top of page
ALL POSTS
Miasma Worm Supply Chain Attack Compromises 73 Microsoft GitHub Repositories
Key Findings A self-replicating worm called Miasma compromised 73 Microsoft GitHub repositories across Azure infrastructure and core .NET, Go, Java, JavaScript, and Python frameworks GitHub staff disabled affected repositories after attackers injected malicious workflows that harvested OIDC tokens and developer credentials The attack exploited AI coding tools as an automatic execution mechanism, triggering malware when developers cloned infected repos and opened them in IDEs
Jun 93 min read
Critical Miasma Worm Campaign Targets Microsoft and Red Hat in Expanding Supply Chain Attack Wave
Key Findings Miasma worm infected 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations, forcing GitHub to disable access Attack represents re-compromise of previously infected "durabletask" PyPI package, suggesting threat actors maintained persistent access for over a month Miasma operates as self-replicating malware variant of Mini Shai-Hulud worm, exploiting the trust model of package registries rather than technical vulne
Jun 64 min read
Megalodon Supply Chain Attack Compromises 5,561 GitHub Repositories in Six-Hour Blitz
Key Findings 5,718 malicious commits pushed to 5,561 GitHub repositories within a six-hour window on May 18, 2026 Attackers used forged identities (build-bot, auto-ci, ci-bot, pipeline-bot) and throwaway GitHub accounts to hide their tracks Malicious GitHub Actions workflows embedded base64-encoded bash payloads designed to exfiltrate sensitive credentials and secrets Two attack variants identified: SysDiag (broad reach, triggers on every push/pull request) and Optimize-Build
May 222 min read
GitHub's 3,800 Internal Repositories Compromised Through Malicious VS Code Extension
Key Findings GitHub's internal repositories were compromised after an employee device was infected with a malicious Visual Studio Code extension Approximately 3,800 internal repositories were exfiltrated in the attack TeamPCP, a financially motivated hacking group, claimed responsibility and is selling the stolen data for around $95,000 GitHub confirmed it detected, contained and isolated the breach; no customer data outside internal repositories was affected Critical credent
May 202 min read
CVE-2026-3854: Critical GitHub Remote Code Execution Vulnerability Discovered
Key Findings Critical vulnerability CVE-2026-3854 allows remote code execution on GitHub through a single git push command Affects GitHub Enterprise Cloud, GitHub Enterprise Server, and related variants Command injection flaw exploitable by any user with repository push access Vulnerability chain enables attackers to bypass sandbox protections and execute arbitrary commands as the git service user Wiz researchers discovered the flaw on March 4, 2026; GitHub patched within two
Apr 282 min read
GitHub CVE-2026-3854: Critical RCE Vulnerability Triggered by Single Git Push
Key Findings Critical command injection vulnerability (CVE-2026-3854, CVSS 8.7) allows authenticated users to achieve remote code execution via a single git push command Affects GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server across multiple versions Flaw stems from unsanitized user-supplied git push options being embedded in internal service headers without proper delimiter handling Exploitation chain allows attackers to bypass sandbox protections, redirect
Apr 283 min read
TeamPCP Hijacks Bitwarden CLI, Exploits Dependabot to Distribute Shai-Hulud Malware
Key Findings TeamPCP compromised the widely-used @bitwarden/cli npm package on April 20, 2026, targeting developers who rely on Bitwarden for credential management The attack leveraged Dependabot, GitHub's trusted automation bot, to pull a trojanized Checkmarx KICS Docker image and execute malware with CI privileges Shai-Hulud malware uses GitHub itself as a fallback command and control server when primary infrastructure is blocked, making it unusually resilient The worm inje
Apr 252 min read
North Korean Cyber Espionage Campaign Exploits GitHub to Target South Korean Enterprises
Key Findings North Korean state-sponsored hackers are running a sophisticated spying campaign against South Korean companies dating back to 2024 Attackers use seemingly harmless LNK shortcut files that trigger hidden PowerShell scripts to steal system data from Windows machines GitHub repositories are being abused as command and control infrastructure to exfiltrate stolen information while bypassing corporate security systems The malware evades detection by checking for secur
Apr 43 min read
GlassWorm Attack Exploits Stolen GitHub Tokens to Infiltrate Python Repositories
Key Findings * GlassWorm malware campaign targeting Python repositories * Attackers use stolen GitHub tokens to force-push malicious code * Targets Python projects including Django apps, ML code, and PyPI packages * Earliest injections traced to March 8, 2026 * Uses a new offshoot called "ForceMemo" * Leverages malicious VS Code and Cursor extensions to steal credentials * Payload includes cryptocurrency theft and data exfiltration capabilities Background The GlassWorm attack
Mar 162 min read
AI Bot Hackerbot-Claw Hits GitHub Repos of Microsoft, DataDog, and CNCF
Key Points Hackerbot-Claw, a new AI-powered threat, executed a 37-hour campaign targeting major GitHub repositories, including those of Microsoft and DataDog. The attacks focused on exploiting CI/CD pipelines, allowing the AI agent to manipulate developer tools within minutes. The campaign resulted in the deletion of 97 software releases and 32,000 stars from Aqua Security's Trivy project. Hackerbot-Claw employed social engineering tactics to trick developer assistants like C
Mar 102 min read
Microsoft Patch Tuesday Updates for February 2026
Key Findings Microsoft released security updates to address 58 new vulnerabilities across Windows, Office, Azure, Edge, Exchange, Hyper-V, and other components. The update includes fixes for 6 zero-day vulnerabilities that are being actively exploited in the wild. 5 of the vulnerabilities were rated as "Critical" by Microsoft. Several vulnerabilities affect high-profile targets like GitHub Copilot, IDEs, and Azure cloud services. Background This month's Patch Tuesday from Mic
Feb 101 min read
North Korean Hackers Exploit Developers' Trust in Visual Studio Code
Key Findings North Korean threat actors associated with the "Contagious Interview" campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The attack involves instructing targets to clone a repository on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment. The malicious VS Code task configuration files are used to execute payloads, incl
Jan 212 min read
PyStoreRAT Malware Spreading Across GitHub
Key Findings A new campaign is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. The malicious repositories, often themed as development utilities or OSINT tools, contain code responsible for silently downloading and executing a remote HTA file. PyStoreRAT is a modular, multi-stage implant that can execute various payloads, including an information stealer known as Rhadamanthys.
Dec 12, 20252 min read
bottom of page
