git

GitHub Confirms Breach, 4K Internal Repos Stolen

GitHub confirmed a breach involving the theft of approximately 4,000 internal repositories by the threat actor TeamPCP, who claimed responsibility and offered the stolen data for sale. The breach occurred through a compromised Visual Studio Code extension on an employee's device, and GitHub responded by removing the malicious extension, isolating the endpoint, rotating critical secrets, and continuing incident response investigations.

https://www.darkreading.com/application-security/github-confirms-breach-4k-internal-repos-stolen

Wiz Hands GitHub AI-aided Bug Report That Isn’t Total Slop

Wiz researchers discovered a high-severity vulnerability (CVE-2026-3854) in GitHub's git infrastructure that allowed remote attackers full read/write access to private repositories using a single command. By leveraging AI-augmented tools for automated reverse engineering, they rapidly identified the flaw, leading to GitHub issuing fixes within six hours and awarding Wiz one of the largest payouts in its bug bounty history.

https://www.theregister.com/2026/04/29/github_woah_a_genuinely_helpful/

Sha1-Hulud 2.0 Supply Chain Attack: 25K+ Npm Repos Exposed

Extreme TLDR:
New Shai-Hulud 2.0 attack targets npm packages, affecting 25K+ repos and stealing secrets, with ~700 compromised packages identified. Immediate investigation and remediation recommended for npm environments. Attackers exploit lifecycle scripts for credential theft, leading to widespread credential exfiltration and propagation. Security teams advised to replace compromised packages, rotate credentials, and audit CI/CD environments.

https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

Scroll to Top