Latest Posts

An attacker hijacked a co-founder's GitHub account for gpt-pilot, a 33K-star AI coding tool, and force-pushed a credential-stealing Shai-Hulud payload to the main branch. The ruff Python linter caught formatting and lint violations in the malicious code and blocked the CI build -- twice. The attacker gave up.

On June 5, 2026, the Miasma worm campaign reached Microsoft's Azure GitHub organizations. GitHub disabled 73 repositories across four Microsoft GitHub organizations after a malicious commit was pushed to the Azure/durabletask repository using a previously compromised contributor account. The attack planted configuration files that execute a credential-harvesting payload when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code.

self-replicating worm is spreading across the npm registry using binding.gyp, a file that triggers code execution during npm install without touching package.json scripts. The attack bypasses conventional security tools and has already compromised dozens of packages across multiple maintainer accounts.

Several packages in the @redhat-cloud-services npm scope were found to carry malicious payloads that fire via a preinstall hook on every npm install. The affected versions span multiple packages across the RedHat Cloud Services frontend ecosystem. The payload is a sophisticated multi-stage credential harvester that targets GitHub Actions secrets, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm tokens, and CircleCI tokens

On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote every git tag across multiple popular Composer packages within a single 15 minute window. Anyone running composer update or installing fresh against laravel-lang/http-statuses, laravel-lang/actions, or laravel-lang/attributes now pulls a payload that exfiltrates CI secrets to a typosquatted attacker domain. StepSecurity confirmed end to end exploitation in an isolated runner and has filed security issues in all four repositories.

A forged commit. A workflow file disguised as a routine CI optimization. Within 6 hours, 5,561 GitHub repositories were backdoored. Cloud credentials harvested. SSH keys stolen. OIDC tokens minted and exfiltrated before any runner finished. The attacker never touched your application code, only your pipeline. Most repositories had no idea it happened.

A poisoned VS Code extension breached GitHub. A trojanized PyPI package hit Microsoft. Compromised GitHub Actions and a self-spreading npm worm targeted thousands more. In just 48 hours, attackers hit every layer of the software development pipeline. Traditional security tools did not stop any of it.