows users are prompted to install a counterfeit certificate. This dual‑OS approach mirrors earlier attacks on Node.js contributors, suggesting a modular playbook refined by North Korean state‑sponsored actors. The Google‑styled landing page adds a veneer of legitimacy, further blurring the line between legitimate cloud services and malicious infrastructure.

For developers and organizations, the incident is a reminder to enforce strict verification protocols: never trust unsolicited messages, especially those requesting certificate installations or credential entry. Enabling multi‑factor authentication, employing email and domain authentication standards, and educating teams about impersonation tactics are essential defenses. As open‑source projects continue to form the backbone of modern software, safeguarding the channels through which contributors communicate is critical to maintaining the integrity of the broader software supply chain.
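One concrete check that follows from the root-certificate step, added here as an example and not taken from the OpenSSF advisory or the HackRead report: export the system trust store to PEM (on macOS, `security find-certificate -a -p /Library/Keychains/System.keychain > roots.pem` is one way), fingerprint every certificate with SHA-256, and report any root that an approved baseline does not list. The sample "certificates" below are constructed byte strings, not real X.509 data, so the script runs offline.

```python
import base64
import hashlib
import re

# Matches each CERTIFICATE block in a PEM bundle and captures its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_blobs(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode(re.sub(r"\s+", "", body))
            for body in PEM_BLOCK.findall(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, same form as `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def unexpected_roots(pem_text: str, baseline: set[str]) -> list[str]:
    """Fingerprints present in the exported trust store but absent from the approved baseline."""
    found = (sha256_fingerprint(der) for der in pem_to_der_blobs(pem_text))
    return [fp for fp in found if fp not in baseline]


def _fake_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (constructed sample data, not a real certificate)."""
    b64 = base64.b64encode(payload).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins: one root the organisation approved, one that was not.
APPROVED_ROOT = b"constructed stand-in for an approved root CA (not real DER)"
INJECTED_ROOT = b"constructed stand-in for an unapproved root CA (not real DER)"
SAMPLE_EXPORT = _fake_pem(APPROVED_ROOT) + _fake_pem(INJECTED_ROOT)
BASELINE = {sha256_fingerprint(APPROVED_ROOT)}

if __name__ == "__main__":
    for fp in unexpected_roots(SAMPLE_EXPORT, BASELINE):
        print("root not in baseline:", fp)
```

In practice the baseline is the fingerprint set of a freshly provisioned machine, and the check runs on a schedule so an unexpected root shows up as a finding rather than silently intercepting traffic.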
