Critical VSCode Webview Vulnerability Exposes GitHub OAuth Tokens in One Click On June 2, 2026, security researcher Ammar Askar publicly disclosed a severe vulnerability in Visual Studio Code’s (VSCode) webview implementation that allows attackers to steal GitHub OAuth tokens granting full read/write access to a victim’s private repositories with a single malicious link click. The flaw affects both the browser-based github.dev editor and the desktop version of VSCode, though the latter requires the victim to open a malicious repository. ### How the Exploit Works The attack exploits VSCode’s webview security model, which isolates untrusted content in sandboxed `<iframe>` elements. However, a design flaw in the `Window.postMessage()` API used to forward keyboard events between webviews and the main editor enables malicious JavaScript to simulate keystrokes. By chaining five VSCode behaviors, an attacker can: 1. Trigger arbitrary JavaScript via a malicious Jupyter Notebook (`.ipynb`) file or a crafted `.vscode/extensions.json` file. 2. Silently install a malicious extension by dispatching a synthetic `Ctrl+Shift+A` keystroke to bypass notification prompts. 3. Bypass publisher trust checks by placing the extension in the local `.vscode/extensions/` directory, exploiting github.dev’s default "trusted workspace" setting. 4. Access the preloaded GitHub OAuth token, which is unscoped and grants access to all of a user’s repositories not just the opened one. 5. Exfiltrate the token and repository list via API requests to `api.github.com`, enabling full control over private code. On github.dev, the attack requires no further interaction beyond the initial link click. On the desktop version, the exploit can escalate to Remote Code Execution (RCE) due to VSCode extensions’ unrestricted Node.js API access. ### Impact and Mitigations The vulnerability poses a significant risk, as stolen OAuth tokens allow attackers to read, modify, or push code to any private repository the victim can access. Since github.dev lacks CSRF protections, any external link can redirect users into the attack. Temporary mitigations include: - Clearing github.dev site data in browsers to re-enable a warning dialog. - Avoiding untrusted github.dev links until a patch is released. - Auditing and removing unrecognized extensions in github.dev. ### Defense-in-Depth Limitations VSCode’s security measures, such as strict Content Security Policies (CSP) and DOMPurify for Markdown sanitization, partially contained the exploit’s scope. However, Askar’s full disclosure published without prior coordination with Microsoft highlights persistent concerns about the MSRC’s vulnerability handling. GitHub was notified one hour before the public release.

Malicious npm Package Exposes Attacker’s GitHub Token in Supply Chain Threat Researchers at OX Security uncovered a malicious npm package, mouse5212-super-formatter, designed to steal sensitive files while posing as a legitimate development tool. The package, which has been downloaded 676 times and remains active on npm, highlights the rise of low-effort yet effective supply chain attacks. Disguised as an "archive deployment sync" utility, the malware performs superficial GitHub repository validation and network diagnostics during installation. However, its true function is far more intrusive: it authenticates to GitHub using either an environment token or a hardcoded fallback token embedded in the code. Once active, it scans the local `/mnt/user-data` directory, encodes files in base64, and uploads them to a remote GitHub repository via the Contents API. The stolen data is organized into unique folders per execution, while fake diagnostic logs mask its malicious activity. A critical error by the attacker embedding a private GitHub token in the malware allowed researchers to trace exfiltration activity to the operator’s repository. Approximately seven active data theft sessions were observed, most likely test runs before broader deployment. The GitHub account used in the campaign was created just hours before the package’s publication and was deleted shortly after discovery, though the npm package remains accessible. The malware’s focus on the `/mnt/user-data` directory suggests targeting of development environments, containerized workloads, or cloud-based systems. OX Security’s analysis revealed generic code comments and commit messages, likely AI-generated to evade detection during casual inspection. This incident underscores a growing trend of AI-assisted malware development, where attackers rapidly generate malicious code but often overlook basic security practices. While such threats may lack sophistication, they can still inflict significant damage, particularly in software supply chains. The exposure of the attacker’s infrastructure due to poor token management demonstrates how operational flaws can aid defenders in tracking and mitigating these campaigns.

Sophisticated npm Supply Chain Attack Targets OpenSearch, ElasticSearch, and DevOps Tools A recently uncovered npm supply chain attack has targeted developers working with OpenSearch, ElasticSearch, and DevOps tooling, stealing cloud credentials and CI/CD secrets from compromised systems. The campaign, attributed to a threat actor using the alias vpmdhaj, involved 14 malicious packages published on May 28, 2026, within a four-hour window. The attackers employed typosquatting and metadata spoofing, mimicking legitimate libraries with names like opensearch-setup and elastic-opensearch-helper while falsely linking to the official OpenSearch GitHub repository. To appear credible, the packages were assigned inflated version numbers, suggesting maturity and widespread use. Upon installation, the malicious packages executed code via npm preinstall scripts, triggering automatically without user interaction. The attack employed a two-stage payload system: - Early versions used a JavaScript stager to collect system details (hostname, OS, Node.js version, environment variables) and send them to a command-and-control (C2) server. The server responded with a compressed binary payload, identifiable by the “X-Supply: 1” HTTP header in network logs. - Later variants improved stealth by eliminating direct C2 communication, instead downloading the Bun runtime from GitHub to execute an embedded second-stage payload. This reduced suspicious outbound traffic and evaded traditional detection. The second-stage payload, a Bun-compiled binary, targeted credentials across multiple platforms, including: - Amazon Web Services (AWS) – Extracting environment variables, querying EC2 Instance Metadata Service and ECS task metadata, and enumerating secrets in AWS Secrets Manager. - HashiCorp Vault – Harvesting tokens. - GitHub Actions & npm – Validating publish tokens to hijack package maintainers and propagate further supply chain attacks. A persistence mechanism ensured the payload re-executed whenever the malicious module was imported, allowing it to survive across development cycles and CI/CD pipeline runs. The impact of the campaign is severe: - Stolen AWS credentials could enable lateral movement in cloud environments. - Compromised CI/CD tokens may allow attackers to manipulate build pipelines or inject malicious code into production. - Hijacked npm publish tokens pose a risk of malicious updates to legitimate packages, expanding the attack’s reach. Following responsible disclosure, the malicious packages and associated accounts were removed from the npm registry. However, organizations that installed these dependencies remain at risk. Security teams are urged to audit systems for affected packages, rotate exposed credentials, and monitor for indicators of compromise, including the “X-Supply: 1” header and unusual CloudTrail activity. The incident underscores the growing sophistication of supply chain attacks, where trusted ecosystems like npm are exploited to gain access to sensitive cloud and development infrastructure.

Sophisticated "Mini Shai-Hulud" Supply Chain Attack Targets @antv npm Ecosystem A newly uncovered supply chain attack, dubbed Mini Shai-Hulud, compromised the @antv npm ecosystem a widely used collection of data visualization libraries with devastating precision. The campaign, discovered by Microsoft security researchers, exploited a maintainer account to publish malicious versions of popular packages, including echarts-for-react, which boasts over one million weekly downloads. The attack spread rapidly, infecting thousands of developer pipelines within hours. The payload, a 499 KB obfuscated JavaScript file, executed automatically during `npm install`, targeting GitHub Actions environments to steal credentials from cloud services like AWS, HashiCorp Vault, Kubernetes, npm, and 1Password. It bypassed standard secret masking by scraping process memory directly from GitHub Actions runners. To evade detection, the malware employed two layers of obfuscation Base64-encoded strings and a custom cipher using PBKDF2 and SHA-256 and exited immediately if not running in a GitHub Actions Linux environment. Data exfiltration occurred via encrypted HTTPS to a command-and-control domain or through GitHub’s Git Data API, creating commits in victim repositories. GitHub responded by removing 640 malicious packages and invalidating over 61,000 npm tokens. The @antv maintainers confirmed the breach has been resolved, though Microsoft advises developers to audit dependency trees, rotate exposed credentials, and check for unexpected public repositories created during the attack window. Indicators of compromise include the malicious payload’s SHA-256 hashes (a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c and fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142) and the domain t.m-kosche[.]com:443. The attack highlights the growing threat of supply chain compromises in open-source ecosystems.

GitHub Actions Workflow Compromised in Supply Chain Attack Threat actors have executed a software supply chain attack by compromising the popular GitHub Actions workflow actions-cool/issues-helper, injecting malicious code to harvest sensitive credentials from CI/CD pipelines. Security firm StepSecurity discovered that all existing tags in the repository were redirected to an "imposter commit" a deceptive tactic where malicious code is inserted via an attacker-controlled fork, bypassing standard pull request reviews. The malicious commit, executed within GitHub Actions runners, performs the following actions: - Downloads the Bun JavaScript runtime to the runner. - Extracts credentials from the Runner.Worker process memory. - Exfiltrates stolen data via HTTPS to an attacker-controlled domain (t.m-kosche[.]com). A second GitHub action, actions-cool/maintain-one-comment, was also compromised, with 15 tags altered to include the same malicious functionality. GitHub has since disabled access to the repository for violating its terms of service, though the exact reason remains unclear. The exfiltration domain has been linked to the Mini Shai-Hulud campaign, which recently targeted npm packages in the @antv ecosystem, suggesting a potential connection between the two incidents. Threat intelligence firm Socket confirmed the overlap, indicating the attacks are likely part of the same activity cluster, though the initial access vector remains under investigation. Workflows referencing the compromised actions by version tag will automatically pull the malicious code on their next run. Only those pinned to a known-good full commit SHA remain unaffected.

Nx Console VS Code Extension Compromised in Sophisticated Supply Chain Attack In May 2026, attackers hijacked the widely used Nx Console Visual Studio Code extension, turning it into a credential-stealing tool that exposed millions of developers. The malicious version (18.95.0) of the extension installed over 2.2 million times was published to the official VS Code Marketplace on May 18 using stolen credentials. The attack unfolded in stages, beginning with an earlier breach that compromised a contributor’s GitHub personal access token. At 03:18 UTC, the attacker pushed an orphan commit to the nrwl/nx repository, replacing its contents with just two files: a package.json and an obfuscated index.js payload. By 12:36 UTC, the malicious extension was live, injecting a 2,777-byte backdoor into its main.js file. The payload activated the moment a developer opened any workspace. Within 11 minutes, the Nx team detected and removed the compromised version, but the damage was already done. The malware targeted a broad range of credentials, including tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, as well as Claude AI coding assistant configurations one of the first known supply chain attacks to exploit AI tooling. Stolen data was exfiltrated via HTTPS, GitHub API abuse, and DNS tunneling, ensuring redundancy if one channel was blocked. On macOS, the payload installed a persistent Python backdoor (~/.local/share/kitty/cat.py) that checked in hourly for new commands, signed with a 4096-bit RSA key. The malware also employed anti-analysis techniques, avoiding execution on machines with fewer than four CPU cores or those in Russian/CIS time zones to evade detection. The attack leveraged Sigstore integration, allowing the attacker to forge cryptographically signed npm packages using stolen OIDC tokens, making malicious packages appear legitimate. Security firm StepSecurity confirmed this was the second supply chain incident targeting the Nx ecosystem in a year. Developers who installed version 18.95.0 and opened a workspace between 12:36 and 12:47 UTC on May 18 should assume all credentials on the affected machine were compromised. The Nx team released a patched version (18.100.0) and provided indicators of compromise (IoCs) for detection, including file hashes, Git commit SHAs, and exfiltration endpoints.

Massive "Megalodon" Attack Targets 5,500+ GitHub Repositories in Automated Campaign On May 18, 2026, cybersecurity firm SafeDep uncovered a large-scale automated attack dubbed "Megalodon", which compromised 5,561 GitHub repositories by pushing 5,718 malicious code updates within a six-hour window. The campaign, detected using SafeDep’s Malysis scanning tool, embedded hidden backdoors in otherwise legitimate files, evading initial detection. Attackers leveraged fake GitHub accounts with randomized eight-character names and disguised their activity by mimicking official automated services, using sender identities like build-bot@, auto-ci@, and pipeline-bot@. The operation coincided with a separate breach by TeamPCP, which compromised 3,800 repositories via a malicious VS Code extension, highlighting a broader trend of targeting developers. ### Two Stealthy Attack Methods The Megalodon campaign employed two primary techniques: 1. SysDiag – Added a malicious `.github/workflows/ci.yml` file that triggered a data-stealing script whenever a developer updated their project. 2. Optimize-Build – Replaced existing system files with dormant backdoors, activated later via the GitHub API to avoid detection. ### Major Victim: Tiledesk The attack heavily impacted Tiledesk, a live chat and chatbot service. Hackers compromised nine of its GitHub repositories, leading the developer to unknowingly publish seven infected versions of its `@tiledesk/tiledesk-server` package (v2.18.6–2.18.12) to npm between May 19–21, 2026. ### Data Theft & Cloud Credential Harvesting Once executed, the malware ran an 111-line background script, exfiltrating sensitive data to a command-and-control (C2) server at 216.126.225.129:8443. The stolen information included: - Cloud credentials (AWS, Google Cloud, Microsoft Azure) - System logs, code files, and 30 types of private keys - GitHub Actions tokens, allowing attackers to impersonate legitimate workflows and gain unauthorized access to linked cloud environments. The incident underscores the growing sophistication of supply-chain attacks targeting open-source ecosystems, with developers and organizations facing heightened risks from automated, large-scale breaches.

Grafana Discloses GitHub Breach After Extortion Attempt by CoinbaseCartel Grafana recently revealed that an unauthorized party gained access to its GitHub environment using a compromised token, allowing the attacker to download the company’s codebase. The incident, discovered "recently," did not expose customer data or disrupt operations, according to Grafana’s statement on X. The company swiftly invalidated the compromised credentials, conducted a forensic investigation, and implemented additional security measures to prevent further unauthorized access. The attacker attempted to extort Grafana, demanding payment to prevent the stolen data from being published. Grafana refused, citing FBI guidance against ransom payments, which warns that such transactions fail to guarantee data recovery and embolden cybercriminals. The breach has not been linked to a specific threat actor, though reports from Hackmanac and Ransomware.live attribute the attack to CoinbaseCartel, a data extortion group that emerged in September 2025. CoinbaseCartel, assessed as an offshoot of ShinyHunters, Scattered Spider, and LAPSUS$, specializes in data theft and extortion rather than traditional ransomware. The group has targeted 170 victims across sectors including healthcare, technology, and manufacturing. While Grafana has not disclosed which codebase was accessed, its portfolio includes solutions like Grafana Cloud, a managed observability platform. The incident follows a recent controversial decision by Instructure, an edtech firm, to pay ShinyHunters after the group threatened to leak terabytes of data from U.S. schools and universities. Grafana has not provided further details on the timeline of the breach or the attacker’s access duration.

GitHub Confirms Internal Source Code Breach by TeamPCP Threat Actor A cybercriminal group known as TeamPCP has claimed responsibility for breaching GitHub’s internal systems, allegedly stealing proprietary data, including source code from approximately 4,000 private repositories. The threat actor announced the breach via a post on X (formerly Twitter), asserting access to sensitive internal assets tied to GitHub’s core platform. GitHub acknowledged the incident in a public statement, confirming unauthorized access to its internal repositories while emphasizing that customer data remains unaffected. The company is actively investigating the scope and impact of the breach. The incident highlights ongoing risks to software supply chains, as threat actors increasingly target development environments to exploit vulnerabilities or extract intellectual property. No further details on the attack vector or potential motives have been disclosed.

GitHub Token Leak Exposes PHP Projects to Credential Theft A recent format change in GitHub’s authentication tokens has triggered a critical security flaw, exposing thousands of PHP projects to potential credential theft. The issue, discovered in late April 2026, stems from GitHub’s rollout of a new, variable-length token format that includes hyphens a character not recognized by Composer’s validation system. When Composer encountered the updated tokens, its regex validation failed, causing the tool to log the full, unredacted tokens in error logs instead of masking them. This vulnerability affects projects using Composer in GitHub Actions workflows, particularly those leveraging the widely adopted shivammathur/setup-php action, which automatically registers these tokens in Composer’s global authentication settings. The risk varies by runner type: tokens on GitHub-hosted runners expire within 6 hours, while those on self-hosted runners remain valid for up to 24 hours. Since GitHub App tokens may carry broad permissions, exposed credentials could grant attackers significant access to repositories and CI/CD pipelines. On May 13, 2026, GitHub temporarily reverted the token format change to halt further exposure, providing a brief window for developers to patch their systems. Composer versions 2.9.8, 2.2.28 LTS, and 1.10.28 (for legacy systems) now include fixes that relax validation rules and prevent token leakage in logs. Packagist confirmed that packagist.org and Private Packagist were unaffected, with the latter already mitigating the issue. The incident underscores the risks of parsing or validating secrets against rigid assumptions, as evolving platform standards can introduce unforeseen vulnerabilities. Developers are advised to audit recent GitHub Actions logs for exposed tokens and revoke any compromised credentials.

Google Thwarts AI-Powered Mass Exploitation Plot by Hackers Google’s Threat Intelligence Group (GTIG) revealed on Monday that it disrupted a hacking operation leveraging artificial intelligence to plan a large-scale exploitation of a zero-day vulnerability. The attackers aimed to bypass two-factor authentication (2FA) by using an AI model to identify and weaponize an undisclosed software flaw though Google confirmed its own Gemini model was not involved. The company stated it had "high confidence" in its findings, suggesting the proactive detection may have prevented the attack before it could be executed. The hacker group behind the operation was not named. The incident highlights a growing trend: cybercriminals are increasingly turning to AI tools like OpenClaw to automate vulnerability discovery, accelerating the pace and scale of attacks. Google’s report noted that state-linked groups from China and North Korea have shown particular interest in AI-driven exploitation, signaling a shift in cyber warfare tactics. This development follows industry concerns over AI’s dual-use potential. In April, Anthropic delayed the release of its Mythos model due to fears it could be misused to uncover legacy vulnerabilities, prompting high-level discussions with the White House and tech leaders. The model was later released to a restricted group of testers, including Apple, CrowdStrike, Microsoft, and Palo Alto Networks. Meanwhile, OpenAI has begun rolling out GPT-5.5-Cyber, a specialized version of its latest model, to vetted cybersecurity teams in a limited preview. The move reflects efforts to balance AI innovation with security risks as threat actors refine their techniques.

Critical "ClaudeBleed" Flaw in Anthropic’s Chrome Extension Exposes Sensitive Data On May 7, 2026, security researcher Aviad Gispan of LayerX disclosed a severe vulnerability dubbed ClaudeBleed in Anthropic’s Claude in Chrome browser extension. The flaw allows malicious Chrome extensions, even those with no declared permissions, to hijack Claude and exfiltrate sensitive data from Gmail, Google Drive, and GitHub without user interaction. The vulnerability stems from a trust boundary violation in the extension’s manifest. The externally_connectable setting, configured to accept messages from claude.ai, fails to verify the actual sender, enabling any extension to inject scripts into the claude.ai context and issue privileged commands. Attackers exploit this by mimicking legitimate traffic using Claude’s public extension ID, bypassing confirmation dialogs through "approval looping" and manipulating the DOM to deceive Claude into performing malicious actions such as summarizing emails, forwarding them to an attacker, and deleting traces. Anthropic released a partial patch (v1.0.70) on May 6, 2026, adding approval flows for privileged actions. However, LayerX bypassed the fix within hours by exploiting weaknesses in the new UI-based safeguards. Attackers can still disable approval layers by switching to "Act without asking" mode, abuse side panel initialization to create an unchecked execution context, or manipulate UI elements to evade policy enforcement. The flaw persists because Claude relies on origin-based trust rather than authenticated execution context. LayerX recommends implementing signed request tokens, restricting externally_connectable to verified extensions, and cryptographically binding user approvals to specific actions. Until then, any installed extension can silently commandeer Claude as a data-theft tool.

AI-Powered Phishing Campaigns Exploit ChatGPT, Claude, and DeepSeek Brands Cybercriminals are leveraging the popularity of AI platforms like ChatGPT, Claude, and DeepSeek to launch sophisticated phishing attacks, tricking users into surrendering login credentials, credit card details, and authentication tokens. These campaigns, documented by Microsoft Threat Intelligence in early 2026, rely on social engineering rather than breaches of the AI services themselves. ### How the Attacks Unfold Attackers craft convincing fake emails and websites mimicking trusted AI platforms, often routing victims through legitimate services such as URL shorteners, CRM tools, and GitHub to evade detection. By the time users realize they’ve been compromised, their data may already be stolen. #### Key Campaigns Identified 1. ChatGPT-Themed Phishing (May 5, 2026) - Target: ~4,500 users in South Africa - Lure: Fake "ChatGPT Plus subscription downgrade" emails with a payment update prompt - Attack Chain: Victims were redirected through Amazon tracking domains and CRM services before landing on a fake payment page collecting credit card details. 2. Claude-Themed Phishing (April 20–22, 2026) - Target: Over 2,000 organizations in the U.S., U.K., and India - Lure: Emails claiming account policy violations, directing users to a malicious PDF ("Fill and Sign Claude Appeal Form.pdf") - Attack Chain: Victims were funneled through fake verification screens to a token-stealing Microsoft sign-in page. 3. DeepSeek Malvertising & Fake Installers (April 2026) - Lure: A fraudulent GitHub repository ("DeepSeek-V4") appeared within 45 minutes of DeepSeek’s V4 model announcement, distributing Vidar infostealer. - Malvertising: A fake "Awesome AI Windows Plugin" was pushed via free movie streaming sites, delivering a code-signed malware downloader linked to the Fox Tempest group. ### Impact & Consequences Thousands of organizations across multiple countries have been targeted, with victims losing: - Credit card data - Account credentials - Authentication tokens, granting attackers direct access to corporate systems ### Indicators of Compromise (IoCs) Microsoft provided hashes, domains, and URLs tied to these campaigns, including: - Malicious PDF: `791efb555eefb7215e96659a1353a97416743b66bdd72705493129c64057d40e` - Fraudulent GitHub Repos: `hxxps://github[.]com/shippingtechnologymovie/AI-techVideos` - Vidar C2 Domains: `pan.ssffaa19[.]xyz`, `pan.rongtv[.]xyz` These attacks highlight the growing threat of AI-branded phishing, where trust in popular platforms is weaponized to bypass security measures.

Russian Threat Actor Exploits AI to Run Five-Year Crypto Fraud Scheme on Telegram A lone Russian-speaking threat actor, tracked as bandcampro, has operated a sophisticated fraud campaign since February 2021, leveraging stolen AI credentials and a fake political persona to target American audiences. Posing as an authentic conservative voice under the Telegram channel @americanpatriotus, the actor amassed over 17,000 subscribers by capitalizing on the post-Capitol riot migration of QAnon and MAGA communities to alternative platforms. The operation, uncovered by Trend Micro’s TrendAI Research team in May 2026, relied heavily on AI to automate content generation, credential theft, and cryptocurrency fraud. Starting in September 2025, the actor used a jailbroken version of Google Gemini dubbed Quantum Patriot to generate QAnon-style posts, manage infrastructure, and rotate stolen API keys via natural-language commands in Russian. The system operated at near-zero cost, cycling through 73 stolen Gemini API keys in a round-robin rotation to avoid detection. Beyond influence operations, the actor deployed malicious tools, including StellarMonSetup.exe, a fake cryptocurrency wallet that installed the GoToResolve remote-access trojan (RAT). A separate AI-powered brute-forcing tool, using Gemini 2.5 Flash, cracked 29 WordPress administrator accounts across sectors like legal, medical, and weapons retail. The campaign also drained at least one victim’s cryptocurrency wallet. Key infrastructure included GitHub-hosted tools, Cloudflare tunnels, and a gamified Telegram bot (@QFS_Terminal_Bot) to engage and defraud subscribers. The actor bypassed Gemini’s safety guardrails by persuading the AI to recognize him as an "authorized pentester," storing jailbreak instructions in a persistent GEMINI.md file to suppress ethical warnings. Indicators of compromise (IoCs) include multiple GoToResolve IP addresses, the StellarMonSetup.exe RAT, and the @americanpatriotus Telegram channel. The incident highlights the growing threat of AI-enabled fraud, where a single operator can scale attacks to enterprise-level output using stolen resources.

Mistral AI Suffers Data Breach: 450 Repositories Stolen and Auctioned on Dark Web The hacking group TeamPCP has stolen 450 internal repositories totaling 5GB of source code from Mistral AI, a leading AI development company. The stolen data, which includes code used for training, fine-tuning, benchmarking, and model delivery, is now being auctioned on the dark web for $25,000. TeamPCP, which previously executed a supply chain attack called Mini Shai-Hulud against the TanStack npm package (a widely used UI toolkit with 177 million weekly downloads), distributed infostealer malware to harvest developer credentials, cloud secrets, and SSH keys. The group claims the stolen Mistral AI data contains experimental and future project materials and has warned that if no buyer emerges within a week, they will leak the entire dataset for free. Mistral AI confirmed the breach, stating that attackers compromised a codebase management system and briefly contaminated some SDK packages. However, the company emphasized that core systems, hosted services, user data, and research environments remained unaffected. The auction is exclusive to a single buyer, with TeamPCP even inviting Mistral AI to purchase the data back. The group has indicated that the $25,000 price is negotiable. The incident highlights ongoing risks in AI development supply chains and the potential exposure of proprietary model training materials.

Large-Scale Supply Chain Attack Compromises 170+ npm Packages and PyPI Libraries Hackers have executed a sophisticated supply chain attack by infiltrating over 170 npm packages and two PyPI libraries, collectively downloaded more than 200 million times per week. The campaign, attributed to the resurfaced "Shai-Hulud" malware, steals developer and cloud credentials while exhibiting worm-like propagation across development ecosystems. ### Attack Mechanics The malicious npm packages contain a hidden preinstall script that executes during installation, deploying a loader to fetch an obfuscated JavaScript payload. Unlike typical credential stealers, this malware modifies legitimate package code, injects malicious components, and republishes infected versions, turning compromised environments into new attack vectors. The PyPI variant embeds a downloader in the import process, fetching a remote Python payload that targets cloud platforms, local systems, and developer tools. Both variants employ multi-layered obfuscation, including PBKDF2-SHA256 encryption and AES-256 runtime decryption, to evade detection. ### Initial Compromise & Propagation The attack originated from a misconfigured GitHub Actions workflow, where attackers exploited untrusted forked code to execute within a privileged environment. Once inside CI/CD pipelines, the malware extracts GitHub Actions tokens, OIDC identity data, and npm publishing credentials, enabling large-scale package hijacking. ### Credential Theft & Exfiltration The payload targets a broad range of sensitive data, including: - GitHub tokens, Actions secrets, and npm credentials - AWS, GCP, and Azure credentials (via environment variables, files, and metadata services) - Kubernetes service account tokens and HashiCorp Vault secrets - SSH keys, .npmrc files, shell history, and API keys - Password manager data (1Password, Bitwarden) Stolen data is exfiltrated through encrypted uploads to attacker-controlled servers, GitHub repositories, and decentralized networks (e.g., Session/Oxen). A notable indicator is commits authored by "[email protected]." ### Destructive Capabilities The malware includes a "dead-man switch" a persistent service that monitors stolen GitHub tokens. If a token is revoked, the malware may trigger destructive actions, such as wiping the infected system. The PyPI variant can also deploy a second-stage payload capable of deleting entire Linux systems under certain conditions. ### Detection & Response Security researchers at JFrog detected and blocked all malicious packages within 24 hours, but the incident highlights vulnerabilities in CI/CD trust mechanisms. The attack demonstrates how compromised build processes can turn verified pipelines into malware distribution channels, underscoring the need for stricter runtime monitoring and credential hygiene.

Microsoft GitHub Repositories Hit by Miasma Supply Chain Attack Microsoft’s GitHub repositories have been targeted in the ongoing Miasma self-replicating supply chain attack, affecting 73 repositories across four organizations Azure, Azure-Samples, Microsoft, and MicrosoftDocs. GitHub has disabled access to the compromised repositories, displaying a terms-of-service violation notice for affected projects, including Azure/azure-functions-host. Among the impacted repositories are key projects such as durabletask (and its related .NET, Go, JavaScript, and MSSQL implementations), azure-search-openai-demo-purviewdatasecurity, and windows-driver-docs. Notably, the durabletask PyPI package was previously compromised by TeamPCP in May to distribute an information stealer on Linux systems, suggesting the same threat actors may still retain access. Miasma, a variant of the Mini Shai-Hulud worm released by TeamPCP in mid-2026, has evolved its tactics, infecting additional packages in recent days. Attackers have created new repositories with deceptive descriptions like "Miasma: The Spreading Blight" and "Hades - The End for the Damned", with 95 such repositories identified so far. The campaign has also bypassed traditional registry-based attacks, directly injecting malicious code into repositories like icflorescu/mantine-datatable and related projects. The payload a 4.3 MB runner executes automatically when developers open affected repositories in AI coding tools such as Claude Code, Gemini CLI, Cursor, or VS Code, or via the npm test script. Security researchers highlight that Miasma exploits the trust model underpinning open-source ecosystems, propagating through legitimate channels without relying on platform vulnerabilities. By compromising maintainer credentials and mimicking routine updates, the attack evades conventional defenses, making it one of the most persistent and far-reaching supply chain campaigns to date.

Cybersecurity Roundup: Key Incidents and Developments from April 2026 Last week saw a surge in cybersecurity threats, regulatory actions, and technological advancements highlighting both emerging risks and evolving defenses. Here’s a breakdown of the most critical developments: ### AI and Automation: New Frontiers for Cybercrime and Defense - AI-Powered Cybercrime: Threat actors are leveraging gig platforms like RentAHuman to hire AI agents for tasks such as physical surveillance, item delivery, and in-person meetings, blurring the line between digital and real-world attacks. - AI Supply Chain Risks: Cisco released an open-source toolkit to verify AI model lineage, addressing concerns that enterprises lack visibility into modifications made to downloaded models from repositories like Hugging Face. - AI-Driven Attacks: OpenAI warned that attackers are scaling operations using AI, while Anthropic adopted a more restrictive approach to advanced AI access. Meanwhile, automated LLM red teaming tools are evolving, with Capital One proposing Adaptive Instruction Composition to prioritize high-impact attack vectors. - AI Traffic Surge: AI workflows are generating larger, less predictable data flows, with Backblaze reporting a shift toward high-bandwidth traffic between fewer endpoints. ### Data Breaches and Privacy Violations - Massive Fines: U.S. state privacy regulators imposed $3.425 billion in fines in 2025 nearly double the 2024 total reflecting stricter enforcement trends. - High-Profile Breaches: - ADT confirmed a breach on April 20, exposing customer data after hackers accessed its systems. - Udemy suffered a breach claimed by ShinyHunters, leaking 1.4 million records with sensitive user details. - UK Biobank: Medical data from 500,000 British volunteers was listed for sale on Alibaba, raising concerns about genetic and clinical data misuse. - Academic Data Leaks: A study of 2.7 million arXiv submissions found that 88% of LaTeX source files contained unintended public disclosures, including drafts, comments, and project data. ### Critical Vulnerabilities and Exploits - Windows Zero-Day (CVE-2026-32202): Actively exploited in the wild, this Windows Shell spoofing flaw allows attackers to force authentication to malicious servers. It stems from an incomplete patch for a prior vulnerability (CVE-2026-21510) linked to APT28 (Fancy Bear). - Linux Kernel Flaw (CVE-2026-31431): A nine-year-old privilege escalation bug ("Copy Fail") affects nearly all major Linux distributions since 2017, with a public proof-of-concept exploit available. - GitHub Enterprise Server RCE (CVE-2026-3854): While patched on GitHub.com, 88% of self-hosted instances remain vulnerable to remote code execution. - cPanel Zero-Day (CVE-2026-41940): Exploited since February 2026, this authentication bypass flaw in the web hosting control panel highlights delayed patching risks. - Vect Ransomware Bug: A flaw in the Vect ransomware-as-a-service (RaaS) effectively turns it into a data wiper, with affiliates encrypting files irreversibly. ### Threat Actor Activity - UNC6692: A new threat group impersonated IT helpdesk staff via Microsoft Teams, tricking employees into downloading malware disguised as a "Mailbox Repair Utility" in a campaign active since December 2025. - Robinhood Phishing: Cybercriminals hijacked Robinhood’s email systems to send phishing emails to users, with reports surfacing on April 26. - Black Axe Arrests: Swiss police arrested 10 suspected members of the Black Axe cybercrime gang, including its Southern Europe "Regional Head," in a coordinated raid on April 28. - Roblox Account Theft: Ukrainian police detained three suspects accused of stealing and reselling 600,000 Roblox accounts via malware disguised as game tools. - SMS Blaster Operation: Canadian authorities arrested three men for operating a mobile cell tower spoofing device, used to send fraudulent SMS messages across the Greater Toronto Area. ### Regulatory and Law Enforcement Actions - Chinese Hacker Extradited: Xu Zewei, a Chinese national, was extradited from Italy to the U.S. for allegedly breaching thousands of systems, including those tied to COVID-19 research. - Albanian Call Center Bust: A joint operation dismantled a €50 million fraud ring operating from Albania, with 10 arrests and €900,000 seized. ### Tooling and Infrastructure Updates - IPFire DNS Firewall: The open-source firewall now includes built-in domain blocking, replacing third-party tools like Pi-hole for malware and phishing protection. - Open-Source Privacy Tools: - BleachBit 6.0.0 enhanced secure deletion and browser cleaning for Windows/Linux. - Kiji Privacy Proxy (by Dataiku) masks PII before prompts reach external AI services. - SimpleX Chat released a user-identifier-free encrypted messenger. - Linux Storage: Stratis 3.9.0 added online encryption and cache-less pool startup for improved security. - Proxmox Backup Server 4.2 introduced S3 storage support and parallel sync jobs. ### SOC and Identity Challenges - SOC Metrics Under Scrutiny: The UK’s NCSC warned that ticket-based metrics (e.g., IT service desk KPIs) can undermine security operations by failing to measure real attack detection. - AI and IAM Gaps: Identity and access management (IAM) systems, designed for human users, struggle with AI agents that bypass traditional authentication. The FIDO Alliance is exploring new frameworks for AI-driven payments. - Shadow AI Risks: 31% of employees using AI tools receive no employer training, widening the gap between adoption and governance. ### Industrial and Infrastructure Threats - ICS Blind Spots: Researchers identified three critical gaps in industrial control system (ICS) intrusion detection, complicating plant security. - GPS Spoofing Detection: Oak Ridge National Laboratory developed a portable tool to expose GPS signal manipulation in transit networks. ### Open-Source and Developer Tools - Visual Studio Updates: GitHub Copilot now integrates cloud agents for scalable task execution, while VS Code 1.118 added auto-model selection for Copilot CLI. - Warp Terminal: The AI-centric terminal open-sourced its client under the AGPL license, with OpenAI as a founding sponsor. - LuLu Firewall: A free macOS tool now monitors outbound connections to block unauthorized data exfiltration. ### Emerging Trends - Bad Bots: AI agents now account for 40% of internet traffic, alongside traditional "good" and "bad" bots, per Thales’ 2026 report. - AI Prompt Confidentiality: Researchers raised concerns about unpublished research and proprietary data being leaked via commercial AI tools like Research Rabbit and Elicit AI. - Met Police AI Scrutiny: London’s Metropolitan Police faced backlash for using Palantir’s AI to monitor officers’ movements for misconduct investigations. This wave of incidents underscores the accelerating convergence of AI, automation, and cyber threats while also highlighting the urgent need for adaptive defenses, stricter data governance, and proactive vulnerability management.

Google Patches Critical RCE Vulnerability in Gemini CLI and GitHub Action Google has released urgent security updates to address a critical remote code execution (RCE) vulnerability in its Gemini CLI and associated GitHub Action, tracked as GHSA-wpqr-6v78-jr5g. The flaw, discovered by researchers Elad Meged (Novee Security) and Dan Lisichkin (Pillar Security), exposes CI/CD pipelines and software supply chains to severe exploitation risks. The vulnerability stems from two major bypass techniques in Gemini CLI’s handling of workspace trust and tool allowlisting. In headless execution modes commonly used in GitHub Actions the tool automatically trusted workspace folders without verification, allowing attackers to inject malicious environment variables into untrusted directories. Additionally, the "Yolo" execution mode failed to enforce strict tool allowlists, enabling prompt injection attacks to bypass restrictions and execute arbitrary commands. Improper input validation further compounded the issue, leading to OS command injection vulnerabilities. The combined weaknesses create a high-risk scenario where attackers could exploit automated workflows without user interaction or elevated privileges. Since many CI/CD pipelines process external inputs (e.g., pull requests, public GitHub issues), vulnerable versions of Gemini CLI could unknowingly execute malicious configurations, enabling: - Arbitrary code execution on build servers - Theft of repository secrets and credentials - Unauthorized source code modifications - Lateral movement into internal systems The attack is particularly dangerous because it can be triggered remotely and without authentication, increasing its exploitation potential. Google has mitigated the issue by redesigning Gemini CLI’s trust mechanisms, now requiring explicit trust configurations before processing workspace data in automated environments. Organizations are urged to: - Upgrade Gemini CLI to v0.39.1 or v0.40.0-preview.3 - Update the GitHub Action to v0.1.22 - Configure explicit workspace trust settings - Enforce strict tool allowlists for untrusted inputs - Audit CI/CD pipelines for outdated versions The incident highlights the critical need for strict validation controls in CI/CD pipelines to protect software supply chains from evolving threats.

Bitwarden CLI Compromised in Supply Chain Attack Targeting npm On April 22, 2026, attackers briefly compromised the Bitwarden CLI by uploading a malicious version of the `@bitwarden/cli` npm package (version 2026.4.0). The package, available between 5:57 PM and 7:30 PM ET, contained a credential-stealing payload designed to spread to other projects. Bitwarden confirmed the incident, stating the breach was limited to its npm distribution channel and did not affect end-user vault data, production systems, or the legitimate CLI codebase. The company revoked compromised access, deprecated the malicious release, and initiated remediation. ### Attack Details Security firms Socket, JFrog, and OX Security reported that threat actors likely exploited a compromised GitHub Action in Bitwarden’s CI/CD pipeline to inject malicious code. The package included a preinstall script and a custom loader (`bw_setup.js`) that checked for the Bun runtime downloading it if absent before executing an obfuscated JavaScript file (`bw1.js`). The malware targeted: - npm and GitHub authentication tokens - SSH keys - Cloud credentials (AWS, Azure, Google Cloud) Stolen data was encrypted with AES-256-GCM and exfiltrated via public GitHub repositories under victims’ accounts, marked with the string "Shai-Hulud: The Third Coming" a reference to prior npm supply chain attacks. The malware also had self-propagating capabilities, using stolen credentials to inject malicious code into other packages. ### Connections to Other Attacks The attack shares infrastructure and malware overlaps with a recent Checkmarx supply chain breach, including: - The same telemetry endpoint (`audit.checkmarx[.]cx/v1/telemetry`) - Identical obfuscation routines (`__decodeScrambled` with seed `0x3039`) - Similar credential theft and GitHub-based exfiltration tactics Both campaigns have been attributed to TeamPCP, a threat actor previously linked to attacks on Trivy and LiteLLM. Bitwarden’s investigation found no evidence of broader compromise, but developers who installed the affected version were advised to rotate exposed credentials, particularly those tied to CI/CD pipelines and cloud environments.

New Supply Chain Worm Targets npm and PyPI, Stealing Developer Credentials Cybersecurity researchers from Socket and StepSecurity have uncovered a self-propagating supply chain worm, dubbed CanisterSprawl, that exploits compromised npm packages to steal developer credentials and spread malicious updates. The campaign, active in recent weeks, leverages an ICP canister for data exfiltration a tactic previously used by TeamPCP to evade takedowns. ### Affected Packages The following npm packages were found to contain malicious postinstall hooks that trigger the worm during installation: - `@automagik/genie` (v4.260421.33–4.260421.40) - `@fairwords/loopback-connector-es` (v1.4.3–1.4.4) - `@fairwords/websocket` (v1.0.38–1.0.39) - `@openwebconcept/design-tokens` (v1.0.1–1.0.3) - `@openwebconcept/theme-owc` (v1.0.1–1.0.3) - `pgserve` (v1.1.11–1.1.14) ### Attack Mechanics Once executed, the malware harvests sensitive data from developer environments, including: - npm tokens (used to publish poisoned package versions) - SSH keys, `.git-credentials`, and `.netrc` files - Cloud credentials (AWS, Google Cloud, Azure) - Kubernetes, Docker, Terraform, and Vault configurations - Local `.env` files and shell history - Browser-stored credentials (Chromium-based browsers) - Cryptocurrency wallet extensions Stolen data is exfiltrated to: - An HTTPS webhook (`telemetry.api-monitor[.]com`) - An ICP canister (`cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io`) The worm also includes PyPI propagation logic, generating malicious Python packages via Twine if credentials are present, effectively turning one compromised environment into multiple package infections. ### Additional Threats in Open-Source Ecosystems - Compromised PyPI Package: Versions 2.6.0–2.6.2 of the legitimate `xinference` package were altered to include a Base64-encoded payload, fetching a second-stage credential harvester. While the payload includes the marker "# hacked by teampcp," the group denied involvement, suggesting a copycat attack. - Fake Kubernetes Tools: Malicious npm (`kube-health-tools`) and PyPI (`kube-node-health`) packages disguised as Kubernetes utilities deploy a Go-based binary that sets up: - A SOCKS5 proxy - A reverse proxy - An SFTP server - An LLM proxy (routing requests to Chinese LLM APIs, enabling secret exfiltration and malicious payload injection). - Asurion-Themed npm Attack: Between April 1–8, 2026, threat actors published fake npm packages (`sbxapps`, `asurion-hub-web`, `soluto-home-web`, `asurion-core`) impersonating Asurion and its subsidiaries. Stolen credentials were first sent to a Slack webhook, then to an AWS API Gateway endpoint, later obfuscated with XOR encoding. - GitHub Actions Exploitation: A campaign dubbed prt-scan, active since March 11, 2026, abuses the `pull_request_target` GitHub Actions trigger to steal secrets. Attackers: - Fork repositories using the trigger - Inject malicious payloads into CI workflows - Open pull requests to trigger credential theft - Publish malicious npm packages if tokens are found While the campaign had a <10% success rate, most victims were small projects, though a few exposed cloud credentials and persistent API keys. ### Impact & Trends These incidents highlight the growing sophistication of supply chain attacks, with threat actors increasingly targeting npm, PyPI, and CI/CD pipelines to propagate malware. The use of resilient exfiltration methods (ICP canisters, obfuscated endpoints) and multi-stage credential theft underscores the need for heightened scrutiny in open-source dependency management.

Malicious Hackers Compromise Checkmarx KICS Tool to Steal Developer Secrets Hackers infiltrated the Checkmarx KICS (Keeping Infrastructure as Code Secure) tool, a popular open-source scanner for identifying vulnerabilities in code, dependencies, and configurations. The attack targeted Docker images, VS Code extensions, and Open VSX extensions, deploying malware designed to harvest sensitive data from developer environments. Security firm Socket uncovered the breach after Docker flagged malicious images in the official checkmarx/kics Docker Hub repository. The compromise extended to VS Code and Open VSX extensions, which secretly downloaded a hidden "MCP addon" from a hardcoded GitHub URL. This addon executed a multi-stage malware (mcpAddon.js) that stole credentials, including: - GitHub tokens - Cloud credentials (AWS, Azure, Google Cloud) - npm tokens - SSH keys - Claude configs - Environment variables The stolen data was encrypted and exfiltrated to audit.checkmarx[.]cx, a domain mimicking legitimate Checkmarx infrastructure. Attackers also automatically created public GitHub repositories for data exfiltration. The malicious Docker images were available for 83 minutes on April 22, 2026 (14:17:59–15:41:31 UTC) before being restored to legitimate versions. The fake v2.1.21 tag was removed entirely. While the TeamPCP hacking group, linked to previous supply-chain attacks (Trivy, LiteLLM), claimed responsibility, researchers found only pattern-based correlations and could not confirm attribution. Checkmarx confirmed the incident in a security bulletin, stating that all malicious artifacts were removed, exposed credentials were revoked, and an investigation with external experts is ongoing. The company advised users to block access to suspicious IPs (91.195.240.123, 94.154.172.43), revert to pinned SHAs, and rotate compromised secrets. Safe versions of affected tools include: - DockerHub KICS v2.1.20 - Checkmarx ast-github-action v2.3.36 - Checkmarx VS Code extensions v2.64.0 - Checkmarx Developer Assist extension v1.18.0

Critical "Comment and Control" Vulnerabilities Expose AI Agents in GitHub Workflows Researchers from Johns Hopkins University, led by Aonan Guan, have uncovered a series of indirect prompt-injection vulnerabilities in AI agents integrated with GitHub, including Anthropic’s Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent. Dubbed "Comment and Control," these attacks exploit GitHub’s standard communication channels such as pull request (PR) titles, issue descriptions, and comments to execute malicious commands without requiring external infrastructure. ### How the Attacks Work The vulnerabilities stem from AI agents’ inability to distinguish between legitimate system instructions and attacker-embedded payloads. When parsing manipulated GitHub content, the agents execute the injected commands under the permissions of the GitHub Actions runner, leading to the unauthorized exfiltration of environment variables, API keys, and access tokens. #### Agent-Specific Exploits 1. Claude Code Security Review - Flaw: PR titles are interpolated into the agent’s prompt without sanitization. - Impact: Attackers embed bash commands (e.g., `whoami`, `ps auxeww`) in PR titles, causing the agent to execute them and expose secrets like `ANTHROPIC_API_KEY` and `GITHUB_TOKEN` in PR comments or logs. - Severity: Rated CVSS 9.4 (Critical). Anthropic mitigated the issue by blocking the `ps` tool. 2. Google Gemini CLI Action - Flaw: The agent processes issue titles, bodies, and comments as part of its prompt. - Impact: Attackers append a fake "Trusted Content Section" to issue comments, overriding Gemini’s safety instructions. The agent then outputs the `GEMINI_API_KEY` in a public issue comment. 3. GitHub Copilot Agent - Flaw: A stealthier attack uses hidden HTML comments in GitHub issues to bypass multiple security layers. - Impact: When a victim assigns an issue to Copilot, the agent parses the hidden payload, executes `ps auxeww | base64`, and commits the encoded environment variables to a new PR. The attack evades: - Environment filtering (by reading parent process memory). - Secret scanning (via base64 encoding). - Network firewalls (exfiltrating via `git push`). ### Root Cause & Broader Implications The vulnerabilities highlight a fundamental architectural conflict in AI agent deployments: these tools require access to sensitive secrets and powerful execution environments (e.g., bash, Git operations) while simultaneously processing untrusted user input a core part of software development workflows. Until this conflict is addressed, indirect prompt-injection attacks will remain a persistent threat, regardless of model-level defenses. The findings underscore the need for strict input sanitization, least-privilege execution, and runtime isolation in AI-driven automation tools.

Massive Credential Theft Campaign Exploits React2Shell Flaw in Next.js Applications Cybersecurity researchers at Cisco Talos have uncovered a large-scale automated credential theft campaign orchestrated by the hacker group UAT-10608, which has compromised over 700 servers worldwide. The attackers are exploiting CVE-2025-55182 (React2Shell), a critical remote code execution (RCE) vulnerability in React Server Components used by Next.js applications. The flaw allows attackers to send maliciously crafted web requests to vulnerable servers, executing arbitrary commands without requiring authentication or user interaction. Once exploited, the attack deploys a malicious script that silently extracts sensitive data, including database credentials, SSH keys, AWS cloud tokens, Stripe payment keys, and GitHub access tokens. To manage the stolen data, the threat actors use a custom web dashboard called the "NEXUS Listener", which recorded 766 compromised hosts in just 24 hours. The impact is severe: - Over 90% of affected servers had database credentials stolen. - Nearly 80% lost private SSH keys, enabling lateral movement across networks. - Stolen cloud credentials could allow attackers to hijack entire cloud environments. - Compromised GitHub tokens risk malicious code injections into software updates. The campaign highlights the urgent need for organizations using Next.js to patch the React2Shell vulnerability and rotate exposed credentials. The stolen data provides attackers with persistent access to critical systems, posing long-term security risks.

Thousands of API Credentials Exposed Across 10,000 Websites, Researchers Warn A recent analysis of 10 million websites has revealed nearly 2,000 exposed API credentials across 10,000 webpages, posing a significant security risk to organizations. Conducted by researchers from Stanford University, the University of California, Davis, and TU Delft, the study used the tool TruffleHog to scan for sensitive credentials embedded in public-facing web content. The findings, detailed in a preprint paper, identified 1,748 valid credentials for major services, including AWS, GitHub, and Stripe. These credentials belonging to multinational corporations, critical infrastructure providers, and government agencies grant programmatic access to cloud platforms, payment systems, and firmware repositories. Among the most concerning discoveries was a global bank exposing cloud credentials on its website, potentially allowing access to core infrastructure. Another case involved firmware repository credentials for drones and remote-controlled devices, raising concerns about malicious updates. The majority of exposed credentials were found in JavaScript files, with AWS credentials accounting for over 16% of verified exposures. Researchers emphasized that this overlooked attack vector credentials embedded in webpages rather than code repositories presents a direct threat to sensitive systems. The study underscores the need for organizations to monitor and secure publicly accessible web assets to prevent unauthorized access.

North Korean Threat Actor Targets Developers in Large-Scale Phishing Campaign A likely North Korean threat actor has conducted a sophisticated phishing campaign, targeting nearly 100 organizations primarily in the U.S. with fake job offers and code-review requests to steal cryptocurrency and credentials. The operation, tracked by Proofpoint as UNK_DeadDrop, sent over 250 malicious emails in April and May 2026, focusing on employees in technology, education, finance, and cryptocurrency firms. ### How the Attack Worked The campaign used shifting pretexts including fake full-stack developer roles, AI payment agent projects, and ERC-4626 smart-contract testing to lure victims into cloning malicious GitHub or GitLab repositories. Once opened in VS Code or Cursor, a hidden tasks.json file executed automatically, exploiting a legitimate editor feature. - VS Code displayed a trust prompt, but Cursor ran the payload silently without user interaction. - The malware installed a fake Google-themed VS Code extension, ensuring persistence by relaunching on macOS and Linux whenever the editor reopened. - Linux/macOS systems received a Go-based remote access trojan (RAT) from the open-source Overlord framework, while Windows ran JavaScript directly in the editor, leaving no disk footprint. ### Data Theft & Wallet Drainage The malware targeted cryptocurrency wallets and browser credentials, including: - Browser extensions: MetaMask, Phantom, Keplr - Desktop wallets: Exodus, Electrum, Ledger Live - Saved passwords & cookies from Chrome, Brave, Edge, and Firefox To bypass security: - macOS/Linux displayed a fake password prompt, using the input to escalate privileges and dump keychains. - Windows bypassed Chrome’s app-bound encryption to extract data. After exfiltration, the malware deleted itself to evade detection. ### Attribution & Distinct Tactics While resembling Contagious Interview a long-running North Korean operation Proofpoint tracks UNK_DeadDrop separately due to its email-led delivery, large-scale repository creation, and self-contained payloads that persist even after infrastructure takedowns. Though attribution remains unconfirmed, the campaign aligns with North Korea’s history of targeting developers since 2022.

Anthropic’s Claude Code Source Leak Exposes Proprietary AI Tool Internals Again On 31 March 2026, security researcher Chaofan Shou discovered that Anthropic’s flagship AI coding tool, Claude Code, had its entire source code exposed through a misconfigured source-map file (`cli.js.map`) included in its npm package. The 60MB file, part of version 2.1.88 released the same day, allowed full reconstruction of the tool’s TypeScript codebase, revealing 1,906 proprietary files including internal APIs, telemetry systems, encryption tools, and inter-process communication protocols. This marks the second such incident in just over a year. In February 2025, an earlier version of Claude Code was similarly exposed, prompting Anthropic to remove the affected package from npm. Despite the prior fix, the issue resurfaced, with the source map referencing unobfuscated TypeScript files hosted in Anthropic’s cloud storage, making the code publicly accessible. Within hours of discovery, the leaked code was archived on GitHub, amassing 1,100+ stars and 1,900+ forks. While the exposure was a packaging oversight not a breach it laid bare the tool’s internal architecture, security mechanisms, and telemetry logic. Anthropic has yet to issue a public statement, though the incident raises concerns about software release practices at AI companies developing enterprise-grade developer tools. Notably, the leak does not involve model weights or user data, meaning end-user security remains unaffected. However, the transparency of Claude Code’s client-side implementation could aid reverse-engineering efforts or inform future attacks on similar systems. The incident underscores persistent risks in AI tooling distribution, particularly as such products gain adoption among global developers and enterprises.

Large-Scale Phishing Campaign Targets Developers via GitHub Discussions A sophisticated phishing campaign is actively targeting developers on GitHub by exploiting the platform’s Discussions feature to distribute fake security alerts for Visual Studio Code (VS Code). Researchers at Socket have identified thousands of nearly identical messages flooding repositories in rapid succession, often within minutes, using newly created or low-activity accounts to automate the attack. The fake posts mimic legitimate security advisories, using alarming titles and fabricated CVE identifiers to create urgency. Attackers impersonate trusted maintainers or security researchers, urging users to download a supposed "updated version" of VS Code via external links typically hosted on trusted file-sharing services like Google Drive. These links redirect victims through a chain of infrastructure controlled by the attackers, bypassing GitHub’s direct distribution channels. Upon clicking, victims land on a JavaScript-based profiling page that collects browser data, operating system details, and other indicators to distinguish real users from bots or security researchers. This filtering mechanism suggests the campaign employs a traffic distribution system, though no direct malware or credential harvesting has been observed at this stage. The next phase whether phishing, exploits, or further malware delivery remains unclear. The campaign’s success stems from GitHub’s perceived trustworthiness, the urgency of security alerts, and the lower moderation thresholds for Discussions compared to official advisories. By flooding repositories with repetitive messages and tagging multiple developers, attackers amplify visibility and pressure victims to act quickly. This incident follows a pattern of GitHub-based attacks, including a March 2025 campaign that abused 12,000 repositories to push malicious OAuth apps and a June 2024 exploit of GitHub’s email system to direct users to phishing pages. Developers are advised to scrutinize unsolicited security notifications, particularly those from new accounts or containing external download links.

Malicious npm Packages Target Axios Users in Supply Chain Attack On March 30–31, an attacker compromised the npm account of a lead Axios maintainer (jasonsaayman) and published two trojanized versions of the widely used JavaScript HTTP client library. The malicious releases [email protected] and [email protected] were designed to infect developer machines across macOS, Windows, and Linux with a cross-platform remote access trojan (RAT). The attack leveraged a hidden dependency, [email protected], disguised as the legitimate crypto-js library. Though never referenced in Axios’s source code, the package executed a postinstall script that contacted a command-and-control (C2) server (sfrclak.com), downloaded a platform-specific RAT payload, and then erased all traces of its execution. The malware deployed differently per OS: - macOS: Dropped a binary at /Library/Caches/com.apple.act.mond, mimicking an Apple system process. - Windows: Copied PowerShell to %PROGRAMDATA%\wt.exe and ran a hidden script. - Linux: Installed a Python-based RAT at /tmp/ld.py. The attacker staged the operation over 18 hours, first publishing a clean decoy version of plain-crypto-js at 05:57 UTC on March 30, followed by the malicious version at 23:59 UTC. The compromised Axios account then released the poisoned packages [email protected] at 00:21 UTC and [email protected] at 01:00 UTC on March 31 targeting both modern (1.x) and legacy (0.x) branches within 39 minutes. StepSecurity’s analysis found the malware initiated C2 communication just 1.1 seconds after installation. After execution, the dropper script (setup.js) deleted itself, replaced its package.json with a clean stub, and altered version metadata to evade detection. Forensic inspection of the installed package would show no signs of tampering. The malicious versions remained live for 2–3 hours before npm unpublished them and locked plain-crypto-js. Neither compromised release appears in Axios’s GitHub repository, confirming they were published directly to npm outside the project’s CI/CD pipeline. Security firms including StepSecurity, Snyk, Wiz, and Vercel have warned that any system running the malicious packages should be considered fully compromised, with all credentials rotated immediately. The incident is tracked in GitHub issue axios/axios#10604. Axios is downloaded roughly 100 million times weekly, amplifying the potential impact.

OpenAI Codex Vulnerability Exposed GitHub Tokens via Command Injection A critical security flaw in OpenAI’s Codex an AI-powered coding assistant integrated with GitHub could have allowed attackers to steal GitHub OAuth tokens through a command injection vulnerability. The issue stemmed from improper handling of branch names during task execution, enabling malicious actors to inject arbitrary shell commands into containerized environments where Codex operates. Researchers demonstrated that the flaw could be exploited to extract short-lived GitHub tokens, which are used to authenticate repository access. These tokens could then be exposed via task outputs or external network requests, granting attackers potential access to sensitive organizational resources. The vulnerability extended beyond the web interface, affecting CLI tools, SDKs, and IDE integrations, where locally stored credentials could be leveraged to reproduce the attack. The risk was particularly acute in enterprise environments, where Codex often has broad permissions across multiple repositories. By embedding malicious payloads in GitHub branch names, an attacker with repository access could compromise multiple users interacting with the same project, enabling lateral movement within GitHub and large-scale exploitation. OpenAI has since patched the vulnerability, implementing stricter input validation, shell escaping protections, and tighter token controls to mitigate exposure. The company also reduced token scope and lifetime during task execution. The incident underscores the growing security challenges of AI-driven development tools, which operate as live execution environments with access to sensitive credentials. As AI agents become more embedded in developer workflows, securing their containerized environments and input processing will require the same rigor as traditional application security boundaries.

Hackers Exploit Claude Code Leak to Spread Vidar Infostealer and GhostSocks Malware Cybercriminals are leveraging the recent accidental leak of Anthropic’s Claude Code source code to distribute malware via fake GitHub repositories. The incident began when an Anthropic employee inadvertently exposed the code, which was quickly archived and forked tens of thousands of times. Threat actors seized the opportunity, creating malicious repos under the username dbzoomh, falsely advertising "unlocked enterprise features" and unrestricted access. Security firm Zscaler identified the fraudulent repositories, which appeared on the first page of Google search results for terms like "leaked Claude Code." The malicious payload a Rust-built executable named ClaudeCode_x64.exe deploys two threats: Vidar, a potent infostealer capable of harvesting browser data, passwords, and cryptocurrency wallets, and GhostSocks, a proxy malware that repurposes infected machines into residential proxies for malicious traffic routing. The attackers continuously updated the malicious archive, suggesting evolving payloads, and experimented with different delivery methods, including a defunct "Download ZIP" button in a separate repo. GitHub has since removed the offending account, rendering the page inaccessible. The incident adds to growing concerns over Anthropic’s security practices amid rapid product expansion. In recent weeks, researchers uncovered multiple vulnerabilities in Claude, including ShadowPrompt (March 27, 2026), a zero-click Chrome extension flaw enabling data exfiltration, and Cloudy Day (March 19, 2026), a three-vulnerability attack chain disclosed by Oasis. Despite fixes, Anthropic’s surging popularity has strained its infrastructure, prompting temporary usage throttling during peak demand.

GitHub, npm, and VS Code Repositories Compromised by Glassworm’s Invisible Unicode Attack Researchers at Aikido Security uncovered a sophisticated campaign by the threat actor Glassworm, which compromised at least 151 GitHub repositories between March 3 and March 9 by embedding malicious payloads in invisible Unicode characters. The attack has since expanded to npm packages and the VS Code Marketplace, with additional infections detected as recently as March 12. The technique exploits Unicode Private Use Area characters (ranges `0xFE00–0xFE0F` and `0xE0100–0xE01EF`), which appear as zero-width whitespace in code editors and terminals effectively hiding malicious code in plain sight. A hidden decoder extracts these bytes and executes them via `eval()`, deploying a second-stage payload that has previously leveraged the Solana blockchain for command-and-control (C2) operations, enabling token theft, credential harvesting, and secret exfiltration. Notable targets include repositories from Wasmer, Reworm, and anomalyco (developers of OpenCode and SST). The same attack pattern was found in two npm packages and one VS Code extension, suggesting broader infiltration. Aikido Security estimates the 151 identified repositories represent only a fraction of the total, as many were deleted before analysis. Unlike previous attacks, this campaign employs subtle, context-aware modifications, such as version bumps and minor refactors, designed to blend seamlessly with legitimate code. The consistency across 151 distinct codebases suggests the use of large language models (LLMs) to automate the generation of plausible cover changes, making manual detection nearly impossible. Glassworm has been active since at least March 2025, when Aikido first documented its Unicode-based attacks in malicious npm packages. By October 2025, the group had expanded to Open VSX and GitHub repositories, leveraging stolen credentials to propagate further. Earlier research by Koi Security revealed that decoded payloads deployed hidden VNC servers and SOCKS proxies for persistent remote access. The Solana-based C2 infrastructure complicates mitigation, as blockchain transactions are immutable. The attack’s sophistication combining invisible code injection, AI-generated camouflage, and decentralized C2 poses a significant challenge for traditional security measures, particularly visual code reviews. Automated tooling capable of detecting zero-width Unicode characters is now critical for defense.

Sophisticated npm-Based Infostealer Targets Windows Users via Malicious Packages On March 12, 2026, JFrog security researchers Guy Korolevski and Meitar Palas uncovered a stealthy cyberattack leveraging the npm ecosystem to distribute the Cipher infostealer. The malware, disguised as a Roblox script executor named "Solara," was embedded in two now-removed npm packages: bluelite-bot-manager and test-logsmodule-v-zisko. The attack chain began with pre-install scripts in the npm packages, which downloaded a Windows executable from Dropbox. Despite appearing benign on VirusTotal where it evaded nearly all antivirus detection the executable acted as a dropper, concealing a 321MB archive containing obfuscated JavaScript, a full Node.js environment, and an embedded Python script. The payload also included elevate.exe, a legitimate tool repurposed to escalate privileges. ### Discord Account Compromise Cipher prioritized Discord credential theft, employing two distinct methods: - BetterDiscord: The malware patched core files to disable webhook protections, ensuring stolen data reached attackers unimpeded. - Official Discord App: A second-stage payload, downloaded from a live GitHub repository, forced users to log out, then captured credentials, 2FA codes, and credit card details upon re-login. Persistence was achieved by modifying Discord’s installation files to auto-execute the malicious script. ### Browser & Cryptocurrency Theft The malware conducted a system-wide sweep for sensitive data, targeting: - Browsers: Chrome, Edge, Brave, Opera, and Yandex stealing passwords, cookies, autofill data, and browsing history. - Cryptocurrency Wallets: Bitcoin, Ethereum, Exodus, Electrum, and others. It actively decrypted Exodus wallet seed files using local libraries. - Python Dependency: If Python wasn’t installed, the malware silently downloaded it to ensure successful data exfiltration. Stolen data was compressed into a ZIP file and transmitted to attackers via file-sharing services or a command-and-control server. ### Response & Mitigation While the malicious npm packages and Dropbox links have been neutralized, the campaign highlights the risks of supply-chain attacks in open-source ecosystems. The use of obfuscation, legitimate tools (elevate.exe), and multi-stage payloads allowed the malware to evade detection, underscoring the need for vigilance in dependency management.

Google’s Cloud Threat Horizons Report Reveals Accelerating Cyber Threats and Flawed Defenses Google’s H1 2026 Cloud Threat Horizons Report, compiled by the Google Threat Intelligence Group, Mandiant Incident Response, and the Office of the CISO, highlights a rapidly evolving threat landscape that outpaces traditional security measures. The report identifies three critical vulnerabilities in enterprise defenses: unchecked identity sprawl, weaponized AI tools, and collapsing exploitation windows all demanding a fundamental shift in security architecture. ### Identity Failures: The Unresolved Crisis Expands For years, stolen credentials and phishing have dominated breach vectors, yet organizations continue to overprovision access prioritizing operational convenience over security. Google’s data reveals that 83% of cloud intrusions in H2 2025 stemmed from identity compromise, but the real concern lies in where these failures occur. Two incidents illustrate the shift: - UNC4899 (North Korean actors) exploited unconstrained CI/CD service accounts in Kubernetes, bypassing human oversight entirely. - UNC6426 leveraged a compromised GitHub token to escalate to full AWS admin access within 72 hours, demonstrating how non-human identities service accounts, OIDC roles, and long-lived tokens now drive attacks. The proliferation of AI agents, which authenticate autonomously and traverse environments at machine speed, risks repeating these mistakes at an unprecedented scale. ### AI as an Attacker’s Reconnaissance Tool The QUIETVAULT credential stealer, embedded in a malicious NPM package, didn’t just exfiltrate tokens it hijacked the victim’s local LLM to scan for sensitive files (.env, .conf, .log) before extracting credentials. The attacker didn’t need to deploy new malware; the developer’s trusted AI-assisted environment became an automated reconnaissance engine, invisible to traditional endpoint detection. Most organizations lack visibility into LLM process execution, let alone policies to detect anomalous activity. ### Exploitation Windows Collapse to Days In H2 2025, threat actors deployed cryptocurrency miners within 48 hours of a critical CVE’s disclosure. Software-based initial access vectors surged from 2.9% to 44.5% of incidents in six months, shrinking the window between vulnerability disclosure and mass exploitation from weeks to days. Manual patching, access reviews, and incident triage are now obsolete Google’s automated forensic pipeline reduced cloud compromise investigations from days to under 60 minutes, proving that human-speed responses are no longer viable. ### The Case for AI-Native Security The report argues that bolting AI onto legacy security tools is insufficient. Instead, enterprises need AI-native security architectures designed for: - Identity governance that accounts for autonomous AI agents, not just human users. - Threat detection that treats LLM activity as a primary signal. - Automated response pipelines where human judgment intervenes only for critical decisions, not as a bottleneck. Adversaries already operate at machine speed, exploiting ungoverned identities and weaponizing AI. Organizations delaying this shift are making a present-tense risk decision one the data shows is already being exploited.

Critical GitHub RCE Vulnerability (CVE-2026-3854) Exposed Millions of Private Repositories Security researchers at Wiz uncovered a severe remote code execution (RCE) vulnerability in GitHub’s internal babeld git proxy, tracked as CVE-2026-3854, which could have allowed authenticated users to compromise backend servers, access millions of private repositories, and achieve full server takeover on GitHub Enterprise Server (GHES). The flaw stemmed from improper sanitization of user-supplied push option values in GitHub’s closed-source infrastructure. When a user executed `git push -o`, arbitrary strings were passed to the server and copied into an internal X-Stat header without filtering semicolons the same delimiter used to separate fields. Attackers could inject malicious key-value pairs, overriding security-critical fields like rails_env, custom_hooks_dir, and repo_pre_receive_hooks. Exploitation required chaining three injected fields: 1. Bypassing the sandbox by forcing unsandboxed execution via a non-production rails_env value. 2. Redirecting hook directories by overriding custom_hooks_dir. 3. Executing arbitrary binaries via path traversal in repo_pre_receive_hooks. No privilege escalation or zero-day dependencies were needed only a standard git client. On GHES, this granted full server compromise, including read/write access to all repositories and internal secrets. On GitHub.com, while the custom hooks path was inactive by default, researchers discovered an injectable enterprise_mode flag, enabling the same attack chain on shared infrastructure. Wiz confirmed that successful exploitation on GitHub.com’s storage nodes could expose millions of repositories across tenants, though they only tested with their own accounts. The vulnerability was notable as one of the first critical flaws in closed-source binaries discovered using AI-augmented reverse engineering, leveraging tools like IDA MCP to rapidly analyze GitHub’s internal protocols. GitHub received the report on March 4, 2026, validated it within hours, and deployed a fix to GitHub.com by 7:00 p.m. UTC the same day. Forensic analysis confirmed no prior exploitation. Patches for GHES were released for versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, and 3.19.4+, though 88% of instances remained unpatched at disclosure. Administrators were advised to check /var/log/github-audit.log for suspicious push operations. GitHub Enterprise Cloud and GitHub.com users required no action.

Malicious Go Module Backdoors Systems with Rekoobe, Steals Credentials Security researchers at Socket’s Threat Research Team uncovered a supply-chain attack targeting the Go ecosystem, where a malicious module impersonated the widely trusted golang.org/x/crypto library. Hosted on GitHub as github.com/xinfeisoft/crypto, the backdoored module was designed to steal credentials and deploy the Rekoobe Linux backdoor on compromised systems. The attack exploited the ReadPassword method in the legitimate ssh/terminal/terminal.go file, silently intercepting passwords as users entered them. Captured credentials were stored locally before being exfiltrated to a remote server controlled by the threat actor. The module also fetched and executed a script from GitHub, which acted as a Linux stager modifying system configurations to establish persistence, weaken security, and download additional payloads. Among the downloaded files, sss.mp5 and 555.mp5 (disguised as media files) were identified as Rekoobe backdoors. The first payload functioned as a reconnaissance tool, while the second, linked to the APT31 (Zirconium) threat group, established command-and-control (C2) communication over TCP port 443, mimicking legitimate HTTPS traffic. Persistence was further ensured by adding an SSH key to authorized_keys and altering iptables rules to allow unrestricted network traffic. The attack chain highlights the risks of unvetted dependencies, particularly in cryptographic libraries handling sensitive operations. Organizations using Go modules were advised to audit dependencies, monitor CI pipelines for suspicious changes, and enforce security controls like multi-factor authentication (MFA) to mitigate supply-chain threats.

Trivy Open-Source Scanner Compromised Again in Supply Chain Attack Aqua Security’s popular open-source vulnerability scanner, Trivy, was compromised for the second time in a month, leading to the distribution of malware designed to steal sensitive CI/CD secrets from GitHub Actions environments. The attack targeted two official GitHub Actions repositories `aquasecurity/trivy-action` and `aquasecurity/setup-trivy` which are widely used to scan Docker images and configure Trivy in workflows. Security researcher Philipp Burckhardt of Socket revealed that attackers force-pushed 75 out of 76 version tags in the `trivy-action` repository, replacing legitimate code with a Python-based infostealer. The malware executes in GitHub Actions runners, harvesting credentials such as SSH keys, cloud provider tokens, database passwords, Kubernetes tokens, and cryptocurrency wallet details. A similar attack affected seven tags in the `setup-trivy` repository. This marks the second supply chain breach involving Trivy in recent weeks. In late February and early March 2026, an autonomous bot (hackerbot-claw) exploited a `pull_request_target` workflow to steal a Personal Access Token (PAT), gaining control of the repository. The attackers then deleted release versions and pushed malicious updates to Trivy’s VS Code extension on Open VSX. The compromised version (0.69.4) executed both legitimate Trivy scans and a data-stealing payload, which: - Scanned systems for environment variables and credentials. - Exfiltrated data via HTTP POST requests to `scan.aquasecurtiy[.]org`. - Established persistence via a systemd service (`sysmon.py`) that fetched and executed additional payloads. Aqua Security confirmed that the attackers abused compromised credentials to publish malicious releases. Unlike typical supply chain attacks, the adversaries rewrote existing tags rather than creating new releases, making detection harder. The exact credential used remains unclear, but the breach stemmed from incomplete containment of the earlier hackerbot-claw incident. Aqua Security acknowledged that token rotation was not atomic, allowing attackers to retain access. The malware operates in three stages: 1. Harvesting environment variables from memory and the filesystem. 2. Encrypting the stolen data. 3. Exfiltrating it to the attacker-controlled server or, if blocked, abusing the victim’s GitHub account to store data in a public repository named `tpcp-docs`. While attribution is unconfirmed, TeamPCP (also known as DeadCatx3, PCPcat, or ShellForce) is suspected due to code self-identification as the "TeamPCP Cloud stealer" and technical overlaps with the group’s known cloud-native theft operations. The focus on Solana validator keys and cryptocurrency wallets aligns with TeamPCP’s financial motivations, though the self-labeling could be a false flag. Aqua Security has since locked down automated actions and tokens to prevent further abuse. The incident underscores risks in tag-based dependency management, as attackers exploited mutable version tags to distribute malware. Security researchers recommend pinning GitHub Actions to full SHA hashes to mitigate similar attacks.

GitHub Copilot Chat Vulnerability (CVE-2025-59145) Exposes Sensitive Data in AI-Assisted Development A high-severity vulnerability in GitHub Copilot Chat, tracked as CVE-2025-59145 (CVSS 9.6), was recently disclosed, allowing attackers to exfiltrate sensitive data including source code, API keys, and cloud secrets from private repositories without executing malicious code. Dubbed "CamoLeak," the exploit leveraged GitHub’s invisible markdown comment syntax to embed hidden instructions, tricking the AI into leaking data under the guise of legitimate queries. The attack underscores a critical risk in AI-assisted development: tools like Copilot inherit the permissions of the user, meaning their security depends entirely on the data they process. The flaw highlights the need for stricter secrets management and monitoring of outbound network requests in AI-driven workflows. No evidence suggests the vulnerability was actively exploited before disclosure, but its potential impact on organizations using AI-assisted coding tools is significant.

Microsoft Patches RoguePilot Vulnerability in GitHub Codespaces Microsoft has resolved a critical vulnerability in GitHub Codespaces, dubbed RoguePilot, which could have allowed attackers to hijack repositories by exploiting GitHub’s AI-powered Copilot feature. Discovered by cybersecurity firm Orca Security, the flaw enabled threat actors to embed hidden malicious instructions within GitHub issues, manipulating Copilot into executing unauthorized actions such as accessing or altering sensitive repository contents without the owner’s knowledge. The attack leveraged GitHub Codespaces, a browser-based development environment designed to streamline collaborative coding. By injecting concealed commands into GitHub issues, attackers could trick Copilot an AI pair programmer into following these instructions during active coding sessions. The vulnerability required no special privileges, making it accessible to anyone with access to a targeted repository’s issues. Upon responsible disclosure by Orca Security, Microsoft swiftly deployed a patch to neutralize the threat, preventing Copilot from processing hidden executable instructions in GitHub issues. While no CVE identifier has been assigned, the fix has been confirmed across affected environments. The incident underscores the growing security risks associated with AI integration in development tools. As AI-assisted coding becomes more prevalent, robust input validation and content filtering are essential to mitigate prompt injection and similar attack vectors. The case also highlights the importance of coordinated disclosure between researchers and vendors in addressing emerging threats.

Microsoft Azure Portal Dependency Confusion Vulnerability Disputed by MSRC Despite RCE Evidence In January 2026, security researcher Wahid Fayad uncovered a dependency confusion vulnerability in Microsoft’s Azure Portal that could enable remote code execution (RCE). While analyzing JavaScript assets on portal.azure.com, Fayad identified a `require` statement referencing an internal NPM module, `@FxInternal/NetDiagnostics`, which did not exist in the public NPM registry. This left the namespace unclaimed and vulnerable to exploitation a technique popularized by researcher Alex Birsan in 2021. To test the flaw, Fayad registered the `@fxinternal` namespace and published a placeholder package with an out-of-band (OOB) HTTP callback payload. Within hours, the callback executed from Microsoft’s infrastructure (AS8075), confirming RCE. The exfiltrated data included internal hostnames, usernames, and node_modules paths, all tied to Microsoft’s development or pipeline environments. Fayad reported the issue to Microsoft’s Security Response Center (MSRC) on January 28, 2026, providing logs showing Azure backend requests validating the package’s execution. Despite this evidence, MSRC closed the case on March 24, asserting the callback originated from "automated security tooling" rather than production systems. After appeals, MSRC maintained the package was "always loaded from an internal source," dismissing the risk of injection. However, the incident triggered broader security concerns. Within a week, threat-intelligence platforms flagged `@fxinternal/netdiagnostics` as a supply-chain threat, and GitHub’s Advisory Database assigned it a 9.3 Critical severity rating (CWE-506: Embedded Malicious Code). The advisory validated the risk independently, regardless of Microsoft’s internal assessment. The case highlights ongoing friction between researchers and MSRC, echoing disputes from the Nightmare-Eclipse saga where six Windows zero-days were exploited in the wild before patches were issued. While Microsoft’s May 2026 security blog documented active dependency confusion attacks targeting NPM packages, the Azure Portal incident underscores the downstream risks: any external developer or CI/CD pipeline mirroring Azure’s assets could inadvertently pull malicious code from the public registry. Microsoft’s dismissal of the RCE evidence contrasts with third-party security systems treating the package as a high-severity threat, raising questions about vulnerability classification processes.

GitHub Actions Vulnerabilities Expose 38% of Organizations to Supply Chain Attacks A recent analysis reveals that 38% of organizations using GitHub Actions are running workflows with script injection vulnerabilities or unsafe trigger configurations, exposing them to significant supply chain risks. GitHub Actions, a core component of modern CI/CD pipelines, automates build, test, and deployment tasks often with elevated privileges and access to source code and credentials. Misconfigurations in these workflows can serve as prime entry points for attackers. Research from Datadog’s 2026 State of DevSecOps found that two out of three organizations have at least one vulnerability in their workflows or actions, expanding the attack surface. Real-world incidents demonstrate how threat actors exploit these weaknesses: - The *s1ngularity* attack abused the `pull_request_target` trigger, which allows workflows to run with heightened privileges. Attackers crafted malicious pull requests dubbed "pwn requests" to execute arbitrary code by exploiting the assumption that external input is trusted. - The *hackerbot-claw* campaign, an AI-driven attack, compromised over half of targeted repositories by injecting malicious input into workflow scripts. For example, unchecked pull request titles could break out of intended commands, enabling remote code execution. - The *TeamPCP* campaign exploited compromised credentials to publish malicious versions of popular tools like Trivy and KICS, manipulating version tags to trick workflows into executing tampered code. This risk is amplified by the fact that 71% of organizations do not pin GitHub Actions to specific commit hashes, leaving them vulnerable to dependency tampering. A successful compromise can have far-reaching consequences, including modified build artifacts, secret exfiltration, or backdoors in distributed software. GitHub has acknowledged these risks and outlined a security roadmap to mitigate them, including: - Deterministic dependency management (locking actions to commit hashes). - Centralized policies to restrict workflow triggers and initiator permissions. - Scoped secrets to limit credential exposure. - Enhanced observability via Actions Data Stream for real-time anomaly detection. - A native egress firewall to monitor and block unauthorized outbound traffic from CI/CD runners. Despite these upcoming protections, organizations remain responsible for securing their workflows treating them as part of the application attack surface, validating external input, and restricting token permissions. As CI/CD pipelines increasingly become high-value targets, insecure GitHub Actions configurations continue to pose a high-impact, widely exploitable threat.

Security Researchers Hijack AI Agents in GitHub Actions via Prompt Injection, Steal API Keys Security researchers from Johns Hopkins University, led by Aonan Guan, successfully hijacked three major AI agents integrated with GitHub Actions Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and Microsoft’s GitHub Copilot using a novel prompt injection attack to steal API keys and access tokens. Despite receiving bug bounties from all three vendors, none issued public advisories or assigned CVEs, leaving users potentially exposed. ### The Attack: "Comment-and-Control" Prompt Injection The researchers exploited a flaw in how AI agents process GitHub data including pull request titles, issue bodies, and comments by injecting malicious instructions. Unlike traditional indirect prompt injection, which relies on a victim manually triggering the AI (e.g., "summarize this file"), this "comment-and-control" method is proactive: simply opening a PR or filing an issue can automatically execute the attack without user interaction. - Anthropic’s Claude: Guan demonstrated that a malicious PR title could force the agent to execute arbitrary commands (e.g., `whoami`) and leak credentials in its JSON response. After reporting the flaw in October, Anthropic updated its documentation to warn users but did not issue a public advisory. - Google’s Gemini: Researchers tricked the agent into exposing its API key by injecting a fake "trusted content section" in an issue comment. Google awarded a $1,337 bounty but did not disclose the vulnerability. - Microsoft’s GitHub Copilot: The most fortified target, Copilot includes runtime defenses (environment filtering, secret scanning, and a network firewall). Guan bypassed these by hiding malicious instructions in an HTML comment invisible to human reviewers but processed by the AI. Microsoft initially dismissed the report as a "known issue" before awarding a $500 bounty in March. ### Impact and Risks The attacks could compromise: - API keys (Anthropic, Gemini) - GitHub access tokens - Repository or organization secrets exposed in GitHub Actions environments Guan warned that the technique likely works on other AI agents integrated with GitHub, including Slack bots, Jira agents, and deployment automation tools. Despite fixes, users pinned to vulnerable versions may remain unaware of the risk. ### Vendor Responses - Anthropic: Updated documentation to warn against untrusted PRs and recommended requiring maintainer approval for external contributions. - Google & Microsoft: Acknowledged the flaws via bug bounties but did not issue public disclosures. - GitHub: Initially unable to reproduce the Copilot exploit but later confirmed it. The research underscores the need for least-privilege access controls in AI agents, treating them like "super-powered employees" with only the necessary permissions to perform their tasks.

The ShinyHunters extortion group exploited compromised Drift OAuth tokens linked to Salesloft to steal over 1.5 billion Salesforce records from 760 companies. Attackers used social engineering and malicious OAuth apps to infiltrate Salesforce environments, exfiltrating massive CRM data—including 250M Account records, 579M Contact records, 171M Opportunity records, 60M User records, and 459M Case records. The breach originated from a GitHub repository compromise at Salesloft, where attackers used TruffleHog to extract secrets, including OAuth tokens for Drift and Drift Email, enabling unauthorized access to Salesforce-integrated systems.The stolen Case data was further mined for AWS keys, Snowflake tokens, and other credentials, facilitating deeper intrusions into victim networks. High-profile targets allegedly include Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, CyberArk, and others. The attackers demanded ransom payments to prevent data leaks, while also searching for additional secrets to expand their campaign. The FBI issued an advisory on the threat actors (UNC6040/6395), warning of ongoing risks. Salesforce advised customers to enforce MFA, least-privilege access, and stricter OAuth app management to mitigate exposure.

The GhostAction attack compromised 327 GitHub accounts, leading to the theft of 3,325 secrets, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare, and AWS keys. The attack began with the hijacking of the FastUUID project, where the maintainer’s account was breached to inject a malicious GitHub Actions workflow named ‘Add Github Actions Security workflow’—designed to exfiltrate sensitive credentials. GitGuardian detected the campaign, reported it to GitHub, and disrupted the operation by rendering the exfiltration server unresponsive. While 100 of 817 affected repositories reverted malicious changes, 573 repositories were alerted via issue notifications (others were deleted or had issues disabled). The attack exposed API keys, access tokens, and deployment secrets, risking downstream supply-chain compromises. A separate but unrelated NPM-based *s1ngularity* attack hit 2,000 accounts concurrently, though no overlap was found between victims.

GitHub’s Copilot Chat, an AI-powered coding assistant, was found vulnerable to a critical flaw named CamoLeak (CVSS 9.6), allowing attackers to exfiltrate secrets, private source code, and unpublished vulnerability details from repositories. The exploit leveraged GitHub’s invisible markdown comments in pull requests or issues—content hidden from human reviewers but parsed by Copilot Chat. By embedding malicious prompts, attackers tricked the AI into searching for sensitive data (e.g., API keys, tokens, zero-day descriptions) and encoding it as sequences of 1x1 pixel images via GitHub’s Camo image-proxy service. The attack bypassed GitHub’s Content Security Policy (CSP) by mapping characters to pre-generated Camo URLs, enabling covert data reconstruction through observed image fetch patterns. Proof-of-concept demonstrations extracted AWS keys, security tokens, and private zero-day exploit notes—material that could be weaponized for further attacks. GitHub mitigated the issue by disabling image rendering in Copilot Chat (August 14) and blocking Camo-based exfiltration, but the incident highlights risks of AI-assisted workflows expanding attack surfaces. Unauthorized access to proprietary code and vulnerability research poses severe threats to intellectual property and supply-chain security.

A critical vulnerability in Git CLI enables arbitrary file writes on Linux and macOS systems, allowing attackers to achieve remote code execution through maliciously crafted repositories when users execute git clone –recursive commands. This vulnerability, assigned a CVSS severity score of 8.1/10, exploits a flaw in Git's handling of configuration values and carriage return characters. Public proof-of-concept exploits are available, and urgent remediation is required across development environments.

GitHub MCP Server Vulnerable to Prompt Injection Attacks, Researchers Warn Researchers at Zurich-based Invariant Labs have identified a prompt injection vulnerability in GitHub’s Model Context Protocol (MCP) server, which could expose sensitive code from private repositories. The issue stems from an architectural flaw rather than a coding error, allowing attackers to manipulate AI agents into leaking confidential data. The attack scenario involves a developer working across both public and private repositories, with an AI agent granted access to the private ones. An attacker posts a malicious issue in a public repository—containing hidden prompts instructing the AI to extract and publish private repository data. When the developer tasks the AI with reviewing the public repository, the agent unknowingly executes the malicious instructions, exposing private code. While the MCP server operates as designed, the attack is low-complexity and high-impact, with no straightforward fix. Researchers suggest mitigations, such as limiting AI agents to one repository per session and enforcing least-privilege access tokens, but these are not foolproof. Open-source developer Simon Willison described the flaw as a "lethal trifecta" for prompt injection, combining private data access, malicious instruction execution, and exfiltration capabilities. Prompt injection—where malicious instructions are embedded in seemingly benign data—remains difficult to prevent due to the unstructured nature of AI interactions. Despite warnings dating back over two years, effective defenses are still lacking. A proposed MCP server update would filter contributions to only those from users with push access, but this could block legitimate input. GitHub’s MCP server, currently in preview (v0.4.0), is open-source, and the vulnerability highlights broader challenges in securing AI-driven development tools. The incident underscores the need for stricter access controls and better prompt injection defenses as AI integration in software development expands.

A vulnerability within GitHub's CodeQL, a security analysis tool, was uncovered that had the potential to be exploited, potentially affecting a vast number of public and private repositories. Despite there being no evidence of actual misuse, the flaw could have allowed for the exfiltration of source code and secrets, jeopardizing the security of internal networks including GitHub's own systems. The vulnerability, which involved the exposure of a GitHub token, was quickly addressed by the GitHub team, showcasing their rapid and impressive response.

New Windows Stealer "BoryptGrab" Spreads via Fake GitHub Repositories in Large-Scale Campaign A sophisticated malware campaign is distributing BoryptGrab, a Windows information stealer, through fake GitHub repositories masquerading as free tools, game cheats, and cracked software. The operation, active since at least April 2025, leverages SEO-optimized README files to rank malicious repositories near legitimate projects in search results, tricking users into downloading infected ZIP archives. ### How the Attack Works Attackers have created over 100 public GitHub repositories advertising enticing but fake software, including: - "Voicemod Pro download tool" - "Valorant performance boost" - "CS2 skin changers" - Cracked utilities and cheat-style tools Victims are redirected through GitHub-hosted pages containing Russian-language comments and base64/AES-based URL redirection logic, ultimately landing on a fake GitHub download page that dynamically generates a malicious ZIP file. ### Infection Chain & Malware Capabilities Once executed, the malware employs multiple infection vectors: - DLL side-loading (via a malicious `libcurl.dll` that decrypts an embedded launcher using XOR + AES-CBC). - VBS/PowerShell downloaders that bypass security controls (e.g., adding Microsoft Defender exclusions) and fetch the BoryptGrab stealer from attacker-controlled servers. - Golang-based downloader (HeaconLoad), which persists via Run-key registry entries and scheduled tasks, beaconing to command-and-control (C2) servers on port 8088. - TunnesshClient, a PyInstaller-packed backdoor that establishes reverse SSH tunnels, allowing attackers to execute commands, exfiltrate files, or use the victim as a SOCKS5 proxy. Some variants also deliver obfuscated Vidar stealer payloads via an `/api/custom_exe?build={BUILD_NAME}` endpoint, using XOR encryption and dynamic API resolution to evade detection. ### What BoryptGrab Steals The C/C++-based stealer includes anti-VM and anti-analysis checks and targets: - Browser data (Chrome, Edge, Firefox, Opera, Brave, Vivaldi, Yandex, etc.), including stored passwords (bypassing Chrome’s App-Bound Encryption). - Cryptocurrency wallets (Exodus, Electrum, Ledger Live, Atomic, Binance, Trezor, and dozens more). - System details, screenshots, Telegram data, and Discord tokens. - Files with specific extensions (via a "Filegraber" module). - Installed applications and hardcoded timestamps. Collected data is compressed and exfiltrated to attacker servers, often followed by the deployment of TunnesshClient for persistent remote access. ### Attribution & Infrastructure - Russian-language comments and log strings in malware components, along with Russian-hosted IP addresses, suggest a Russian-speaking threat actor, though formal attribution remains unconfirmed. - C2 servers communicate over ports 5466 and 8088, with build names (e.g., Shrek, Leon, CryptoByte, Sonic, Yaropolk) used to track infection branches. The campaign demonstrates a mature, evolving ecosystem, combining SEO poisoning, multi-stage downloaders, and SSH-based backdoors to maximize persistence and data theft.

GitHub repositories were compromised, leading to the exposure of install action tokens which fortunately had a limited 24-hour lifespan, thus reducing the risk of widespread exploitation. Endor Labs found that other sensitive credentials like those for Docker, npm, and AWS were also leaked, although many repositories adhered to security best practices by referencing commit SHA values rather than mutable tags, mitigating the potential damage. Despite the reduced impact, due to the potential for threat actors to leverage GitHub Actions, users are advised to implement stricter file and folder access controls to enhance security measures and prevent similar incidents in the future.

AI-Driven Coding Surge Fuels Record-Breaking Secret Leaks on GitHub GitGuardian’s latest State of Secrets Sprawl report reveals a sharp rise in exposed credentials on GitHub in 2025, driven by rapid AI adoption in software development. The year saw 29 million leaked secrets a 34% year-over-year increase marking the largest single-year jump on record. The surge in AI-assisted coding has accelerated vulnerabilities, with AI-generated commits leaking secrets at twice the baseline rate of traditional code. Tools like ClaudeCode exhibited a 3.2% leak rate, double GitHub’s average, while leaks tied to AI services spiked 81% YoY. A key contributor was Model Context Protocol (MCP) configurations, which often embed credentials in files, leading to over 24,000 exposed secrets. Internal repositories proved particularly risky, containing hardcoded secrets at six times the rate of public ones, with 28% of incidents originating from collaboration and productivity tools. The report also highlights growing threats from AI agents, which require local credentials, expanding the attack surface to developer laptops. GitGuardian’s CEO, Eric Fourrier, emphasized the need for security teams to map secret exposure and mitigate risks like overprivileged access. The findings underscore how AI’s integration into development workflows is outpacing security measures, creating new vectors for credential-based breaches.

The GitVenom campaign has aggressively targeted gamers and crypto investors, utilizing GitHub as a platform for hosting malicious projects. With a multitude of fake repositories that contained harmful code, the campaign has deceived users with seemingly legitimate automation tools and crypto bots. The impact of GitVenom included credential theft, unauthorized cryptocurrency transactions, and remote system control through backdoors. The damage extended to personal data compromise and financial losses for the affected users, while also tarnishing GitHub's reputation as a safe space for developers to share code.

A network named Stargazer Goblin manipulated GitHub to promote malware and phishing links, impacting the platform's integrity by boosting malicious repositories' popularity using ghost accounts. These activities aimed to deceive users seeking free software into downloading ransomware and info-stealer malware, compromising user data and potentially causing financial and reputational harm to both GitHub and its users. GitHub’s response was to disable accounts in violation of their policies and continue efforts to detect and remove harmful content.

A sophisticated typosquatting attack targeted GitHub via a malicious npm package ‘@acitons/artifact’ (mimicking the legitimate ‘@actions/artifact’), accumulating 206,000+ downloads before removal. The attack exploited developers mistyping dependency names, deploying a post-install hook that executed obfuscated malware undetected by antivirus tools (0/60 on VirusTotal at discovery). The malware, compiled via Shell Script Compiler (shc), checked for GitHub-specific environment variables (e.g., build tokens) and exfiltrated authentication tokens from GitHub Actions workflows. These tokens could enable attackers to publish malicious artifacts under GitHub’s identity, risking a cascading supply chain compromise. The campaign used hardcoded expiry dates (Nov 6–7, 2023) and AES-encrypted exfiltration via a GitHub App endpoint, evading detection. The attack directly threatened GitHub’s CI/CD infrastructure, with potential downstream risks to repositories, developers, and enterprise customers relying on GitHub Actions. While GitHub removed the malicious packages and users, the incident highlights critical vulnerabilities in dependency trust models and the escalating threat of supply chain attacks (OWASP Top 10 2025).

The Banana Squad threat group, active since April 2023, compromised over 60 GitHub repositories by trojanizing them with malicious Python-based hacking kits. These repositories masqueraded as legitimate hacking tools but contained hidden backdoor payloads, designed to deceive developers and security researchers into downloading and executing them. The attack leveraged supply-chain compromise tactics, exploiting GitHub’s open-source ecosystem to distribute malware under the guise of trusted repositories. The campaign, uncovered by ReversingLabs, revealed that the fake repositories mimicked well-known tools, embedding stealthy backdoor logic that could grant attackers unauthorized access to systems, exfiltrate data, or deploy further payloads. While the direct financial or operational damage to GitHub itself remains undisclosed, the incident poses severe reputational risks to the platform, eroding trust among developers who rely on GitHub for secure code sharing. Additionally, downstream victims—developers or organizations that unknowingly integrated the trojanized tools—face potential data breaches, system compromises, or lateral attacks stemming from the malicious payloads. The attack underscores vulnerabilities in open-source supply chains, where threat actors exploit typosquatting and repository spoofing to distribute malware. Though no large-scale data leaks or ransomware demands were reported, the deception-based nature of the attack and its potential to enable follow-on cyber intrusions classify it as a high-severity reputational and operational threat to GitHub’s ecosystem.

The GitHub Desktop for Mac and Atom programs, GitHub confirmed that threat actors exfiltrated encrypted code signing certificates. Customer data was not affected, the company claimed, because it was not kept in the affected repositories. According to the business, there is no proof that the threat actor was able to use or decrypt these certificates. According to the business, neither GitHub.com nor any of its other services have been affected by the security compromise.

An unknown attacker is using stolen OAuth user tokens to download data from private repositories on Github. The attacker has already accessed and stolen data from dozens of victim organizations. Github immediately took action and started notifying all the impacted users and organizations about the security breach.

GitHub experienced a ransomware attack which include at least 392 GitHub repositories. Some users who fell victim to this hacker have admitted to using weak passwords for their GitHub, GitLab, and Bitbucket accounts. However, all evidence suggests that the hacker has scanned the entire internet for Git config files, extracted credentials, and then used these logins to access and ransom accounts at Git hosting services. It was found that Hundreds of developers have had Git source code repositories wiped and replaced with a ransom demand.

GitHub, the top software development platform in the world, made some users reset their passwords after discovering an issue that resulted in credentials being recorded in plain text in internal logs. A routine corporate audit uncovered the problem, which involved some users sharing on Twitter the email correspondence that the organisation had received. The business promptly stated that user data was safe and that none of its systems had been compromised. The business further stated that the plaintext passwords were not publicly available and could only be seen by a limited number of its IT workers through internal log files.

GitHub was hit by a major DDoS attack that made the website unavailable to many users for several hours. The attackers injected malicious JavaScript code into the pages of those websites that were responsible for the hijacking of their visitors to Github. Github investigated the incident and removed several repositories to secure its servers.