An automated social engineering campaign is weaponizing GitHub’s Discussion notification system to deliver fabricated VS Code vulnerability alerts that cite non-existent CVE identifiers and direct developers to Google Drive-hosted payloads, which profile and selectively infect developer workstations. The first-stage JavaScript implant actively evades sandbox analysis, and the second-stage payload remained uncharacterized as of reporting, so its full capabilities are unknown. A compromised developer workstation gives direct access to source code, CI/CD pipeline secrets, and internal systems. Organizations should alert all developers immediately, treat any Google Drive download reached through a GitHub Discussion link as high-confidence suspicious, and isolate any workstation on which such a payload was executed pending forensic triage.
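As an added example, not part of the original advisory, the following Python triage helper applies the advisory's rule to the body of a GitHub Discussion notification: any Google Drive link is rated high, and CVE-style alert wording without a Drive link is rated medium pending a manual CVE lookup. The sample notification bodies, the CVE identifiers in them and the Drive file id are constructed placeholders, not real messages or indicators.

```python
import re

# Constructed sample GitHub Discussion notification bodies; none are real messages,
# and the CVE identifiers and Drive file id below are placeholders.
SAMPLE_NOTIFICATIONS = {
    "lure": (
        "@dev-team URGENT: a critical VS Code vulnerability (CVE-2025-99999) lets "
        "repositories execute code on open. Patched build here: "
        "https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID"
    ),
    "benign_cve": (
        "Heads up, a scanner flagged CVE-2024-0000 in one of our dev dependencies; "
        "see the advisory at https://github.com/advisories for details."
    ),
    "benign_chat": "Anyone free to review the discussion thread on the new linter config?",
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I)
DRIVE_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/\S+", re.I)
LURE_RE = re.compile(
    r"\b(?:vs ?code|visual studio code|urgent|critical|patched build|hotfix)\b", re.I
)


def triage_notification(body: str) -> dict:
    """Heuristic triage of one notification body; returns verdict plus evidence."""
    cves = sorted({m.group(0).upper() for m in CVE_RE.finditer(body)})
    drive_links = DRIVE_RE.findall(body)
    lure_terms = sorted({m.group(0).lower() for m in LURE_RE.finditer(body)})
    reasons = []
    if drive_links:
        reasons.append("google_drive_download_link")
    if cves:
        # CVE ids cannot be validated offline; the analyst must look them up.
        reasons.append("cve_identifier_needs_verification")
    if lure_terms:
        reasons.append("vscode_vulnerability_lure_wording")
    if drive_links:
        verdict = "high"        # advisory: Drive download via Discussion link
    elif cves and lure_terms:
        verdict = "medium"      # fake-alert wording, no payload link yet
    else:
        verdict = "low"
    return {"verdict": verdict, "cves": cves, "drive_links": drive_links, "reasons": reasons}


def triage_all(notifications: dict) -> dict:
    """Run triage over a batch of {name: body} and return {name: verdict}."""
    return {name: triage_notification(body)["verdict"] for name, body in notifications.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_NOTIFICATIONS.items():
        print(name, triage_notification(body))
```

In practice the bodies would come from the notification mailbox or the GitHub notifications API rather than the inline dictionary.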