< ciso
brief />
Tag Banner

All news with #supply chain compromise tag

576 articles · page 4 of 29

Megalodon campaign backdoors GitHub Actions at scale

🔒 Researchers at SafeDep uncovered the Megalodon campaign that pushed 5,718 malicious commits into 5,561 public GitHub repositories during a six-hour window on May 18. The attackers modified GitHub Actions workflows to embed base64-encoded bash payloads designed to exfiltrate CI-exposed secrets such as cloud credentials, SSH keys, and OIDC tokens. The campaign used compromised Personal Access Tokens or deploy keys and forged author identities like build-bot to directly commit changes without PRs, and delivered two payload variants that either ran on every push or via workflow_dispatch triggers.
read more →

TrapDoor campaign raises developer workstation risk

🛡️ Researchers uncovered the TrapDoor campaign, a cross-registry malicious package operation affecting npm, PyPI, and Crates.io that targets developer workflows and AI coding assistant files. The packages exfiltrated secrets such as AWS credentials, GitHub tokens, SSH keys, browser data, and local dev configs by abusing normal execution points like postinstall scripts, import-time execution, and Rust build scripts. Analysts warn this workflow-focused approach enables persistence and lateral movement into CI/CD and cloud infrastructure, recommending stronger install-time scanning, least-privilege credentials, endpoint hardening, and AI tooling governance.
read more →

Weekly Cyber Recap: Supply Chain and Active Flaws

⚡ This week's recap covers supply-chain compromises, resurfacing legacy bugs, and security tools themselves being targeted. Key incidents include a poisoned Nx Console VS Code extension leading to a GitHub breach, new active exploitation of Microsoft Defender flaws, and a nine-year-old Linux kernel privilege bug. Teams face increasing targeted phishing and widespread botnet scanning, while organizations scramble to patch critical CVEs and secure exposed services.
read more →

GitHub Breach Linked to Malicious Nx Console Extension

🔒 GitHub said hackers accessed approximately 3,800 internal repositories after a developer installed a malicious version of the Nx Console Visual Studio Code extension that was poisoned during last week's TanStack npm supply-chain attack. The intrusion, linked to the actor known as TeamPCP, used stolen CI/CD credentials to move into multiple projects including UiPath, Guardrails AI and OpenSearch. GitHub secured the compromised device, rotated high-impact secrets and continues log analysis and monitoring to detect follow-on activity.
read more →

GitHub Internal Repositories Breached via VS Code Extension

🔒 GitHub confirmed an intrusion into internal repositories after an employee device was compromised by a poisoned version of the Nx Console VS Code extension published as nrwl.angular-console. The attacker, tracked as TeamPCP, exfiltrated approximately 3,800 repositories; GitHub says it rotated critical secrets and is monitoring for follow-on activity. The trojanized release was available for only 18 minutes but delivered a credential stealer targeting 1Password, Anthropic Claude Code, npm, GitHub and AWS.
read more →

Mini Shai Hulud: antv npm Packages Compromised in CI/CD

🔒 Microsoft disclosed an active supply-chain attack that compromised an @antv npm maintainer account and published malicious versions of charting libraries, including echarts-for-react. The obfuscated ~499 KB JavaScript payload executes during npm install and targets GitHub Actions runners to harvest secrets from GitHub, AWS, HashiCorp Vault, npm, Kubernetes and 1Password by scraping process memory and enumerating secret stores. The campaign leverages privilege escalation, dual-channel exfiltration, and SLSA provenance forgery to evade detection; GitHub removed malicious packages and invalidated exposed tokens.
read more →

Securing a Culture of Cultures: Microsoft Gaming Risks

🎮 In this Deputy CISO post, Aaron Zollman, Vice President and Deputy CISO for Gaming at Microsoft, outlines the distinct security demands of a global, diverse gaming ecosystem. He describes gaming as a “culture of cultures,” spanning platforms, independent studios, and shared studio central teams, each carrying unique risks from account takeover and IP theft to supply chain and regulatory challenges. Zollman stresses partnership over prescription—balancing enterprise-grade controls with low-latency player experiences and studio autonomy. The piece calls for layered defenses, identity governance, anomaly detection, and tailored baselines to protect billions of interactions while enabling creativity.
read more →

GitHub Confirms Major Breach of 3,800 Internal Repos

⚠ GitHub confirmed attackers exfiltrated code from roughly 3,800 internal repositories after a compromised employee device and a poisoned VS Code extension were used to gain access. The company detected and contained the compromise on May 19, removed the malicious extension, isolated the endpoint, and began incident response. A threat actor calling itself TeamPCP posted lists of stolen repos and claimed responsibility, threatening to leak the data if not sold. GitHub is rotating secrets, analyzing logs, and said it will publish a full incident report when investigations conclude.
read more →

Mini Shai-Hulud Hits Hundreds of AntV npm Packages

🚨 The Mini Shai-Hulud worm resurfaced in a coordinated supply-chain wave that published 639 malicious versions across 323 npm packages tied to the AntV visualization ecosystem on 19 May, lasting roughly an hour. Analysis by Socket and updates from Microsoft show the payload added preinstall hooks executing an obfuscated Bun bundle to harvest cloud and CI secrets. Many affected packages are high-download dependencies and the compromised maintainer account held rights to over 500 packages. Responders should pin pre-19 May versions, rotate exposed credentials and audit GitHub for forged repository activity.
read more →

Why Security Fixes Often Miss Vulnerability Dashboards

🔍 On April 22 a trojanized Bitwarden CLI briefly appeared on npm, harvesting developer tokens via a compromised GitHub Action tied to the Checkmarx supply‑chain incident. Bitwarden later issued CVE‑2026‑42994, but the author notes the CVE was retroactive and did not imply a patchable defect. The piece argues CVE’s artifact‑centric model struggles with agentic and model‑mediated threats that mutate behaviorally and often evade dashboards.
read more →

GitHub Breach: ~3,800 Repos Stolen via VS Code Extension

🔒 GitHub confirmed that roughly 3,800 internal repositories were breached after an employee installed a trojanized VS Code extension; the company removed the malicious version from the Marketplace and isolated the compromised device. It says its current assessment indicates exfiltration was limited to GitHub-internal repositories and that it has found no evidence so far of customer data outside the affected repos being impacted. The incident is under active investigation while GitHub continues incident response.
read more →

Grafana Labs GitHub Breach Exposes Internal Repositories

🔒 Grafana Labs said an investigation into its May 11, 2026 incident found no evidence that customer production systems or Grafana Cloud operations were compromised. The company said the scope was limited to its GitHub environment, where both public and private source code and internal repositories containing business contact names and emails were accessed. Grafana attributed the breach to the TanStack npm supply chain attack by TeamPCP, rotated tokens, enhanced monitoring, and audited commits to secure its repositories.
read more →

GitHub Probes Alleged Internal Repositories Breach

🔒 GitHub is investigating unauthorized access to its internal repositories after the hacker group TeamPCP posted on the Breached forum claiming possession of approximately 4,000 private code repositories and seeking at least $50,000. GitHub said it currently has no evidence that customer data stored outside its internal repositories was affected and is monitoring infrastructure for follow-on activity. The company will notify any affected customers through established incident channels. TeamPCP has been linked to previous supply-chain compromises, raising broader concerns.
read more →

GitHub Investigates Internal Repo Breach and Sale Claims

🔒 GitHub is investigating unauthorized access to internal repositories after threat actor TeamPCP listed what it claims is the platform's source code and internal org data for sale. The company says it has no current evidence of customer impact outside internal repositories and has rotated critical secrets while monitoring for follow-on activity. GitHub reported the compromise involved a poisoned Visual Studio Code extension and directional consistency with the attacker's claim of ~3,800 repositories.
read more →

Microsoft Disrupts Malware Code-Signing Service Ring

🔒 Microsoft has disrupted the infrastructure behind a major malware code-signing service, seizing the group's site signspace[.]cloud and revoking more than 1,000 abused certificates. The company removed hundreds of attacker-controlled Azure virtual machines and linked the operation to a group it calls Fox Tempest. The service sold malware signing-as-a-service to ransomware affiliates, letting signed malicious installers evade Windows warnings and deploy backdoors, infostealers, and ransomware.
read more →

npm supply-chain attack compromises AntV packages

🔒 The npm registry suffered a fast-moving supply-chain compromise on May 19 after attackers gained access to a high-privilege maintainer account (atool), pushing 637 malicious versions across 317 packages and infecting a large portion of the AntV namespace. The payload, a Mini-Shai-Hulud worm, steals npm/GitHub tokens and credentials and exfiltrates data to public GitHub repositories. AntV maintainers deleted infected versions, deprecated remaining packages, and advised users to audit, rotate credentials, and install known-safe releases.
read more →

Microsoft Disrupts Fox Tempest Malware Signing Network

🔒 Microsoft exposed and disrupted Fox Tempest, a criminal service selling malware-signing-as-a-service that helped disguise malware like Oyster, Lumma Stealer and Vidar as legitimate software. The Digital Crimes Unit used undercover personas to map the group's infrastructure and worked with hosting providers to sinkhole domains, disable virtual machines and suspend accounts. Microsoft filed a civil action in early May and unsealed a New York case on May 19.
read more →

Shai-Hulud Campaign Infects 600+ npm Packages in AntV

⚠️ The Shai-Hulud campaign rapidly published more than 600 malicious npm package versions across 323 unique packages, primarily targeting the @antv ecosystem but also compromising other widely used libraries. The injected, obfuscated payloads harvest developer and CI/CD secrets and exfiltrate data via the Session P2P network, with GitHub used as a fallback repository to publish stolen artifacts. Researchers from Socket and Endor Labs report the attack includes self-propagation, token reuse, and abuse of CI OIDC tokens, allowing malicious packages to appear legitimately signed. Developers should uninstall affected packages and rotate any exposed credentials immediately.
read more →

Grafana Labs Confirms Codebase Stolen, Ransom Demanded

🔒 Grafana Labs disclosed that an unauthorized party obtained a token granting access to its GitHub environment and downloaded portions of its source code. The company says its investigation found no customer data or personal information were accessed and no customer systems were impacted. It invalidated the compromised credentials, initiated forensic analysis, and implemented additional security controls. Reported extortion demands were received but Grafana has declined to pay.
read more →

Compromised Nx Console Extension Delivers Credential Stealer

🛡️ A compromised version of the Nx Console extension (rwl.angular-console v18.95.0) published to the Microsoft VS Code Marketplace delivered a multi-stage credential stealer and supply-chain poisoning payload to developers' machines. The obfuscated 498 KB payload, pulled from an orphaned commit in the official nrwl/nx GitHub repo, installs the Bun runtime and a Python backdoor on macOS while exfiltrating secrets via HTTPS, GitHub API and DNS tunneling. The maintainers traced the incident to a developer whose GitHub credentials were exposed, revoked access, and advised users to update to v18.100.0 or later and rotate exposed tokens and keys.
read more →