A coordinated surge of supply-chain attacks has infected npm packages, VS Code extensions and GitHub CI workflows, allowing attackers to exfiltrate credentials, cloud tokens and internal source code. Campaigns like Mini Shai-Hulud and Megalodon rapidly published hundreds of malicious npm releases and injected backdoored GitHub Actions into thousands of repos, while trojanized VS Code extensions enabled breaches of roughly 3,800 GitHub internal repositories. Researchers tie the activity to prolific groups (TeamPCP/UNC6780) exploiting weak maintainer account security, developer endpoints, and CI trust models. The wave exposes systemic risks across developer tooling, prompting urgent calls for staged publishing, stricter CI governance, package signing, secret scanning, and hardened developer workflows.
The worm shows that developer tooling, packages, and editor extensions can be leveraged to breach orgs and exfiltrate secrets end-to-end. Tech teams must reassess trust boundaries, CI/workflow permissions, and dependency hygiene to prevent widespread compromise.
Dossier last updated: 2026-05-21 19:21:36
A widely used JavaScript template package, art-template, was confirmed as the latest victim of a supply-chain attack on the npm ecosystem, where attackers have controlled the repository since 2025 and injected unauthorized remote JavaScript (including calls to Baidu Analytics). Developers and sysadmins raced to assess exposure across projects that pull dependencies via npm, which the article argues is the dominant vector for such incidents. Users quoted describe a sense of helplessness and point to weak maintainer account security as a root cause; the breach underscores ongoing risks in package-manager distributed dependencies and the need for stronger supply-chain practices. Upstream art-template documentation has been published with details.
On May 18, 2026, a campaign dubbed Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours, injecting GitHub Actions workflows that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens and source code artifacts to a C2 at 216.126.225.129:8443. The attacker used throwaway accounts and forged identities (build-bot, auto-ci, ci-bot, pipeline-bot) and deployed two variants: a mass SysDiag workflow that triggers on push and pull_request_target, and a targeted Optimize-Build variant that replaces workflows and exposes a workflow_dispatch backdoor. The campaign also propagated via the npm package @tiledesk/tiledesk-server (v2.18.6–2.18.12). This matters because CI workflow compromise allows large-scale credential theft and cloud identity impersonation, threatening downstream supply chains and cloud environments.
GitHub is facing a crisis inside Microsoft after a wave of outages, a remote code execution vulnerability, and a supply-chain compromise that exposed internal repos, coinciding with leadership upheaval and a continuing talent exodus. After CEO Thomas Dohmke’s departure last summer, Microsoft folded GitHub under its CoreAI group led by Jay Parikh, who opted not to install a new GitHub CEO; that shift and poor internal morale reportedly accelerated departures and defections to startups like Entire. Competitive pressure is rising too: rivals such as Cursor and Anthropic’s Claude Code have narrowed GitHub Copilot’s lead, prompting Microsoft to reconsider acquisitions and reallocate developer resources to improve Copilot. The situation matters because GitHub’s stability, security, and ability to retain engineering talent are critical to the broader developer ecosystem and Microsoft’s AI tooling strategy.
Security researchers uncovered an automated campaign that injected malicious CI workflow commits into thousands of GitHub repositories: over 5,700 poisoned commits across 5,561 repos in about six hours. Attackers used throwaway accounts and forged commit authors (e.g., build-bot, auto-ci, ci-bot, pipeline-bot) with innocuous messages like "ci: add build optimization step" to insert backdoored GitHub Actions steps. The change could enable supply-chain compromise by running attacker-controlled code in downstream builds or leaking secrets. The campaign highlights risks in trusting external pull requests and the need for stricter CI governance, code-review policies, and repository protection to prevent automated backdoor propagation through developer tooling.
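The two Megalodon summaries above name concrete, defender-usable indicators: a C2 endpoint, two workflow names, two trigger types and a set of forged commit identities. The scanner below turns them into a repository triage check. It is an added example, not code from the original page or from any of the researchers cited; it is deliberately text-based so it runs without a YAML library, and the three sample workflows are constructed here with the malicious steps replaced by placeholder script names. The `pull_request_target`-plus-secrets rule is a general hardening check, not something the page states about this campaign.

```python
"""Triage scanner for GitHub Actions workflows and commit metadata, using the
Megalodon indicators quoted above.  Text-based on purpose: it needs no
third-party library and is not thrown off by unusual YAML layouts."""
import os
import re
from dataclasses import dataclass

# Indicators taken from the campaign description above.
C2_INDICATOR = "216.126.225.129:8443"
SUSPICIOUS_NAMES = ("SysDiag", "Optimize-Build")
FORGED_AUTHORS = frozenset({"build-bot", "auto-ci", "ci-bot", "pipeline-bot"})
SUSPICIOUS_MESSAGE = "ci: add build optimization step"
_QUOTE = r"""['"]?"""


@dataclass(frozen=True)
class Finding:
    path: str
    severity: str  # "critical", "high" or "medium"
    reason: str


def _has_trigger(text: str, trigger: str) -> bool:
    """Match both YAML trigger spellings: an entry on its own line
    ('  pull_request_target:' or '  - pull_request_target') and the inline
    list form ('on: [push, pull_request_target]')."""
    t = re.escape(trigger)
    pattern = rf"(?m)^\s*(?:-\s*)?{t}\s*:?\s*$|\[[^\]]*\b{t}\b[^\]]*\]"
    return re.search(pattern, text) is not None


def scan_workflow(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    if C2_INDICATOR in text:
        findings.append(Finding(path, "critical", f"references reported C2 endpoint {C2_INDICATOR}"))
    for name in SUSPICIOUS_NAMES:
        if re.search(rf"(?m)^\s*(?:-\s*)?name:\s*{_QUOTE}{re.escape(name)}{_QUOTE}\s*$", text):
            findings.append(Finding(path, "high", f"workflow or step named {name!r}"))
    reads_secrets = "secrets." in text
    if _has_trigger(text, "pull_request_target") and reads_secrets:
        # pull_request_target runs with the base repository's secrets; if the job also
        # checks out or executes PR-supplied code, an outside PR can reach them.
        findings.append(Finding(path, "medium",
                                "pull_request_target trigger in a workflow that reads secrets"))
    if _has_trigger(text, "workflow_dispatch") and any(f.severity == "high" for f in findings):
        findings.append(Finding(path, "medium",
                                "manually dispatchable workflow with a suspicious name (targeted variant pattern)"))
    return findings


def flag_commit(author: str, message: str) -> bool:
    """True when commit metadata matches the forged identities or message above."""
    return author.strip().lower() in FORGED_AUTHORS or message.strip().lower() == SUSPICIOUS_MESSAGE


def scan_directory(repo_root: str) -> list[Finding]:
    """Scan every workflow under <repo_root>/.github/workflows on disk."""
    wf_dir = os.path.join(repo_root, ".github", "workflows")
    findings: list[Finding] = []
    if os.path.isdir(wf_dir):
        for fn in sorted(os.listdir(wf_dir)):
            if fn.endswith((".yml", ".yaml")):
                path = os.path.join(wf_dir, fn)
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_workflow(path, fh.read()))
    return findings


# Constructed sample workflows (not real files); malicious steps are placeholders.
BENIGN = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
MASS_VARIANT = """\
name: SysDiag
on: [push, pull_request_target]
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - name: SysDiag
        env:
          REPORT_TO: 216.126.225.129:8443
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./sysdiag.sh   # placeholder for the omitted payload
"""
TARGETED_VARIANT = """\
name: Optimize-Build
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Optimize build
        run: ./optimize.sh   # placeholder
"""
SAMPLES = {"ci.yml": BENIGN, "sysdiag.yml": MASS_VARIANT, "optimize.yml": TARGETED_VARIANT}


def scan_samples() -> dict[str, list[Finding]]:
    return {path: scan_workflow(path, text) for path, text in SAMPLES.items()}


if __name__ == "__main__":
    for path, found in scan_samples().items():
        print(path, "clean" if not found else "")
        for f in found:
            print(f"  [{f.severity}] {f.reason}")
```

Run it against a checkout with `scan_directory(".")`, and feed `flag_commit` the author and subject of each commit from `git log` over the window of interest; a hit on the forged author names or the quoted commit message is the cheapest first filter, with the workflow findings deciding what to revert first.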
Runtime, a YC-backed startup (P26) founded by Gus and Carlos, launched an infra product that provisions sandboxed coding-agent environments so entire teams — including non-engineers — can use models like Claude Code, Codex, Copilot, Gemini and Devin safely. Engineering defines context, skills, and scoped integrations once; Runtime snapshots full running environments (Docker Compose, Kafka, Redis, seeded DBs) and orchestrates sandboxes across providers (E2B, Daytona, EC2, or self-hosted K8s). Secrets are proxied, and infra-level guardrails (command allow/deny, egress controls, RBAC) limit risk. Integrations include Slack, GitHub, PagerDuty, and Linear. Core is open source on GitHub, with a hosted SaaS offering and customers already in fintech and YC scaleups. This matters because it lowers the barrier to deploying agentic workflows while reducing security and operational friction.
Sergiu Gatlan / BleepingComputer: GitHub links the breach of 3,800 internal repositories to the TanStack npm supply-chain attack, saying hackers used a malicious Nx Console VS Code extension — GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension …
GitHub disclosed that a developer’s VSCode extension was ‘poisoned’ in a supply-chain attack by a prolific hacker group called TeamPCP, which claims to have accessed roughly 4,000 GitHub repositories and advertised the company’s source code for sale. Security firms say TeamPCP has run at least 20 attack “waves” in recent months, tainting over 500 distinct open-source projects and compromising hundreds of downstream organizations, including AI company Anthropic and data firm Mercor. The group’s playbook inserts malware into widely used developer tools to harvest credentials, push malicious package versions, and then scale further—creating a self-reinforcing cycle of supply-chain compromise. The spree underscores growing systemic risk to software development ecosystems and the need for stronger supply-chain defenses.
GitHub confirmed that about 3,800 internal repositories were breached after an employee installed a trojanized VS Code extension; the malicious extension was removed and the compromised endpoint isolated during ongoing incident response. GitHub says the activity appears limited to internal repositories and there’s no current evidence of exposed customer data outside those repos. The cybercrime group TeamPCP claimed responsibility and is offering the purportedly stolen code for sale, and has been linked to prior supply-chain attacks targeting developer platforms. The incident highlights persistent risks from malicious editor extensions and supply-chain vectors that can expose sensitive corporate source code and developer credentials.
Staged publishing for npm packages
GitHub confirmed a breach via a malicious VS Code extension that compromised an employee device and exfiltrated internal repositories — roughly consistent with the attacker’s claim of ~3,800 repos. The incident highlights a wider, ongoing supply-chain campaign by groups like TeamPCP/UNC6780 that has targeted developer tooling (Trivy, Checkmarx, LiteLLM, Bitwarden CLI, PyTorch Lightning) and npm accounts, pushing malicious packages that harvest tokens, keys, and secrets. The article warns that developer endpoints — laptops running trusted third-party binaries, extensions, and local AI agents — are high-privilege, under-monitored perimeters; compromising their supply chain bypasses platform controls and can pivot into cloud and production environments. The piece calls for reassessing trust models around local developer tooling and tighter controls on agent/extension distribution and credentials.
GitHub confirmed that roughly 3,800 internal repositories were breached after an employee installed a trojanized Visual Studio Code extension. The company removed the malicious extension from the VS Code Marketplace, isolated the compromised endpoint, and began incident response; it says the activity appears limited to GitHub-internal repositories and has found no evidence of customer data exposure so far. The TeamPCP hacker group claimed responsibility on a cybercrime forum, offering the stolen data for at least $50,000; TeamPCP has been linked to previous supply-chain attacks affecting developer platforms. The incident highlights risks from malicious editor extensions and the wider supply-chain threat to developer tools and code hosts.
Submitted by /u/creasta29: https://neciudan.dev/github-actions-poisoning (discussion: https://www.reddit.com/r/programming/comments/1tivw33/httpsneciudandevgithubactionspoisoning/)
GitHub says about 3,800 internal repositories were breached after an employee installed a trojanized VS Code extension; the malicious plugin has been removed and the compromised device isolated. The company believes exfiltration was limited to internal repositories and sees no evidence so far of broader customer data exposure. The TeamPCP hacker group has claimed responsibility and is trying to sell roughly 4,000 repos, citing past supply-chain campaigns that hit developer platforms including PyPI, npm and Docker. The incident underscores risks from malicious IDE extensions and supply-chain attacks across developer tooling, especially given GitHub's central role for millions of developers and organizations.
GitHub confirmed on May 20 that a malicious VS Code extension on an employee device allowed attackers to exfiltrate roughly 3,800 internal repositories, a claim echoed by threat group TeamPCP (tracked by Google as UNC6780) who is offering the code for sale. The incident is part of a broader Mini Shai-Hulud supply-chain campaign traced by Trend Micro, StepSecurity and Snyk that has hit multiple open-source tools and packages (npm, PyPI, Trivy, TanStack, Mistral AI). GitHub isolated the endpoint, removed the extension, and rotated high-impact secrets; the breach exposes infrastructure configuration, deployment scripts and API schemas rather than customer data. Security firms warn this wave highlights rapid exploitation of supply-chain and developer-tooling vectors, increasing risk to software supply chains and AI middleware.
Sergiu Gatlan / BleepingComputer: GitHub confirms breach of ~3,800 repositories after one of its employees installed a malicious VS Code extension; TeamPCP claimed responsibility for the hack — GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension.
GitHub confirmed an unauthorized access incident after an employee device was compromised by a malicious Visual Studio Code extension, leading to the exposure of roughly 3,800 internal repositories. The company detected and contained the incident, removed the poisoned extension, isolated affected endpoints, and began an investigation. GitHub said it rotated critical keys overnight, prioritized high-impact credentials, is validating logs and key rotations, and continues monitoring for follow-on activity. The breach appears limited to internal repositories so far; GitHub plans to take further actions as needed and will publish a fuller post-incident report once the investigation concludes. This matters for developer security and supply-chain trust in editor extensions.
Microsoft warned internally that GitHub faces an existential risk as AI coding tools from competitors—Cursor, Anthropic’s Claude Code, and OpenAI-related offerings—change how developers write, debug and collaborate, potentially reducing the need to continuously host code on GitHub. The Information reports Microsoft teams had been trialing multiple tools; a senior exec ordered consolidation onto GitHub Copilot CLI by end of June to standardize toolchains, align with repos and security workflows, and cut costs ahead of FY2027. Microsoft still preserves access to Anthropic models in some Copilot and Microsoft 365 features, and OpenAI has explored building an alternative platform, underscoring pressure on GitHub’s core hosting and service role.
Security researchers have identified a large npm supply-chain attack impacting 314 packages, with dozens flagged as malicious across popular libraries and plugins. Reports list compromised versions of Strapi plugins, litellm, telnyx, and others marked as high risk; some widely used packages (rails, vue) were scanned and deemed safe. The incident matters because compromised npm packages can execute malicious code in developer machines and CI/CD pipelines, spreading to production systems and AI tooling. Developers and security teams should immediately audit dependencies, lock or pin versions, review recent installs, and use supply-chain scanning tools to block or remove infected packages. Vendor advisories and further forensic details are expected as investigations continue.
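The remediation steps listed above (audit dependencies, pin versions, review installs) are mechanical enough to script. The audit below reads a `package-lock.json`, flags installed versions that fall inside an advisory range, and lists dependency specs that are ranges rather than exact versions. It is an added example, not the article's or any vendor's tooling: the only concrete advisory entry is the `@tiledesk/tiledesk-server` 2.18.6–2.18.12 range quoted in the Megalodon summary above, the 314-package list is not reproduced here and must be filled in from vendor advisories, and the sample lockfile is constructed.

```python
"""Audit an npm lockfile against an advisory list and flag unpinned dependency
specs.  Added example; the advisory list holds only the range quoted above."""
import json
import re
import sys

# Affected range taken from the Megalodon summary above.  Every further entry is a
# PLACEHOLDER to be filled from vendor advisories; nothing else is asserted here.
ADVISORIES = [
    {"name": "@tiledesk/tiledesk-server", "min": "2.18.6", "max": "2.18.12",
     "note": "malicious releases used to propagate the Megalodon campaign"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.18.9', 'v2.18' or '2.18.9-beta.1' into a comparable numeric triple."""
    core = re.split(r"[-+]", v.lstrip("v"), maxsplit=1)[0]
    if not re.fullmatch(r"\d+(?:\.\d+){0,2}", core):
        raise ValueError(f"not a plain semver version: {v!r}")
    parts = [int(x) for x in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version: str, lo: str, hi: str) -> bool:
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def installed_packages(lock: dict):
    """Yield (name, version) for every package in a package-lock.json.  Handles
    lockfileVersion 2/3 ('packages' keyed by node_modules path, nested copies
    included) and the older v1 'dependencies' tree."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "" or "version" not in meta:  # "" is the root project itself
                continue
            yield meta.get("name") or path.split("node_modules/")[-1], meta["version"]
        return

    def walk(deps: dict):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit(lock: dict, advisories=ADVISORIES) -> list[dict]:
    """Return every installed (name, version) that falls in an advisory range."""
    hits = []
    for name, version in installed_packages(lock):
        for adv in advisories:
            if adv["name"] != name:
                continue
            try:
                if in_range(version, adv["min"], adv["max"]):
                    hits.append({"name": name, "version": version, "note": adv["note"]})
            except ValueError:  # git/URL/tarball specs are not semver; surface them
                hits.append({"name": name, "version": version,
                             "note": "non-registry version, review manually"})
    return hits


_EXACT = re.compile(r"\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?")


def unpinned(package_json: dict) -> list[tuple[str, str]]:
    """Dependency specs that are ranges ('^1.2.3', '~1.2', '*', 'latest') rather than
    exact versions; pinning plus a committed lockfile keeps surprise releases out."""
    out = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(field, {}).items():
            if not _EXACT.fullmatch(spec):
                out.append((name, spec))
    return out


# Constructed sample lockfile (lockfileVersion 3): one affected copy of the package
# at top level and one nested, unaffected copy.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/@tiledesk/tiledesk-server": {"version": "2.18.9"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/foo": {"version": "0.1.0"},
    "node_modules/foo/node_modules/@tiledesk/tiledesk-server": {"version": "2.18.5"}
  }
}
""")


if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for hit in audit(lock):
        print(f"{hit['name']}@{hit['version']}: {hit['note']}")
```

Walking the lockfile rather than `package.json` matters because the compromised version may be pulled in transitively, several levels below anything the project names directly; the nested `node_modules/.../node_modules/...` entries are exactly where such copies hide.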
Bill Toulas / BleepingComputer: Threat actors published 600+ malicious versions to npm as part of the Shai-Hulud supply chain campaign; most of the affected packages are in the @antv ecosystem — Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign.