Last updated: July 5, 2026 at 9:01 AM UTC
Tag: github (16 articles)

Clean GitHub repos trick AI coding agents into fetching and running malware

Researchers at Mozilla's 0DIN found that an AI coding agent told to clone and set up a seemingly harmless GitHub repository can be tricked into running malware that stays invisible to security scanners, the agent itself, and human reviewers. The trick is that nothing malicious sits in the repository's files. Instead, a routine-looking setup command runs a script that fetches a value hidden in a DNS TXT record and executes it as a shell command, pulling down and running an attacker's payload like a reverse shell. Because the payload lives outside the repo and arrives over DNS at setup time, code review and static scanning see nothing wrong.

Check
Review how your AI coding agents and developers set up unfamiliar repositories, and check whether setup or build commands can make outbound network or DNS requests that fetch and execute external content.
Affected
Developers and teams that let AI coding agents automatically run setup steps for untrusted repositories; the malicious payload is fetched at setup time over DNS, so scanning the repository alone misses it.
Fix
Run repository setup for untrusted code in sandboxes without credentials, restrict outbound network and DNS during setup, and treat agent setup and build commands as untrusted code execution rather than safe automation.

Miasma worm hits 73 Microsoft GitHub repos, targets AI coding tools

The self-spreading Miasma worm, a variant of the Shai-Hulud malware linked to the group TeamPCP, has reached Microsoft's own code. Using a stolen access token, attackers pushed a malicious commit into the Azure durabletask repository, and GitHub disabled 73 repositories across four Microsoft organizations including Azure and MicrosoftDocs. The twist: the planted code runs automatically when a developer opens the project in an AI coding assistant like Claude Code, Cursor, Gemini CLI, or VS Code, then harvests cloud and developer credentials and uses them to infect more projects. It hides the trigger inside a build file (binding.gyp) that most security tools ignore.

Check
Search your GitHub orgs for commits, public repos, or build files matching Miasma naming patterns, and review AI coding agent configs (binding.gyp, agent rules) for unexpected auto-run payloads.
Affected
Organizations using npm, PyPI, or GitHub alongside AI coding assistants (Claude Code, Cursor, Gemini CLI, VS Code). Stolen maintainer tokens enable backdoored package and repo publishing.
Fix
Rotate GitHub, npm, and cloud credentials exposed to affected projects. Remove malicious commits and configs, enforce 2FA and short-lived tokens, and block install-time scripts in CI.

VS Code zero-day lets one click steal full-scope GitHub OAuth token via github.dev webview - PoC public, no patch yet

Security researcher Ammar Askar has released exploit code for an unpatched VS Code zero-day that lets attackers steal GitHub OAuth tokens with a single click. The flaw abuses VS Code's sandboxed webview message-passing system: malicious JavaScript in a webview simulates keypresses in the main editor to install a malicious extension that captures the GitHub OAuth token github.com POSTs to github.dev. The token is not scoped to a single repo - it grants full access to every private repository the victim can reach. No CVE has been assigned and there is no patch. Users can mitigate by clearing github.dev cookies and on-device site data, which restores the sign-in prompt.

Check
Inventory developer machines using VS Code and github.dev. Warn developers not to click untrusted links that open github.dev. Audit installed VS Code extensions for unfamiliar additions.
Affected
VS Code users who authenticate to github.dev. The leaked GitHub OAuth token is unscoped, granting full access to every private repository the victim can reach. No patch or CVE yet.
Fix
Until patched: clear github.dev cookies and on-device site data so the sign-in prompt reappears. Treat unsolicited github.dev links as hostile. Rotate GitHub tokens if exposure is suspected.

Microsoft denounces uncoordinated zero-day disclosures after Chaotic Eclipse (Nightmare Eclipse) drops 6 CVEs - GitHub and GitLab accounts removed

Microsoft has come out strongly against uncoordinated zero-day disclosures after researcher Chaotic Eclipse (also Nightmare-Eclipse) dropped technical details of six Windows zero-days over the past month, citing a breakdown in Microsoft's disclosure process. The CVEs include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma; BlueHammer, RedSun, and UnDefend are now under active exploitation. GitHub removed the researcher's account; a GitLab re-upload account was also blocked. Microsoft is urging coordinated vulnerability disclosure but the researcher publicly disputes Microsoft's responsiveness, citing months of waiting for fixes. The incident highlights ongoing friction between solo researchers and large vendor PSIRTs.

Check
Apply the Microsoft patches for BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and YellowKey (CVE-2026-45585) immediately. Monitor for further leaked PoC code.
Affected
Windows endpoints unpatched against the six Nightmare Eclipse zero-days. Three (BlueHammer, RedSun, UnDefend) are confirmed under active exploitation. GreenPlasma and MiniPlasma also have public details.
Fix
Patch all six CVEs via current Windows updates. Block known exploit-PoC mirrors at egress. Watch GitHub/GitLab for re-uploaded code and add the corresponding hashes to detection rules.

Malicious npm package 'mouse5212-super-formatter' steals files from Claude AI /mnt/user-data directory, exfiltrates to attacker GitHub via postinstall

OX Security has flagged a malicious npm package, mouse5212-super-formatter (campaign codenamed Malware-Slop), designed to exfiltrate files from /mnt/user-data - the directory Anthropic's Claude uses to handle uploads and outputs. The package presents itself as an 'archive deployment sync' utility but, during the postinstall stage, authenticates to GitHub using a token found in the victim's environment (or a hard-coded fallback), creates an attacker-controlled repository, and recursively uploads every local file. It writes a fake 'network connections' log to disguise the theft. The package leaked its own GitHub token, suggesting AI-generated malware with poor OPSEC. It has ~676 downloads and remains live on npm.

Check
Search npm install logs and CI/CD for mouse5212-super-formatter. On any host that ran it, audit /mnt/user-data access and outbound GitHub API calls. Rotate exposed GitHub tokens.
Affected
Developers and AI-tooling users who installed mouse5212-super-formatter (676 downloads, still live). Systems with Claude's /mnt/user-data directory and a GitHub token in the environment are the target.
Fix
Remove the package and pin dependencies via lockfile. Rotate every GitHub token reachable from affected hosts. Treat uploaded/output files in /mnt/user-data as potentially exfiltrated.

GitHub ships npm 11.15.0 with 2FA-gated staging, OIDC trusted publishing, and per-source install flags in response to TeamPCP wave

GitHub has shipped npm CLI 11.15.0 introducing a 'staging' workflow that lets maintainers run 'npm stage publish' to push a candidate to a staging area before going live - with the constraint that the package must already exist on the registry and have 2FA enabled on the account. Three new install flags (--allow-file, --allow-remote, --allow-directory) extend the existing --allow-git to give developers an explicit allowlist for every non-registry install source. GitHub is also encouraging maintainers to pair staging with trusted publishing via OIDC. The changes respond to the TeamPCP supply-chain wave that compromised hundreds of packages over the past several weeks.

Check
Inventory developer machines using npm CLI. Upgrade to 11.15.0+ to access the staging workflow. Identify high-impact packages your team publishes and require 2FA on those maintainer accounts.
Affected
Any npm publisher whose tokens or maintainer accounts could be hijacked. The TeamPCP wave hit 600+ packages in one hour on May 19 by abusing maintainer accounts.
Fix
Adopt 'npm stage publish' for production packages. Enable 2FA on all maintainer accounts. Configure trusted publishing via OIDC where supported. Apply --allow-file / --allow-remote / --allow-directory selectively in CI.

Lawmakers demand answers from CISA over GitHub credential leak; agency still hasn't rotated all exposed keys a week later

A week after CISA was first notified of credentials leaking from its Private-CISA GitHub repository, the agency is still working to invalidate and replace many of the exposed keys, according to TruffleHog creator Dylan Ayrey. On May 19, Senator Maggie Hassan and Representatives Bennie Thompson and Delia Ramirez sent letters demanding answers, noting CISA has lost a third of its workforce and almost all senior leaders to forced retirements and buyouts. An RSA private key giving full read access to every CISA-IT GitHub repository was still active when Ayrey re-tested on May 20; CISA rotated it after KrebsOnSecurity's notification, but other critical credentials reportedly remain unrotated.

Check
If you are a federal civilian agency, check whether CISA has reissued any credentials, tokens, or runner registrations that integrate with your environment. Treat shared secrets as still potentially exposed.
Affected
Any organization that integrates with CISA's GitHub estate, GitHub Apps owned by the CISA enterprise account, or CISA-IT internal CI/CD pipelines. Federal civilian agencies are primary.
Fix
Rotate any tokens or webhooks shared with CISA-IT systems pending the agency's full remediation. Use TruffleHog or GitGuardian to scan your own GitHub estate for the same class of leak.

GitHub confirms 3,800 internal repos stolen after employee installed malicious Nx Console VS Code extension (TeamPCP)

GitHub has confirmed that roughly 3,800 internal repositories were exfiltrated after one of its employees installed a malicious version of the Nx Console VS Code extension. The malicious extension has been pulled and the affected device has been isolated. GitHub's current assessment is that the activity was limited to internal repos and that no customer data stored outside them was touched. The numbers line up with the claim TeamPCP posted on Breached, where they offered the code for at least $50,000. The breach connects this week's Nx Console compromise to the broader TeamPCP campaign that also hit OpenAI and Grafana.

Check
Identify VS Code endpoints with the Nx Console extension. Confirm version is 18.100.0 or newer. Check for cat.py and kitty-monitor IoCs and outbound traffic to attacker C2 published by Nx.
Affected
Any developer machine that installed Nx Console 18.95.0 during the 11-minute window on May 18 (12:36-12:47 UTC). GitHub.com itself confirms 3,800 internal repos exfiltrated from one employee device.
Fix
Update to Nx Console 18.100.0. Audit access from GitHub-employee or contractor devices; rotate every credential, token, and SSH key reachable from machines that ran the trojanized version.

TeamPCP claims ~4,000 GitHub internal repos stolen and for sale on Breached forum, GitHub confirms investigation

GitHub said it is investigating after the cybercrime group TeamPCP listed 'GitHub's source code and internal orgs' for sale on the Breached forum, claiming access to about 4,000 internal repositories and asking at least $50,000. GitHub told BleepingComputer it has 'no evidence of impact to customer information stored outside of GitHub's internal repositories' and that customers will be alerted if that changes. TeamPCP is the same group behind the TanStack supply-chain attack that hit OpenAI and Grafana, the Aqua Trivy compromise, the LiteLLM infection, and the Mistral AI source-code theft. GitHub hosts code for 4 million organizations and 180 million developers.

Check
Audit GitHub Actions workflows for refs pulled via pull_request_target from forks. Inventory developer machines that synced internal-org repos in the last 30 days for unusual outbound git pushes.
Affected
GitHub.com users specifically: TeamPCP's claim is limited to GitHub's own internal repos so far. Downstream impact is possible if private code referencing customer secrets is leaked.
Fix
Wait for GitHub's official notification. Rotate any tokens or PATs that lived in repositories you suspect could be referenced by GitHub internal code, and assume secret-scanning rules might be reverse-engineered.

CISA contractor leaked AWS GovCloud admin keys and dozens of plaintext passwords on public GitHub

A contractor with administrative access at CISA, the US agency that tells everyone else how to do cybersecurity, ran a public GitHub repository called Private-CISA that exposed administrative AWS GovCloud keys, plaintext passwords in CSVs for internal CISA systems, and credentials to the agency's internal artifactory. The owner had even disabled GitHub's default secret-scanning protections. Researcher Philippe Caturegli of Seralys validated that the AWS keys still worked against three high-privilege GovCloud accounts and could have given an attacker a launchpad to deploy backdoors into CISA's internal build pipelines. CISA says it is investigating and has seen no evidence of compromise.

Check
Search your GitHub org for repos named after internal projects, scan public-fork history with TruffleHog or GitGuardian, and verify GitHub push-protection is enabled at the org level.
Affected
Any organization where individual administrators can publish secrets to public GitHub repositories and override the default push-protection settings. CISA itself was the named victim.
Fix
Enforce GitHub Advanced Security push-protection and secret scanning at the org level. Rotate any AWS keys whose hashes appear in public commits. Treat developer GitHub accounts as Tier-0 identities.