Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to s...
20 articles
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to s...
Researchers uncovered 222 GitHub repositories spreading malware through fake Go packages, delivering loaders, stealers, RATs, and cryptominers. Socket’s secu...
Hackers compromised the Injective Labs SDK project's GitHub repository and used it to publish a malicious package on the Node Package Manager (npm) that stol...
Datadog Security Labs is warning of "several overlapping campaigns" that are systematically enumerating corporate GitHub organizations, repositories, and use...
Millions of developers share their keyboard with GitHub Copilot. Inside Visual Studio Code, it opens their files, writes and edits code, runs scripts, and re...
GitHub Copilot’s new coding agents, which are integrated into IDEs, are susceptible to a specific type of “workflow-level” jailbreak attacks. These attacks c...
Developers are pushing code and opening pull requests across economy borders at a rate GitHub has rarely seen. Outbound collaboration, the sum of git pushes ...
GitHub continues to be a scintillating target for attackers because it sits in the middle of the software supply chain and gives threat actors three things t...
Attackers can silently clone “Verified” GitHub commits by abusing signature malleability in Git’s commit-signing formats, creating byte‑different commits wit...
A prompt injection attack can trick GitHub’s preview Agentic Workflows into retrieving content from private repositories and publishing it publicly, exposing...
New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, s...
An issue opened on a public repository can lead the agent to disclose private details.
Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authe...
A critical vulnerability known as “GitLost” has been discovered in GitHub’s newly introduced Agentic Workflows by Noma Labs. This flaw allows unauthenticated...
A public issue can trick GitHub Agentic Workflows into leaking the contents of an organization's private repositories, researchers at Noma Security have show...
ActiveState explains how GitHub Actions attack chains can evade traditional CI security scanners, why passing a scan doesn't guarantee a secure pipeline, and...
Noma Labs details GitLost, a prompt injection flaw that made GitHub's AI agent expose private repo data through a crafted public issue and guardrail failures.
A newly disclosed high-severity vulnerability in PHP, tracked as CVE-2026-12184, poses a significant risk to web applications by allowing a remotely triggera...
Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in...
A coordinated supply-chain campaign has been weaponizing GitHub proof-of-concept (PoC) repositories to compromise vulnerability researchers and penetration t...