CISO Brief

All news with #github tag

112 articles

npm adds 2FA gated publishing and install flags

🔒 GitHub has introduced staged publishing on npm, which requires a human maintainer to complete a two-factor authentication (2FA) challenge before a package version becomes publicly installable. The prebuilt tarball is uploaded to a staging queue and is only served from the registry after explicit approval. To use it, a maintainer needs publish access to an existing package and 2FA enabled on their account. GitHub also added three install-source flags that control whether packages may be installed from sources other than the registry.

GitHub Breach Linked to Malicious Nx Console Extension

🔒 GitHub said hackers accessed approximately 3,800 internal repositories after a developer installed a malicious version of the Nx Console Visual Studio Code extension that was poisoned during last week's TanStack npm supply-chain attack. The intrusion, linked to the actor known as TeamPCP, used stolen CI/CD credentials to move into multiple projects including UiPath, Guardrails AI and OpenSearch. GitHub secured the compromised device, rotated high-impact secrets and continues log analysis and monitoring to detect follow-on activity.

GitHub Internal Repositories Breached via VS Code Extension

🔒 GitHub confirmed an intrusion into internal repositories after an employee device was compromised by a poisoned version of the Nx Console VS Code extension published as nrwl.angular-console. The attacker, tracked as TeamPCP, exfiltrated approximately 3,800 repositories; GitHub says it rotated critical secrets and is monitoring for follow-on activity. The trojanized release was available for only 18 minutes but delivered a credential stealer targeting 1Password, Anthropic Claude Code, npm, GitHub and AWS.

GitHub Confirms Major Breach of 3,800 Internal Repos

⚠ GitHub confirmed attackers exfiltrated code from roughly 3,800 internal repositories after a compromised employee device and a poisoned VS Code extension were used to gain access. The company detected and contained the compromise on May 19, removed the malicious extension, isolated the endpoint, and began incident response. A threat actor calling itself TeamPCP posted lists of the stolen repositories, claimed responsibility, and threatened to leak the data if it was not sold. GitHub is rotating secrets and analyzing logs, and said it will publish a full incident report when its investigation concludes.

Grafana breach traced to missed GitHub token rotation

🔐 Grafana confirmed its recent data breach stemmed from a single missed GitHub workflow token that was exfiltrated when malicious TanStack npm packages executed in its CI/CD environment. The company detected the intrusion on May 1, rotated most tokens, and launched its incident response, but one token was overlooked and gave the attackers continued repository access. Grafana says source code was not altered and no customer production systems were impacted.

GitHub Confirms Breach After Malicious VS Code Extension

🔒 GitHub confirmed that a third party accessed roughly 3,800 internal repositories after a likely “poisoned” Visual Studio Code extension was found on an employee device on May 19. The intrusion was claimed by the TeamPCP group, which posted on the Breached forum and linked the access to private source code. GitHub says it has contained the incident, removed the malicious extension, isolated the endpoint and prioritized rotation of critical secrets. The company will publish a more detailed report when its investigation is complete.

GitHub Breach: ~3,800 Repos Stolen via VS Code Extension

🔒 GitHub confirmed that roughly 3,800 internal repositories were breached after an employee installed a trojanized VS Code extension; the company removed the malicious version from the Marketplace and isolated the compromised device. It says its current assessment indicates exfiltration was limited to GitHub-internal repositories and that it has found no evidence so far of customer data outside the affected repos being impacted. The incident is under active investigation while GitHub continues incident response.

Grafana Labs GitHub Breach Exposes Internal Repositories

🔒 Grafana Labs said an investigation into its May 11, 2026 incident found no evidence that customer production systems or Grafana Cloud operations were compromised. The company said the scope was limited to its GitHub environment, where both public and private source code and internal repositories containing business contact names and emails were accessed. Grafana attributed the breach to the TanStack npm supply chain attack by TeamPCP, rotated tokens, enhanced monitoring, and audited commits to secure its repositories.

GitHub Probes Alleged Internal Repositories Breach

🔒 GitHub is investigating unauthorized access to its internal repositories after the hacker group TeamPCP posted on the Breached forum claiming possession of approximately 4,000 private code repositories and seeking at least $50,000. GitHub said it currently has no evidence that customer data stored outside its internal repositories was affected and is monitoring its infrastructure for follow-on activity. The company will notify any affected customers through established incident channels. TeamPCP has been linked to previous supply-chain compromises, raising broader concerns about downstream impact.

GitHub Investigates Internal Repo Breach and Sale Claims

🔒 GitHub is investigating unauthorized access to internal repositories after the threat actor TeamPCP listed what it claims is the platform's source code and internal organization data for sale. The company says it has no current evidence of customer impact outside internal repositories and has rotated critical secrets while monitoring for follow-on activity. GitHub reported that the compromise involved a poisoned Visual Studio Code extension and that its findings are directionally consistent with the attacker's claim of roughly 3,800 repositories.

Contractor Exposed CISA and GovCloud Credentials Publicly

🔒 A public GitHub repository tied to a suspected CISA contractor exposed plain-text credentials, including AWS tokens, GitHub access tokens, Kubernetes files, workflows and internal documents, discovered on May 14 by GitGuardian. The repo, active since November 13, 2025, contained roughly 844 MB of data and was taken offline within a day of disclosure. CISA is investigating and reports no current indication that sensitive systems or data were compromised. Experts recommend centralized secret management, automated secret scanning, strict vendor controls and MFA to prevent similar exposures.

npm supply-chain attack compromises AntV packages

🔒 The npm registry suffered a fast-moving supply-chain compromise on May 19 after attackers gained access to a high-privilege maintainer account (atool), pushing 637 malicious versions across 317 packages and infecting a large portion of the AntV namespace. The payload, a Mini Shai-Hulud worm, steals npm and GitHub tokens and other credentials and exfiltrates the data to public GitHub repositories. AntV maintainers deleted the infected versions, deprecated the remaining affected packages, and advised users to audit their installs, rotate credentials, and install known-safe releases.

GitHub reduces low-impact bounties as AI submissions surge

🔒 GitHub is shifting low-impact bug bounty payouts from cash to swag and asking researchers to stop submitting low-quality or out-of-scope reports. The company says a sharp rise in submissions—exacerbated by generative AI tools—has produced many reports that don’t show meaningful security impact. GitHub welcomes AI-assisted research but requires human validation of AI-generated findings and will exclude certain report types from rewards. The change aims to speed triage and prioritize substantive vulnerabilities.

Grafana Labs Confirms Codebase Stolen, Ransom Demanded

🔒 Grafana Labs disclosed that an unauthorized party obtained a token granting access to its GitHub environment and downloaded portions of its source code. The company says its investigation found no customer data or personal information was accessed and no customer systems were impacted. It invalidated the compromised credentials, initiated forensic analysis, and implemented additional security controls. Grafana received an extortion demand but has declined to pay.

Compromised Nx Console Extension Delivers Credential Stealer

🛡️ A compromised version of the Nx Console extension (nrwl.angular-console v18.95.0) published to the Microsoft VS Code Marketplace delivered a multi-stage credential stealer and supply-chain poisoning payload to developers' machines. The obfuscated 498 KB payload, pulled from an orphaned commit in the official nrwl/nx GitHub repo, installs the Bun runtime and a Python backdoor on macOS while exfiltrating secrets via HTTPS, the GitHub API and DNS tunneling. The maintainers traced the incident to a developer whose GitHub credentials were exposed, revoked that access, and advised users to update to v18.100.0 or later and rotate any exposed tokens and keys.

Grafana: Stolen GitHub Token Led to Source Code Theft

📌 Grafana Labs says attackers used a stolen GitHub access token to access and download parts of its internal source code repository. The intrusion was claimed by the extortion group CoinbaseCartel, which added Grafana to its data leak site, though no customer data has been published. Grafana reports forensic analysis found no evidence of exposed customer or personal data and that customer systems were unaffected. The company invalidated the compromised credentials, refused the extortion demand, and will publish a detailed post-incident report after completing its investigation.

Grafana GitHub Token Breach Exposes Codebase Access

🔒 Grafana disclosed that an unauthorized party obtained a token that allowed access to its GitHub environment and the download of parts of its codebase. The company says no customer data or personal information were accessed and that it launched a forensic investigation, invalidated the compromised credentials, and implemented additional security controls. The attacker attempted to extort Grafana, demanding payment to avoid publishing stolen material, but the company declined to pay following FBI guidance. Reports link the claim to CoinbaseCartel, a recent data‑extortion group.

TanStack npm Compromise in Mini Shai‑Hulud Supply Attack

⚠️ Socket reports that a wave of the Mini Shai‑Hulud campaign modified 84 npm artifacts in the @tanstack namespace on 11 May 2026, inserting a heavily obfuscated credential‑stealing payload. The attackers abused GitHub Actions, combining the pull_request_target pattern (a workflow that runs with the base repository's secrets yet executes code from an untrusted pull request), cache poisoning and extraction of the runtime OIDC token, to hijack the release pipelines. Affected packages included high‑download modules such as @tanstack/react-router, and the GitHub Advisory Database rated the incident critical.
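The pull_request_target pattern named above is a long-standing GitHub Actions pitfall: the event runs in the context of the base repository, so repository secrets and a write-capable GITHUB_TOKEN are in scope, and a workflow that also checks out and executes the pull request's head commit hands them to anyone who can open a PR. The three workflow documents below are an added illustration, not TanStack's workflows and not taken from the Socket report; the workflow names, job names, secret name and npm commands are assumed placeholders. The first document shows the dangerous shape, the second and third the split that keeps untrusted code away from credentials.

```yaml
# Added example, not the project's own workflow. Names and commands are placeholders.
#
# Document 1 (DANGEROUS): pull_request_target runs with the BASE repo's secrets and a
# write-capable token, yet the checkout step pulls in the PR author's commit and the
# test step executes it. A fork PR that edits package.json (a "test" script, a
# postinstall hook, a malicious devDependency) runs with NPM_TOKEN in its environment.
name: ci-unsafe
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled code
      - run: npm ci && npm test                            # ...executed here
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}               # ...with this in scope
---
# Document 2 (SAFER): untrusted code runs under plain pull_request, where PRs from
# forks receive a read-only token and no repository secrets. Nothing privileged lives
# in this workflow, so there is nothing for the PR's code to steal.
name: ci
on:
  pull_request:
permissions:
  contents: read                   # least privilege; this workflow cannot write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # don't leave the token behind in .git/config
      - run: npm ci && npm test
---
# Document 3 (SAFER): publishing is its own workflow that fires only on tag pushes,
# never on pull request events, and checks out the pushed ref rather than anything
# derived from a PR. The OIDC token (id-token: write) exists only in this job.
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write                  # OIDC only here, only on trusted refs
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci --ignore-scripts     # no dependency lifecycle scripts in the privileged job
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Two caveats a reviewer would add. First, the actions are referenced by version tag here for readability; in a real pipeline pin them to a full commit SHA so a moved tag cannot swap in different code. Second, on the cache-poisoning angle: a pull_request_target run is scoped to the base branch, so any cache it writes is visible to later runs on that branch and to tag builds; the privileged release job should therefore not restore caches that a run executing untrusted code could have written.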

EtherRAT Campaign Spoofs Admin Tools via GitHub SEO

🛡️ Atos Threat Research Center disclosed in March 2026 a resilient campaign delivering a JavaScript RAT named EtherRAT via SEO-poisoned GitHub facades. The adversary sets up benign-looking README storefronts that link to hidden repositories hosting malicious MSI installers impersonating administrative tools commonly used by admins, DevOps engineers and security analysts. The payloads download Node.js at runtime and query an Ethereum smart contract through public RPC endpoints to resolve live C2 addresses, which lets the operator rotate servers quickly and evade classic takedown techniques. Atos provides IoCs, technical analysis and mitigation advice, including blocking public ETH RPC access and enforcing verified tool provenance.

GitHub fixes RCE that exposed millions of private repos

🛡️ GitHub patched a critical remote code execution bug, CVE-2026-3854, reported by Wiz on March 4, 2026, that could have allowed attackers to access millions of private repositories. The company reproduced the issue within 40 minutes and deployed a fix to GitHub.com in under two hours. The flaw affected GitHub.com and multiple Enterprise offerings and could be triggered by a single crafted git push that injects unsafe metadata fields. GitHub's forensic review found no evidence of exploitation prior to the researcher's disclosure; patches for GitHub Enterprise Server releases are available now, and administrators are urged to upgrade immediately.