Fake Linux Leader Using Slack to Con Devs Into Giving up Their Secrets


The Register, Apr 13, 2026

Why It Matters

By compromising developer credentials and environments, attackers can infiltrate critical open‑source projects and downstream supply chains, posing systemic risk to the broader software ecosystem.

Key Takeaways

  • Attacker impersonated Linux Foundation leader on Slack
  • Phishing link hosted on Google Sites mimics Workspace sign‑in
  • Victims are told to install a rogue root certificate, which lets the attacker intercept HTTPS traffic and steal credentials
  • macOS victims are then prompted to download a binary named gapi from 2.26.97.61
  • Recent attacks also hit Trivy scanner and Axios maintainer

Pulse Analysis

The open‑source community is now a prime target for credential‑theft campaigns that exploit trusted communication channels. In early April, a threat actor posing as a Linux Foundation community leader sent a Slack message to developers working on the TODO and CNCF projects, directing them to a Google Sites page that copied the Google Workspace sign‑in flow. The page asked users to install a root certificate and then download a binary named gapi. Because the page sat on a Google‑owned domain and wore a familiar brand, URL‑reputation filters had little to flag, and the attackers gained a foothold in developers' environments.

A rogue root certificate that the victim's machine trusts lets the attacker mint certificates for any site the browser will accept, so an adversary positioned on the victim's network path can terminate HTTPS sessions, read them in clear, and harvest the credentials and session tokens passing through. On macOS the page then offers the gapi binary, downloaded from 2.26.97.61, which runs with the logged‑in user's privileges; on Windows the victim is instead shown a browser prompt to trust the same certificate. The campaign mirrors recent supply‑chain intrusions such as the Trivy vulnerability scanner compromise and the Axios maintainer breach, underscoring a shift from exploiting code flaws to compromising the people and workflows that deliver open‑source software.

Defending against such social‑engineering attacks requires a layered approach. Organizations should enforce multi‑factor authentication, restrict the installation of new root certificates, and train developers to confirm through a second channel any request to enter credentials or install a certificate, especially when it arrives over an informal channel like Slack. The Linux Foundation's advisory recommends immediate network isolation, removal of unknown certificates, token revocation, and credential rotation. As attackers continue to weaponize trust relationships, the broader open‑source ecosystem must adopt stricter identity‑verification practices and continuous monitoring to preserve the integrity of critical infrastructure.
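The "removal of unknown certificates" step above needs a way to tell a vendor‑shipped root from one a developer was talked into installing. The script below, an added example that is not code from The Register article or from the Linux Foundation advisory, does that by fingerprinting every certificate in a PEM export of the trust store and diffing it against a baseline of SHA‑256 fingerprints captured from a clean machine. The baseline approach, the helper names and the sample certificate blobs are assumptions of this example; the blobs are constructed placeholders, not real certificates. On a real export, the fingerprints it prints match what `openssl x509 -noout -fingerprint -sha256` prints for the same certificate.

```python
# Added example, not from The Register article or the Linux Foundation advisory:
# audit a trust-store export for root certificates missing from a known-good baseline.
#
# Real input would be a PEM bundle exported from the trust store, for example on macOS:
#   security find-certificate -a -p /Library/Keychains/System.keychain
#   security find-certificate -a -p ~/Library/Keychains/login.keychain-db
# The baseline is a set of SHA-256 fingerprints taken from a machine that has not
# visited the phishing page. Only the standard library is used.
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_body: str) -> bytes:
    """Decode the base64 body between the PEM markers into DER bytes."""
    return base64.b64decode("".join(pem_body.split()))


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted like openssl's -fingerprint -sha256 output."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def fingerprints(bundle: str) -> list[str]:
    """Fingerprint every certificate in a PEM bundle, in order of appearance."""
    return [sha256_fingerprint(pem_to_der(m.group(1))) for m in PEM_CERT.finditer(bundle)]


def unknown_roots(bundle: str, baseline: set[str]) -> list[str]:
    """Fingerprints present in the export but absent from the baseline: review and remove."""
    return [fp for fp in fingerprints(bundle) if fp not in baseline]


# Constructed sample data (assumption of this example, not real certificates): arbitrary
# bytes wrapped in PEM markers so that the bundle parses like a real trust-store export.
def _fake_pem(payload: bytes) -> str:
    body = base64.b64encode(payload).decode()
    lines = [body[i : i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


BASELINE_EXPORT = _fake_pem(b"constructed: vendor-shipped root present on the clean image")
SUSPECT_EXPORT = BASELINE_EXPORT + _fake_pem(b"constructed: root added after the Slack message")

# Captured once from a clean machine and kept with the incident-response tooling.
BASELINE = set(fingerprints(BASELINE_EXPORT))


if __name__ == "__main__":
    for fp in unknown_roots(SUSPECT_EXPORT, BASELINE):
        print("not in baseline, review and remove:", fp)
```

Run it against exports from both the system keychain and the user's login keychain, since a developer without admin rights can still add a root to the login keychain. On macOS, `security dump-trust-settings -d` separately lists certificates that were given admin trust settings, which is where a user-installed root would show up even if its fingerprint is unfamiliar.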

