Fake Linux Foundation leader using Slack to con devs into handing over secrets

The scam
It has been reported that an unknown attacker impersonated a Linux Foundation community leader in Slack and lured open-source maintainers to a Google Sites phishing page: https://sites[.]google[.]com/view/workspace-business/join. The campaign specifically targeted TODO (Talk Openly, Develop Openly) and CNCF projects, asking developers to follow what looked like a Workspace sign-in flow and then to install what was presented as a Google root certificate. Trust exploited. Confidence weaponized.
How the lure worked
According to the Linux Foundation’s OpenSSF CTO Christopher Robinson, the fake sign-in flow prompted users to enter credentials and then install a root certificate that is allegedly malicious. On macOS the certificate installation reportedly downloads and executes a binary named gapi from 2.26.97.61; Windows users are allegedly shown a browser dialog to add the bogus certificate. “Installing the certificate enables interception of encrypted traffic and credential theft,” Robinson warned, and “executing the binary may result in full system compromise.” A Google spokesperson said the company has removed the spoofed pages and described the incident as platform abuse rather than a Workspace vulnerability, reminding users that legitimate Google authentication will never ask them to install a root certificate or run a binary to verify an account.
Why this matters
This isn’t just another phishing email. It has been reported that attackers are now zeroing in on trust networks (developer workflows, contributor reputations, project communities) because that’s where real power hides. The emotional punch here is simple: developers expect to be able to trust messages from their peers and leaders. When that trust is broken, the damage ripples through supply chains and cloud projects. Robinson urges anyone who might be affected to disconnect, remove newly installed certificates, revoke sessions and tokens, and rotate credentials. Who do you trust when the mask looks identical to the person you know? Stay suspicious.
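One way to act on the "remove newly installed certificates" advice is to compare the current trust store with a known-good export. The script below is an added example, not code from the article or the Linux Foundation. It assumes both stores have been exported as PEM bundles (on macOS, `security find-certificate -a -p` prints one), and the sample bundles are constructed placeholder bytes rather than real certificates.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_bundle):
    """Map SHA-256(DER) -> PEM text for every certificate in a PEM bundle."""
    found = {}
    for pem in PEM_BLOCK.findall(pem_bundle):
        # Hash the decoded DER bytes, not the text, so the same certificate
        # exported with different line endings or wrapping still matches.
        der = ssl.PEM_cert_to_DER_cert(pem)
        found[hashlib.sha256(der).hexdigest()] = pem
    return found


def unexpected_roots(baseline_pem, current_pem):
    """Certificates trusted now that were absent from the known-good baseline."""
    baseline = fingerprints(baseline_pem)
    current = fingerprints(current_pem)
    return {fp: pem for fp, pem in current.items() if fp not in baseline}


# Constructed sample data: placeholder bytes stand in for DER certificates.
ROOT_A = ssl.DER_cert_to_PEM_cert(b"constructed-known-root-A" * 8)
ROOT_B = ssl.DER_cert_to_PEM_cert(b"constructed-known-root-B" * 8)
ADDED = ssl.DER_cert_to_PEM_cert(b"constructed-newly-added-root" * 8)

# Known-good export taken before the incident (assumed to exist).
BASELINE_PEM = ROOT_A + ROOT_B
# Current export: reordered, one entry with CRLF line endings, one new entry.
CURRENT_PEM = ROOT_B + ADDED + ROOT_A.replace("\n", "\r\n")

if __name__ == "__main__":
    for fp in unexpected_roots(BASELINE_PEM, CURRENT_PEM):
        print("not in baseline, review and remove if unexpected:", fp)
```

Anything the script reports still needs a human decision, since a legitimate OS or MDM update can also add roots.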
Sources: The Register