Last updated: May 13, 2026 at 5:42 AM UTC
Tag: github (5 articles)

Identity governance vendor SailPoint discloses GitHub repository breach - third-party app flaw to blame

SailPoint, the identity governance vendor used by many large enterprises, disclosed in an SEC 8-K filing that attackers gained unauthorized access to a subset of its GitHub repositories on April 20, 2026. Its incident response team contained the intrusion the same day. SailPoint says no customer data in production or staging environments was accessed and its services were not interrupted. The root cause was a vulnerability in a third-party application, which has since been remediated. SailPoint notified affected customers directly and says no further customer action is needed. It has not disclosed what the impacted repositories contained, which leaves open whether source code, credentials or configuration were exposed.

Check
If you use SailPoint (IdentityNow, IdentityIQ, or related products), check whether you received a direct notification dated after April 20, 2026, and review the scope details in your account portal.
Affected
SailPoint customers who received a direct breach notification dated on or after April 20, 2026. The company has not publicly disclosed which products, repositories, or customer subsets were specifically named in the notifications. No customer data in production or staging environments was accessed per SailPoint's SEC filing.
Fix
Follow the guidance in your SailPoint notification. As a precaution, rotate API tokens and service-account credentials issued for SailPoint integrations in the past 12 months, and review SailPoint integration audit logs for unexpected activity from April 2026 onward. Ask SailPoint which third-party application was at fault; your organization may use it elsewhere.

New Linux malware called 'Quasar Linux' targets developer laptops to steal credentials for npm, GitHub, AWS, and Docker - barely detected by antivirus

Trend Micro disclosed Quasar Linux (QLNX), a previously undocumented Linux remote access trojan built for developer workstations and DevOps environments. The malware harvests credentials for npm, PyPI, GitHub, AWS, Docker, and Kubernetes, then uses them to publish trojanized packages to public registries. The RAT itself runs fileless in memory; on the host it compiles its rootkit and PAM backdoor with gcc and registers them in /etc/ld.so.preload for system-wide interception, which is the on-disk footprint the checks below look for. Capabilities include a 58-command RAT, a dual-layer rootkit, keylogging, SSH lateral movement, and peer-to-peer mesh networking. Only four security tools detected the binary as malicious at the time of the report.

Check
Hunt Linux developer machines and CI runners for /etc/ld.so.preload entries you did not put there, /tmp/.X*-lock files that do not belong to a running X server, and gcc invocations on hosts that never compile code (CI runners that only pull prebuilt artifacts, for example). A preload rootkit can filter what ls, ps and cat return on the infected host, so corroborate with kernel-side telemetry (auditd, eBPF) or an offline image.
Affected
Linux developer workstations and DevOps environments with credential access to npm, PyPI, GitHub, AWS, Docker, or Kubernetes. Acute risk for organizations with developers running root-capable Linux desktops, particularly those whose CI/CD pipelines pull dependencies from public registries. Compromised credentials enable supply-chain attacks against the organization's own published packages.
Fix
Deploy Linux EDR with eBPF visibility on every developer machine and CI runner: QLNX's preload rootkit hides from userland tools, but sensors that observe syscalls from the kernel side still see the real file and process activity. Alert on any write to /etc/ld.so.preload with auditd (and, where nothing legitimately uses the file, make it immutable with chattr +i). For high-risk developers, use ephemeral build environments (containers, VMs) that carry no persistent credentials. Trend Micro published IoCs.
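Added example for the Check and Fix above, not code from Trend Micro's report: a POSIX sh hunting script for the three indicators named (unexpected /etc/ld.so.preload entries, /tmp/.X*-lock files that do not belong to a live X server, and gcc executions recorded by auditd), plus the auditd watch rules that feed the third check. The sample preload file, lock files and audit records it builds are constructed for the dry run; the rule keys qlnx_preload and qlnx_gcc, the paths in the sample data and the allowlist format are this example's assumptions, not IoCs from the report.

```shell
#!/bin/sh
# Hunting helpers for the Quasar Linux (QLNX) indicators described above.
# Added example, not Trend Micro's code; read-only, nothing modifies the host.

# 1. Print /etc/ld.so.preload entries missing from an allowlist file (one path
#    per line, no blank lines). Most hosts should have no preload file at all.
preload_unexpected() {
  file="$1"; allow="${2:-/dev/null}"
  [ -f "$file" ] || return 0
  # ld.so.preload is a whitespace-separated list; normalise to one path per line.
  awk 'NF && $1 !~ /^#/ { for (i = 1; i <= NF; i++) print $i }' "$file" |
    grep -vxF -f "$allow" -- | sed 's|^|preload: unexpected entry: |'
}

# 2. Flag /tmp/.X*-lock files that do not look like a live X server's lock: a
#    genuine one is named .X<display>-lock and holds the PID of an X server.
suspicious_xlocks() {
  dir="${1:-/tmp}"
  for lock in "$dir"/.X*-lock; do
    [ -e "$lock" ] || continue                       # glob matched nothing
    case "${lock##*/}" in
      .X[0-9]-lock|.X[0-9][0-9]-lock) ;;             # plausible display number
      *) echo "xlock: unusual name: $lock"; continue ;;
    esac
    pid=$(tr -d ' \n' < "$lock" 2>/dev/null || true)
    case "$pid" in
      ''|*[!0-9]*) echo "xlock: non-numeric content: $lock"; continue ;;
    esac
    if [ ! -d "/proc/$pid" ]; then
      echo "xlock: no live process for PID $pid: $lock"; continue
    fi
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || true)
    case "$comm" in
      X|Xorg|Xwayland|Xvfb|Xvnc|Xephyr) ;;
      *) echo "xlock: PID $pid is '$comm', not an X server: $lock" ;;
    esac
  done
}

# 3. auditd SYSCALL records tagged by the compiler watch rule below, minus UIDs
#    that are allowed to compile. Input: raw audit.log (or `ausearch -k qlnx_gcc
#    --raw` output) and a space-separated list of allowed UIDs.
gcc_execs_from_audit() {
  awk -v allowed="${2:-}" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /type=SYSCALL/ && /key="qlnx_gcc"/ {
      uid = auid = pid = exe = "?"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "uid")  uid  = kv[2]
        if (kv[1] == "auid") auid = kv[2]
        if (kv[1] == "pid")  pid  = kv[2]
        if (kv[1] == "exe")  exe  = kv[2]
      }
      # auid=4294967295 means no login session: a daemon or implant, not a developer
      if (!(uid in ok)) printf "gcc: uid=%s auid=%s pid=%s exe=%s\n", uid, auid, pid, exe
    }' "$1"
}

# Audit rules feeding check 3 and the preload alert from Fix (save as
# /etc/audit/rules.d/qlnx.rules, then `augenrules --load`). If your distro
# installs the real compiler under another name, also watch `readlink -f /usr/bin/gcc`.
print_audit_rules() {
  cat <<'EOF'
-w /etc/ld.so.preload -p wa -k qlnx_preload
-w /usr/bin/gcc -p x -k qlnx_gcc
-w /usr/bin/cc -p x -k qlnx_gcc
EOF
}

# Constructed sample tree for an offline dry run; none of these paths are real IoCs.
make_sample_tree() {
  d=$(mktemp -d)
  printf '%s\n' '# kept by an admin' '/usr/lib/libfakeroot.so /tmp/.xcache.so' > "$d/ld.so.preload"
  printf '%s\n' '/usr/lib/libfakeroot.so' > "$d/allow"
  printf '%s\n' "$$" > "$d/.X0-lock"        # live PID (this shell), but not an X server
  printf '%s\n' 99999999 > "$d/.X1-lock"    # above pid_max: no such process
  printf '%s\n' abc > "$d/.X7-lock"         # not a PID at all
  : > "$d/.Xcache-lock"                     # name no X server would use
  cat > "$d/audit.log" <<'EOF'
type=SYSCALL msg=audit(1747100000.101:2201): arch=c000003e syscall=59 success=yes exit=0 ppid=4123 pid=4188 auid=1001 uid=1001 gid=1001 comm="gcc" exe="/usr/bin/x86_64-linux-gnu-gcc-12" key="qlnx_gcc"
type=SYSCALL msg=audit(1747103600.555:3301): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=7712 auid=4294967295 uid=0 gid=0 comm="gcc" exe="/usr/bin/x86_64-linux-gnu-gcc-12" key="qlnx_gcc"
EOF
  echo "$d"
}

# Live run:  ALLOWED_BUILD_UIDS="1001 1002" sh hunt_qlnx.sh --scan
scan_host() {
  preload_unexpected /etc/ld.so.preload
  suspicious_xlocks /tmp
  if [ -r /var/log/audit/audit.log ]; then
    gcc_execs_from_audit /var/log/audit/audit.log "${ALLOWED_BUILD_UIDS:-}"
  fi
}
if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Run the checks from a fresh shell or a rescue boot where possible: all three read the filesystem and /proc through libc, which is exactly what a preload rootkit hooks, so a clean result on a host you already suspect should be confirmed against auditd or eBPF telemetry collected off-box.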

GitHub patched a flaw in March that let any developer take over millions of repos with a single 'git push' - 88% of self-hosted GitHub Enterprise Servers still haven't installed the fix (CVE-2026-3854)

Update on the GitHub flaw covered yesterday: Wiz, which found the bug, published its full write-up showing that 88% of self-hosted GitHub Enterprise Servers were still unpatched at public disclosure on April 28. The bug let any user with push access to a single repository run code on the GitHub server itself with one 'git push'. On GitHub.com, the same bug exposed millions of public and private repositories belonging to other users on the same storage node. GitHub.com was patched within 75 minutes; Enterprise Server installs must be patched manually by their operators. Wiz found the bug using AI-augmented reverse engineering of closed-source GitHub binaries.

Check
If you run a self-hosted GitHub Enterprise Server, check today whether you're on a patched version and upgrade if not.
Affected
Self-hosted GitHub Enterprise Server instances on versions before the March 2026 patches. CVSS 8.7. Wiz data shows 88% of GHES instances were unpatched at disclosure. The bug needs push access to any repository, including one the attacker creates themselves. GitHub.com and Enterprise Cloud variants are already patched.
Fix
Upgrade to GHES 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later. Audit /var/log/github-audit.log for push operations whose push option values contain semicolons or other unusual special characters; that is the exploit signature. Until you have patched, tighten who can push and who can create repositories, since the attacker needs push access to any repository, including one they create themselves.
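Added example, not code from GitHub or Wiz: a POSIX sh helper that reads the appliance version from the X-GitHub-Enterprise-Version header GHES returns on API responses and compares it, per minor line, against the fixed versions listed above. The hostname is a placeholder and the header dump is constructed; treating minor lines the advisory does not list as unpatched below 3.14 and patched above 3.20 is this example's assumption.

```shell
#!/bin/sh
# GHES patch-level check for CVE-2026-3854. Added example, not GitHub's or
# Wiz's code; the fixed versions are the ones listed in the Fix above.

# Pull the appliance version from the headers of any API response, e.g.
#   curl -sI https://ghes.example.internal/api/v3/meta > headers.txt
# (placeholder hostname). GHES sends it as X-GitHub-Enterprise-Version.
# Pass "-" to read the headers from stdin.
ghes_version_from_headers() {
  awk 'tolower($1) == "x-github-enterprise-version:" { sub(/\r$/, "", $2); print $2; exit }' "$1"
}

# ghes_patched VERSION -> 0 if VERSION carries the fix, 1 if not, 2 if the
# string is not a GHES version. Lines the advisory does not list are treated
# as unpatched below 3.14 (no fix exists for them) and patched above 3.20
# (released after the fix); both are this example's assumptions.
ghes_patched() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "ghes_patched: cannot parse version '$1'" >&2; return 2 ;;
  esac
  major=${1%%.*}; rest=${1#*.}
  minor=${rest%%.*}; rest=${rest#*.}
  patch=${rest%%[!0-9]*}             # drop any suffix after the patch number
  if [ "$major" -gt 3 ]; then return 0; fi
  if [ "$major" -lt 3 ]; then return 1; fi
  case "$minor" in
    14) min=25 ;; 15) min=20 ;; 16) min=16 ;; 17) min=13 ;;
    18) min=7  ;; 19) min=4  ;; 20) min=0  ;;
    *) if [ "$minor" -gt 20 ]; then return 0; else return 1; fi ;;
  esac
  if [ "$patch" -ge "$min" ]; then return 0; else return 1; fi
}

# Read versions one per line (from several appliances, say) and print a verdict each.
ghes_report() {
  while IFS= read -r v; do
    [ -n "$v" ] || continue
    rc=0; ghes_patched "$v" 2>/dev/null || rc=$?
    case $rc in
      0) echo "$v patched" ;;
      1) echo "$v UNPATCHED: upgrade for CVE-2026-3854" ;;
      *) echo "$v unparsable" ;;
    esac
  done
}

# Constructed header dump from a hypothetical unpatched 3.14 appliance.
sample_headers() {
  printf 'HTTP/2 200\r\nx-github-enterprise-version: 3.14.24\r\ncontent-type: application/json; charset=utf-8\r\n\r\n'
}

# One-liner against a live appliance (placeholder hostname):
#   curl -sI https://ghes.example.internal/api/v3/meta | ghes_version_from_headers - | ghes_report
```

The header is returned on any API path, so the check needs no token; run it from your monitoring host against every appliance rather than trusting a single manual look at the admin console.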

Fake VS Code security alerts flooding GitHub Discussions to spread malware

Thousands of fake Visual Studio Code vulnerability warnings are being posted across GitHub Discussions in automated waves - all from freshly created accounts. The posts use realistic titles like 'Severe Vulnerability - Immediate Update Required' with fabricated CVE IDs to pressure developers into downloading malware from Google Drive links. The payloads fingerprint victims before delivering secondary attacks, acting as a traffic distribution system.

Check
Warn your development team - never download VS Code updates from GitHub Discussion links or Google Drive.
Affected
Any developer using GitHub who encounters a VS Code security alert in Discussions with an external download link.
Fix
Only update VS Code through the built-in updater or code.visualstudio.com. Verify any CVE IDs against NVD or CISA KEV before acting on them.
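Added example for the Fix above, not from the report: a POSIX sh triage for CVE IDs quoted in such posts. It rejects malformed or impossible IDs offline, looks a well-formed ID up in a saved copy of CISA's KEV catalog, and prints the NVD and KEV queries that give the final answer. The KEV excerpt is constructed in the catalog's layout (the Log4Shell entry in it is a real one); the file name kev.json is an assumption.

```shell
#!/bin/sh
# CVE triage for "security alert" posts. Added example, not from the report above.
# Offline: reject impossible IDs, look real ones up in a saved KEV catalog.
# Online: print the NVD and KEV queries that settle it (URLs are the real feeds).

KEV_URL='https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'
NVD_URL='https://services.nvd.nist.gov/rest/json/cves/2.0?cveId='

# cve_id_valid ID -> 0 if ID has the CVE-YYYY-NNNN+ shape and a plausible year.
# Failing this means the ID is fabricated outright; passing proves nothing yet,
# since anyone can type a well-formed ID that was never assigned.
cve_id_valid() {
  printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' || return 1
  year=${1#CVE-}; year=${year%%-*}
  [ "$year" -ge 1999 ] && [ "$year" -le "$(date +%Y)" ]
}

# kev_has KEV_FILE ID -> 0 if ID is in a saved copy of the catalog
# (refresh with: curl -s "$KEV_URL" -o kev.json). Matches the "cveID" field.
kev_has() {
  grep -Eq "\"cveID\"[[:space:]]*:[[:space:]]*\"$2\"" "$1"
}

# Commands for the online confirmation; printed, not run.
verify_commands() {
  echo "curl -s '${NVD_URL}$1' | grep -o '\"totalResults\":[0-9]*'   # 0 means NVD has no such record"
  echo "curl -s '$KEV_URL' | grep -c '\"cveID\": *\"$1\"'              # 1 means CISA lists it as exploited"
}

# triage ID [KEV_FILE] -> one verdict line; exit 1 only for a malformed ID.
triage() {
  id="$1"; kev="${2:-kev.json}"
  if ! cve_id_valid "$id"; then
    echo "$id: malformed or impossible CVE ID: treat the post as fake"; return 1
  fi
  if [ -r "$kev" ] && kev_has "$kev" "$id"; then
    echo "$id: well formed and listed in CISA KEV: real, actively exploited"
  else
    echo "$id: well formed but not in the saved KEV copy: confirm it exists in NVD before acting"
  fi
}

# Constructed KEV excerpt in the catalog's layout; the Log4Shell entry is real.
sample_kev() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
{"title": "CISA Catalog of Known Exploited Vulnerabilities", "vulnerabilities": [
  {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2", "dateAdded": "2021-12-10"}
]}
EOF
  echo "$f"
}

# Usage:  triage CVE-2021-44228 kev.json; verify_commands CVE-2021-44228
```

Even a real, KEV-listed ID does not validate the post's download link: the fix for a genuine VS Code CVE still arrives through the built-in updater or code.visualstudio.com, never through a Google Drive file.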

DarkSword iOS exploit kit leaked on GitHub - hundreds of millions of unpatched iPhones at risk (CVE-2026-20700)

A government-grade iPhone hacking toolkit called DarkSword was leaked on GitHub on March 23, and researchers say it is trivial to use. Written entirely in HTML and JavaScript, it can be hosted by anyone and used against iPhones running iOS 18.4 through 18.7.1. It chains six vulnerabilities, including three zero-days, for full device takeover and theft of messages, location data, and crypto wallets. Roughly a quarter of all iPhones remain on vulnerable versions.

Check
Check all company iPhones and iPads for outdated iOS versions.
Affected
iOS 18.4 through 18.7.1. Also iOS 13 through 17.2.1 via the related Coruna exploit kit.
Fix
Update to iOS 18.7.2 or later (or iOS 26.3). Enable Lockdown Mode on high-risk devices. Push MDM policies to enforce updates.