A wave of coordinated supply-chain incidents—centered on the Mini/Shai-Hulud worm—has undermined trust across npm, PyPI and GitHub. Attackers abused maintainer accounts, misconfigured CI (notably GitHub Actions/OIDC), and IDE/extension hooks to push hundreds of malicious package releases that harvest credentials, persist on developer machines and contaminate pipelines. High-profile victims include TanStack, @antv, Mistral and node-ipc, while Microsoft/GitHub also face internal exposures from compromised employee devices and leaked keys. The cascade highlights systemic weaknesses: install-time scripts, mutable dependencies, over-permissioned workflows, and poor secret hygiene—prompting urgent calls for package signing, stricter workflow defaults, secret scanning and vendor-diversified CI strategies.
Coordinated supply-chain worm activity is forcing developers and platform operators to reassess dependency trust, CI defaults and secret hygiene. Tech teams must adapt build and release controls to prevent credential theft and long-lived pipeline persistence.
Dossier last updated: 2026-05-20 19:26:58
GitHub confirmed that roughly 3,800 internal repositories were breached after an employee installed a trojanized Visual Studio Code extension. The company removed the malicious extension from the VS Code Marketplace, isolated the compromised endpoint, and began incident response; it says the activity appears limited to GitHub-internal repositories and has found no evidence of customer data exposure so far. The TeamPCP hacker group claimed responsibility on a cybercrime forum, offering the stolen data for at least $50,000; TeamPCP has been linked to previous supply-chain attacks affecting developer platforms. The incident highlights risks from malicious editor extensions and the wider supply-chain threat to developer tools and code hosts.
Submitted by /u/creasta29 on Reddit. Link: https://neciudan.dev/github-actions-poisoning (comments: https://www.reddit.com/r/programming/comments/1tivw33/httpsneciudandevgithubactionspoisoning/)
GitHub says about 3,800 internal repositories were breached after an employee installed a trojanized VS Code extension; the malicious plugin has been removed and the compromised device isolated. The company believes exfiltration was limited to internal repositories and sees no evidence so far of broader customer data exposure. The TeamPCP hacker group has claimed responsibility and is trying to sell roughly 4,000 repos, citing past supply-chain campaigns that hit developer platforms including PyPI, npm and Docker. The incident underscores risks from malicious IDE extensions and supply-chain attacks across developer tooling, especially given GitHub's central role for millions of developers and organizations.
GitHub confirmed on May 20 that a malicious VS Code extension on an employee device allowed attackers to exfiltrate roughly 3,800 internal repositories, a claim echoed by threat group TeamPCP (tracked by Google as UNC6780), which is offering the code for sale. The incident is part of a broader Mini Shai-Hulud supply-chain campaign traced by Trend Micro, StepSecurity and Snyk that has hit multiple open-source tools and packages (npm, PyPI, Trivy, TanStack, Mistral AI). GitHub isolated the endpoint, removed the extension, and rotated high-impact secrets; the breach exposes infrastructure configuration, deployment scripts and API schemas rather than customer data. Security firms warn this wave highlights rapid exploitation of supply-chain and developer-tooling vectors, increasing risk to software supply chains and AI middleware.
Sergiu Gatlan / BleepingComputer : GitHub confirms breach of ~3,800 repositories after one of its employees installed a malicious VS Code extension; TeamPCP claimed responsibility for the hack — GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension.
GitHub confirmed an unauthorized access incident after an employee device was compromised by a malicious Visual Studio Code extension, leading to the exposure of roughly 3,800 internal repositories. The company detected and contained the incident, removed the poisoned extension, isolated affected endpoints, and began an investigation. GitHub said it rotated critical keys overnight, prioritized high-impact credentials, is validating logs and key rotations, and continues monitoring for follow-on activity. The breach appears limited to internal repositories so far; GitHub plans to take further actions as needed and will publish a fuller post-incident report once the investigation concludes. This matters for developer security and supply-chain trust in editor extensions.
Microsoft warned internally that GitHub faces an existential risk as AI coding tools from competitors—Cursor, Anthropic’s Claude Code, and OpenAI-related offerings—change how developers write, debug and collaborate, potentially reducing the need to continuously host code on GitHub. The Information reports Microsoft teams had been trialing multiple tools; a senior exec ordered consolidation onto GitHub Copilot CLI by end of June to standardize toolchains, align with repos and security workflows, and cut costs ahead of FY2027. Microsoft still preserves access to Anthropic models in some Copilot and Microsoft 365 features, and OpenAI has explored building an alternative platform, underscoring pressure on GitHub’s core hosting and service role.
Security researchers have identified a large npm supply-chain attack impacting 314 packages, with dozens flagged as malicious across popular libraries and plugins. Reports list compromised versions of Strapi plugins, litellm, telnyx, and others marked as high risk; some widely used packages (rails, vue) were scanned and deemed safe. The incident matters because compromised npm packages can execute malicious code in developer machines and CI/CD pipelines, spreading to production systems and AI tooling. Developers and security teams should immediately audit dependencies, lock or pin versions, review recent installs, and use supply-chain scanning tools to block or remove infected packages. Vendor advisories and further forensic details are expected as investigations continue.
Bill Toulas / BleepingComputer : Threat actors published 600+ malicious versions to npm as part of the Shai-Hulud supply chain campaign; most of the affected packages are in the @antv ecosystem — Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign.
Submitted by /u/PM-ME-UR-DARKNESS on Reddit. Link: https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/ (comments: https://www.reddit.com/r/programming/comments/1thze09/cisa_accidentally_leaked_their_own_keys_on_github/)
Security researcher Brian Krebs reports that a public GitHub repository named “Private-CISA” contained plaintext passwords, SSH private keys, tokens and other sensitive CISA assets exposed since at least November 2025. The repo was flagged by GitGuardian and its founder Guillaume Valadon, who says the repository owner did not respond and commit logs indicate GitHub’s default secret-scanning protections had been disabled. The leak points to severe operational security failures at the Cybersecurity and Infrastructure Security Agency (CISA), risking credential theft, system compromise and erosion of trust in a U.S. federal cybersecurity agency. The exposure underscores the need for stronger secret management, automated detection and strict governance for critical infrastructure teams.
Hackers have compromised dozens of popular open source packages in an ongoing supply chain attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) mistakenly published sensitive cryptographic keys and digital credentials in a public GitHub repository, exposing internal assets. Security researchers and commenters flagged the leak as severe, noting exposed keys can enable impersonation, code signing abuse, and lateral network access. CISA removed the files after the exposure was reported, but the incident underscores operational security lapses at a high-profile federal cybersecurity agency and raises concerns about credential management, secrets scanning, and supply-chain risk. The episode matters because it weakens trust in a national cyber-defender, may require credential revocation and audits, and highlights the need for stricter developer workflows and automated secret-detection tooling across government and industry.
Security researchers at SafeDep disclosed on May 19, 2026 that the npm account atool was breached and used to publish 637 malicious releases across 317 packages in a 22-minute burst. The payload is a 498KB obfuscated Bun script matching the Mini Shai-Hulud toolkit seen in a recent SAP supply-chain attack; it harvests an extensive range of credentials (AWS, GitHub PATs, npm tokens, Kubernetes service accounts, Vault, SSH keys, etc.), attempts container escape, and exfiltrates data by committing Git objects to public GitHub repos. The malware achieves persistence via systemd/LaunchAgent, GitHub Actions workflow injection, VS Code tasks, and AI-agent hooks (Claude Code, Codex), abuses OIDC to mint npm publish tokens, and even signs artifacts through Sigstore using stolen identities. The scale, automated propagation via preinstall hooks and optionalDependencies, and the ability to forge provenance make this a major supply-chain and CI/CD threat to the JavaScript ecosystem.
A maintainer account for the npm scope atool was compromised and an attacker published 631 malicious releases across 314 packages in about 22 minutes, including popular modules like @antv, echarts-for-react, size-sensor and timeago.js. The injected code aims to exfiltrate credentials and secrets—AWS keys, GitHub tokens, npm credentials, SSH keys, DB strings, Docker/Kubernetes tokens—and can escape containers if the Docker socket is exposed to gain privileged host access. This supply-chain incident underscores the risks of compromised maintainer accounts and the need for strict package signing, multi-factor authentication, secret scanning, container hardening, and rapid incident response to protect downstream projects and production systems.
Bitwarden has made several low-profile leadership and messaging changes, according to an opinionated report citing public profiles and site edits. Fast Company reported that longtime CEO Michael Crandell shifted to an advisory role in February 2026, with Michael Sullivan—formerly CEO of Acquia and Insightsoftware—taking over. The article notes Sullivan highlights mergers-and-acquisitions and private-equity experience, including Acquia’s $1 billion Vista Equity Partners deal (2019) and a $1 billion Hg investment in Insightsoftware (2021). CFO Stephen Morrison reportedly left in April, replaced by former InVision CEO Michael Shenkman, while founder Kyle Spearrin remains CTO. Separately, the “Always free” language disappeared from Bitwarden’s personal plan page in mid-April, and the company’s GRIT values were revised after May 4, removing “Inclusion” and “Transparency.”
Four supply-chain incidents over 50 days hit OpenAI, Anthropic, Meta and major open-source ecosystems, revealing a shared blind spot: release pipelines and CI/CD trust hooks. A worm (Mini Shai-Hulud) pushed 84 malicious npm versions in six minutes by exploiting GitHub Actions misconfigurations and OIDC token extraction, producing valid SLSA provenance despite being malicious. OpenAI had two developer devices compromised and is revoking macOS certificates; Anthropic accidentally published a huge source map exposing agent orchestration and system prompts; LiteLLM was poisoned on PyPI and led to Mercor data exfiltration affecting Meta and others; and Codex had a command-injection flaw via branch names. The incidents show model-focused red teams miss pipeline, packaging, and dependency attack surfaces that can compromise AI supply chains.
A developer experimenting with moving CI off GitHub Actions to avoid vendor lock-in and platform degradation is prototyping Tekton, a Kubernetes-native CI/CD operator. The author wants to run pipelines on spare homelab compute to make workflows vendor-neutral and resilient to “enshittification,” noting Tekton concepts (Task, TaskRun, Pipeline, PipelineRun) map to Actions primitives. They cite Tack as a bridge for Tangled/Nix integrations and describe practical issues encountered—PVC permissions, repo cloning, Go test caching, and Kaniko Docker build VCS errors—while adapting GitHub-dependent actions to Tekton. This matters because adopting Kubernetes-based CI can decouple projects from GitHub-specific features, enabling portable, self-hosted pipelines.
A popular Node.js package, node-ipc, was poisoned with credential-stealing malware in three newly published npm versions (9.1.6, 9.2.3, 12.0.1). Security researchers say the attacker likely compromised an inactive maintainer account and injected heavily obfuscated CommonJS code that runs automatically when the package is loaded, harvesting environment variables, cloud provider credentials (AWS, Azure, GCP, OCI, DigitalOcean), SSH keys, container/Kubernetes/Terraform tokens, .env and other local secrets. Stolen data is tarred and exfiltrated via DNS TXT queries to evade detection. The malware avoids large files, .git and node_modules, leaves no persistence, and appears designed for rapid data theft across developer machines, CI systems, and servers, risking wide supply-chain impact given node-ipc’s high download volume.
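An added example, not taken from any of the reports summarized here: a lockfile audit that flags the three node-ipc versions named above and lists every dependency that declares an install-time script, the propagation path the Shai-Hulud items describe. The function names and the sample lockfile are constructed for illustration; `hasInstallScript` is the field npm writes into lockfile v2/v3 entries.

```javascript
// Added example: audit a parsed package-lock.json for the node-ipc
// versions named in the report above, and list install-script packages.
const BAD_NODE_IPC = new Set(["9.1.6", "9.2.3", "12.0.1"]);

// Package name from a lockfile v2/v3 path key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = { compromised: [], installScripts: [] };
  const check = (name, meta, where) => {
    if (name === "node-ipc" && BAD_NODE_IPC.has(meta.version)) {
      findings.compromised.push({ name, version: meta.version, where });
    }
    if (meta.hasInstallScript) {
      findings.installScripts.push({ name, version: meta.version, where });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key !== "") check(meta.name || nameFromPath(key), meta, key);
  }
  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      check(name, meta, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile (not a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/left/node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/@demo/native": { version: "2.0.0", hasInstallScript: true },
  },
};
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

To audit a real project, pass `auditLockfile` the parsed contents of its `package-lock.json`; transitive copies nested under other packages are reported with their full install path.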
A major supply-chain attack on the npm registry compromised millions of apps and exposed billions of user records after a malicious actor took over an abandoned JavaScript package and injected harmful code into builds. Developers across the Node.js ecosystem described the incident as unavoidable, criticizing deep dependency trees, unvetted pseudonymous maintainers, and npm’s permissive install-time scripts. Observers contrasted this with ecosystems like Go and Rust, which reported no similar breaches thanks to stronger standard libraries and built-in cryptographic verification. The breach highlights systemic risks in JavaScript dependency management and renews calls for registry policies, build sandboxes, and stricter package vetting to protect production systems and cloud credentials.