Hot
3H ago
6 sources
More than 30 npm packages in Red Hat's @redhat-cloud-services namespace were compromised and used to deliver credential-stealing malware to developers who installed them. Researchers say attackers likely took over a Red Hat employee GitHub account, added malicious GitHub Actions workflows, and abused npm trusted publishing to release 96 backdoored package versions. The malware, a new Shai-Hulud variant dubbed Miasma, targeted GitHub Actions secrets, cloud credentials, SSH keys, package publishing tokens, Vault tokens, Kubernetes service-account tokens, Docker credentials, GPG keys, and .env files.
— Developers and organizations that installed the affected packages may have had sensitive keys and tokens stolen, which can lead to wider compromise of code, cloud systems, and build pipelines. This is urgent: identify affected installs, remove the packages, and rotate all credentials and secrets that were present on impacted machines or CI/CD systems.
Sources: Red Hat npm packages compromised to steal developer credentials, Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week, Supply Chain Attack Hits 32 Red Hat NPM Packages (+3 more)
Hot
3H ago
5 sources
GitHub disabled more than 70 Microsoft repositories after attackers allegedly used a compromised contributor account to push malicious commits into projects including Azure/durabletask and Azure/functions-action. StepSecurity says the Miasma worm planted configuration files that could trigger remote code execution when a developer opened the repository in an integrated development environment or AI coding tool such as Claude Code, Gemini CLI, or Cursor, and the takedowns disrupted workflows that depended on Azure/functions-action@v1.
— This affects developers and organizations that rely on Microsoft's open-source Azure tooling, with both supply-chain risk and immediate build-pipeline disruption. Teams using the affected repositories should review recent commits, rotate contributor and automation tokens, check developer machines for malicious config execution, and verify dependencies before restoring pipelines.
Sources: GitHub nukes 70+ Microsoft repos, breaks CI/CD pipelines, following suspected worm infections, Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks, GitHub disables Microsoft repos pushing password-stealing malware (+2 more)
New
3H ago
3 sources
Attackers compromised 19 Python packages on PyPI, including popular science and bioinformatics tools, and planted malware that can steal secrets from developer machines and continuous integration systems. Socket linked the activity to the broader Shai-Hulud campaign and said 37 malicious releases used executable .pth startup hooks to trigger code when Python starts, then fetched the Bun JavaScript runtime to run an obfuscated payload that targeted GitHub, npm, PyPI, AWS, GCP, Azure, Kubernetes, SSH, Docker, Vault, and Claude/MCP credentials.
— Developers, researchers, and organizations using these packages may have had passwords, tokens, and cloud keys stolen without obvious signs. Anyone who installed affected versions should treat the environment as compromised, rotate secrets, and rebuild from known-good backups.
Sources: New Shai-Hulud attack trojanizes 19 science-focused PyPI packages, Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks, The ‘Miasma’ worm source code briefly leaked on GitHub
New
4H ago
2 sources
GitHub says npm 12 will no longer run package install scripts by default, changing behavior that has long let malicious dependencies execute code on developer machines and continuous integration systems. The July release will disable automatic preinstall, install, and postinstall lifecycle scripts unless explicitly allowed with allow-scripts, turn --allow-git off by default, and set allow-remote to none to block remote URL dependency downloads; the move follows repeated supply-chain abuse, including Shai-Hulud-style malicious packages.
— Developers and organizations that use npm may need to update build and install workflows before npm 12 ships, but the change should reduce one of the ecosystem's biggest package-based malware risks. Security teams should test projects now, identify legitimate packages that need script exceptions, and tighten CI defaults.
Sources: GitHub pulls pin on npm's auto-run scripts, GitHub announces npm security changes to tackle supply-chain attacks
1D ago
6 sources
A newly disclosed Visual Studio Code flaw can let attackers steal a victim’s GitHub sign-in token with a single click on a malicious link, potentially exposing all private repositories that account can access. Researcher Ammar Askar published proof-of-concept exploit code on June 3, 2026; no CVE has been assigned and no official patch is available. The bug abuses message passing between sandboxed webviews and the main editor in github.dev, allowing a malicious extension to be installed and extract a broad GitHub OAuth token.
— Developers, maintainers, and employees who use github.dev or VS Code-linked GitHub workflows could have source code and other private repository data exposed before a fix is available. Until Microsoft and GitHub ship a patch, users should treat github.dev links cautiously and clear github.dev cookies/site data so unexpected extension sign-in prompts appear.
Sources: VS Code zero-day lets hackers steal GitHub tokens in one click, One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens, Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures (+3 more)
2D ago
5 sources
A newly disclosed flaw in Gogs can let attackers take over internet-exposed code servers if they can register a normal user account. The unpatched argument-injection vulnerability, not yet assigned a CVE, affects Gogs 0.14.2 and 0.15.0+dev and is triggered during the "Rebase before merging" pull-request flow; because open registration is enabled by default, many default-configured servers may be reachable by unauthenticated attackers who simply sign up first. Rapid7 says successful exploitation can lead to remote code execution as the server process user, access to private repositories, and theft of password hashes, API tokens, SSH keys, and 2FA secrets.
— Organizations running self-hosted Gogs should treat this as urgent because exposed servers may be compromisable even without an existing attacker account. Until a fix is available, admins should disable open registration, restrict internet exposure, and review whether rebase-merging can be turned off or tightly limited.
Sources: New Gogs zero-day flaw lets hackers get remote code execution, Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code, Gogs Zero-Day Exposes Servers to Remote Code Execution (+2 more)
2D ago
5 sources
Researchers say a compromised npm maintainer account ('atool') was used to publish hundreds of malicious package versions across the @antv namespace, including widely used downstream packages such as echarts-for-react and timeago.js. The payload steals GitHub Actions secrets and credentials from cloud, Kubernetes, Vault, wallet, and developer-tool paths, exfiltrates data via GitHub and fallback infrastructure, and can republish tampered packages using stolen npm tokens. Reports also link the campaign to malicious PyPI uploads, a compromised GitHub Action, and a VS Code extension.
— This is a high-impact ecosystem compromise with downstream risk to developer workstations, CI environments, and software consumers through trusted package updates. Defenders should immediately identify affected package versions, rotate exposed secrets and npm tokens, review CI runners and GitHub repositories for exfiltration, and block known malicious artifacts.
Sources: Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack, Shai-Hulud copycat worm infects yet another npm package, TanStack weighs invitation-only pull requests after supply chain attack (+2 more)
2D ago
2 sources
Oxford University says a separate breach at its CareerConnect jobs platform exposed users’ full names and email addresses, and encrypted passwords for people not using single sign-on. The affected service is provided by Group GTI and runs on its TargetConnect platform, which Oxford said was compromised on May 28 through an unspecified security vulnerability that has since been fixed; affected alumni, research staff, and employer users had passwords reset, and GTI has not publicly disclosed the flaw or total scope.
— Students, alumni, staff, and recruiters who used the platform may now face phishing or credential-stuffing attempts, especially if they reused passwords elsewhere. Affected users should reset reused passwords, watch for convincing job-related scam emails, and universities using GTI TargetConnect should press the vendor for technical details and mitigation guidance.
Sources: Oxford Uni student data pwned yet again - this time via career platform breach, Oxford University discloses data breach after careers platform hack
5D ago
1 source
Toshiba and Muji warned that visitors to some of their web pages saw unexpected browser sign-in prompts that could trick people into entering credentials. The prompts were tied to lingering references to the compromised polyfill.io JavaScript content delivery network (CDN), which began responding with HTTP 401 authentication challenges in late May 2026; affected companies removed or suspended the service, and no confirmed credential theft has been reported so far.
— People who entered usernames or passwords into these pop-ups should change them, and website owners should remove any remaining polyfill.io code immediately. This matters because it shows how a long-abandoned third-party script can still create phishing risk years after an earlier supply-chain compromise.
Sources: Suspicious Polyfill login prompts pop up on Toshiba, Muji websites
5D ago
1 source
The European Commission unveiled a new tech sovereignty package meant to reduce the European Union's dependence on U.S. and Chinese technology suppliers. The package includes draft laws for semiconductors and cloud and AI infrastructure, plus an Open Source Strategy that would fund maintenance and security for critical open-source components and push public-sector procurement toward open technologies as part of broader digital resilience planning.
— This matters to governments, public-sector buyers, vendors, and defenders because it could reshape which technologies Europe relies on for critical systems and how security funding is directed, especially for open-source components that underpin widely used infrastructure. Organizations should watch the legislative process, procurement changes, and any resulting security requirements for cloud, AI, and software supply chains.
Sources: EU unveils tech sovereignty package to cut reliance on US, Chinese suppliers
5D ago
2 sources
Hola says its Windows browser installer was compromised and, in some cases, delivered hidden mining malware to users. AppEsteem certification checks and analysis by Sophos found an undeclared executable, 'me.exe,' installed under the Hola program folder; the binary was unsigned, obfuscated, added a Microsoft Defender exclusion, copied itself as 'HolaMonitorService.exe,' created the 'hola_monitor_svc' Windows service for persistence, and appeared to mine Monero when the PC was idle. Hola said about 0.1% of users were affected and that it rebuilt its distribution pipeline after separately confirming the compromise with Sygnia.
— People who installed Hola Browser on Windows may have unknowingly run malware that abuses their computer for cryptocurrency mining and weakens local defenses. Affected users and admins should treat this as urgent: verify installations, look for the named files and service, remove Hola if necessary, and reinstall only from a trusted, verified build.
Sources: Hola Browser for Windows compromised to deliver cryptominer, In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA
6D ago
1 source
Attackers uploaded 36 malicious npm packages carrying a new malware strain called IronWorm, putting developers and continuous integration systems at risk if they installed the poisoned versions. JFrog says the Rust-based malware steals 86 environment variables and 20 credential-file types, including AWS, OpenAI, Anthropic, npm, SSH, vault, and crypto-wallet data; it was first linked to the compromised npm account 'asteroiddao' and can self-propagate by abusing stolen npm publishing and Trusted Publishing secrets to push trojanized package updates.
— This can spread from one compromised developer or build system into many other packages and organizations, making it a high-priority software supply-chain threat. Developers and defenders should identify any affected package versions, upgrade to clean releases, rotate exposed credentials, review GitHub Actions and npm publishing tokens, and enforce two-factor authentication.
Sources: New IronWorm malware hits 36 packages in npm supply-chain attack
6D ago
1 source
A flaw in Anthropic's Claude Code GitHub Action could let an attacker use one malicious GitHub issue or comment to hijack affected repositories. The issue affected the GitHub Action integration for Claude Code, where untrusted issue content could be turned into dangerous workflow commands and expose repository secrets or enable unauthorized code changes in automation runs; the source article does not cite a CVE.
— Projects using the Claude Code GitHub Action may have been exposed to repository takeover through normal issue-tracker interactions, making this a high-priority supply-chain and automation risk. Maintainers should review Anthropic's fix guidance, restrict workflow permissions, rotate exposed secrets, and treat issue-triggered automation as untrusted until patched.
Sources: Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
12D ago
1 source
A single attacker published 14 malicious npm packages that pretended to be OpenSearch, Elasticsearch, and related developer tools, putting developers and build systems at risk of secret theft. Microsoft said the packages were uploaded under the alias "vpmdhaj" and used typosquatting, spoofed metadata, and inflated version numbers; on install, preinstall hooks fetched a second-stage credential harvester targeting Amazon Web Services, HashiCorp Vault, GitHub Actions, and npm tokens. The packages were removed after publication.
— Anyone who installed or built these packages may have exposed credentials that can be reused to access cloud accounts, code pipelines, and package publishing systems. Organizations should identify affected installs from May 28 onward, rotate AWS Identity and Access Management or Security Token Service credentials, Vault tokens, npm publish tokens, and GitHub Actions secrets, and review for follow-on compromise.
Sources: Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries
13D ago
1 source
A flaw in Gitea could let outsiders download supposedly private software container images from many self-hosted code servers. NoScope says CVE-2026-27771 is an access-control bug in Gitea’s built-in container registry, also affecting Forgejo, where anonymous Docker/OCI pull requests could retrieve private images; Gitea patched it in version 1.26.2, and Shodan data suggested roughly 31,750 internet-facing instances were likely vulnerable.
— Private container images can contain source code, credentials, and details about production systems, so this exposure could hand attackers valuable access and intelligence. Organizations running self-hosted Gitea or Forgejo should update to 1.26.2 immediately or enforce authentication for all content access if possible.
Sources: Gitea Vulnerability Exposed 30,000 Deployments to Attacks
14D ago
3 sources
Security firms say they disrupted the GlassWorm botnet, a malware operation that infected developers and open source software ecosystems and could be used to steal credentials, cryptocurrency wallet data, and remote access to infected machines. CrowdStrike says GlassWorm spread through trojanized Visual Studio extensions on OpenVSX and later through GitHub and compromised Python projects, while using Solana blockchain transactions, Google Calendar, BitTorrent and VPS-hosted servers as layered command-and-control channels. The malware hid code with Unicode variation selectors and stole npm, GitHub and Git credentials, creating downstream software supply-chain risk.
— This matters because a compromise of developers can spread to the software and updates many other organizations rely on. Teams should check for beaconing to 164.92.88[.]210, investigate developer machines and repositories for compromise, rotate exposed credentials, and review software supply-chain protections.
Sources: GlassWorm Botnet Disrupted, Glassworm botnet disrupted after resilient C2 infrastructure takedown, CrowdStrike, Google shatter Glassworm botnet
14D ago
1 source
Researchers say attackers can abuse trusted-looking project files in code repositories to make AI coding agents install attacker-controlled components and run malicious code on a developer's machine or in continuous integration (CI) systems. Adversa's 'SymJack' technique uses disguised symbolic links (symlinks) and a copy command to silently register a malicious Model Context Protocol (MCP) server; the firm says it worked against Claude Code, Gemini CLI, Antigravity CLI, Cursor Agent CLI, Grok Build CLI, and GitHub Copilot CLI, and published a proof of concept on GitHub. Anthropic reportedly hardened Claude Code to resolve symlinks before approval and show the true destination path.
— Teams using AI coding agents could unknowingly approve changes that steal SSH keys, cloud tokens, browser sessions, or CI secrets and then push malicious code downstream. This is urgent for developers and DevOps teams using agentic coding tools: review repository trust assumptions, restrict or audit MCP server registration, scrutinize file-copy prompts, and apply vendor mitigations where available.
Sources: ‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems
16D ago
1 source
The Oncology Institute says a breach at an outside software services provider affected patient information in its systems. TOI said Kroll notified it on May 20, 2026 that the vendor detected unauthorized access to TOI information systems, including systems containing patient data; the vendor was not named, but the timeline and disclosure process point to Cognizant-owned TriZetto Provider Solutions as a possible match. TOI operates more than 100 clinics across five U.S. states.
— Cancer patients and healthcare staff may face privacy risks and follow-on fraud if their information was exposed. Affected users should watch for breach notices and suspicious calls or emails, while healthcare organizations using the same vendor should review exposure and incident-response steps immediately.
Sources: Oncology Institute Discloses Data Breach
16D ago
2 sources
Attackers compromised Laravel Lang localization packages and made legitimate-looking Composer installs fetch malware instead. The attackers rewrote existing GitHub release tags across laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions to point to malicious commits in a fork, affecting hundreds of historical versions; the payload drops a PHP stealer that targets cloud keys, CI/CD secrets, SSH keys, browser data, crypto wallets, and on Windows launches a helper executable dubbed DebugElevator to decrypt Chromium-based browser credentials.
— Developers and organizations that installed these packages could have had passwords, cloud credentials, and deployment secrets stolen without realizing it. Treat this as urgent: identify affected installs, remove compromised versions, rotate any exposed secrets, and review developer and build systems for follow-on access.
Sources: Laravel Lang packages hijacked to deploy credential-stealing malware, Laravel-Lang Packages Poisoned for Malware Delivery
16D ago
2 sources
A new automated attack dubbed Megalodon pushed malicious commits to more than 5,500 GitHub repositories, putting developers and organizations that merge those changes at risk of credential theft. Researchers say the malware runs in continuous integration and continuous delivery (CI/CD) pipelines after a poisoned commit is merged, then steals GitHub, Bitbucket, AWS, Google Cloud, Azure, SSH, Docker, Kubernetes, Vault, and Terraform secrets and can spread further; SafeDep also linked backdoored Tiledesk npm releases 2.18.6 through 2.18.12 to a compromised GitHub repository rather than a stolen npm account.
— This can turn a routine code merge into a cloud-account and source-code compromise, especially for organizations that automatically build code from GitHub. Repo maintainers and security teams should review recent pull requests and commits, block suspicious automation, rotate CI/CD and cloud secrets, and check whether affected packages or repositories were used.
Sources: Megalodon chums the waters in 5.5K+ GitHub repo poisonings, Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack
19D ago
5 sources
KrebsOnSecurity reports that a public GitHub repository maintained by a CISA contractor exposed sensitive internal files, plaintext passwords, tokens, and administrative credentials for three AWS GovCloud accounts and other CISA systems. Researchers said some credentials were valid and could authenticate to high-privilege GovCloud environments, and the repository also exposed internal software build and artifactory access details.
— This is a major breach-risk event affecting a U.S. federal cybersecurity agency, with potential impact on internal systems, software supply-chain integrity, and government cloud environments. Affected parties need credential rotation, repository auditing, and investigation of possible unauthorized access.
Sources: CISA Admin Leaked AWS GovCloud Keys on Github, America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames, CISA Security Leak (+2 more)
19D ago
4 sources
Grafana says attackers gained access to its private GitHub repositories after a GitHub workflow token was missed during rotation following the TanStack npm supply-chain attack. The malicious TanStack package executed in Grafana's CI/CD environment, exfiltrated workflow tokens, and led to theft of source code plus some operational business contact information. Grafana says no customer production systems or cloud data were affected.
— This matters to defenders because it shows how downstream victims of an npm supply-chain compromise can remain exposed if token rotation is incomplete. Organizations using GitHub Actions and affected TanStack packages should review CI/CD secrets, token scope, and repository access logs.
Sources: Grafana breach caused by missed token rotation after TanStack attack, TanStack weighs invitation-only pull requests after supply chain attack, GitHub links repo breach to TanStack npm supply-chain attack (+1 more)
20D ago
7 sources
GitHub confirmed that an employee device was compromised after installing a trojanized VS Code extension, leading to exfiltration of roughly 3,800 internal repositories. The company says it removed the malicious extension from the VS Code Marketplace, isolated the endpoint, and found no evidence that customer data stored outside the affected repos was impacted. TeamPCP claimed responsibility and advertised the stolen code for sale.
— This is a significant source-code breach at a core software development platform, with potential downstream supply-chain and trust implications. GitHub users and defenders should watch for follow-on disclosures about exposed secrets, internal tooling, or abuse tied to the stolen repositories.
Sources: GitHub confirms breach of 3,800 repos via malicious VSCode extension, GitHub investigates internal repositories breach claimed by TeamPCP, GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos (+4 more)