
How software development’s speed obsession enabled TeamPCP’s chaos crusade

18 June 2026 at 11:25

TeamPCP is on a rampage through open-source software.

In less than four months, the threat actor has compromised and injected malicious code into more than 1,000 software packages. The extraordinary spree has transformed how software developers and maintainers distribute and manage their code, as their dependencies and repositories have become one of the most effective and prevalent attack vectors this year.

While there has been a host of technical exploits, TeamPCP’s greatest attack has been the uprooting of trust — repeatedly proving that most organizations fail to verify that the code they ingest into their systems is legitimate, abusing a nearly blind faith that much of the software development industry relies on to power today’s modern economy.

Starting with Trivy in February, TeamPCP’s attacks have shaken that trust many times over.

The scale of TeamPCP’s attacks lies partly in the automated systems companies use to deploy code, like CI/CD pipelines. It is also capitalizing on new security gaps created by developers’ increasing reliance on AI. Yet, with relatively low effort and unoriginal tactics, TeamPCP is wrecking open-source frameworks and underlying systems at levels the technology community has rarely reckoned with.

“Developers didn’t do a great job of analyzing the security of their open-source dependencies before but, now with AI, there’s in some cases virtually no human in the loop or any kind of sanity check on what these tools are doing,” Feross Aboukhadijeh, founder and CEO at Socket, told CyberScoop.

“You have agents installing packages that haven’t been vetted,” he said. “When an attacker gets in, the impact is even broader because there’s less checks and balances to stop it from affecting everybody.”

TeamPCP hasn’t identified a new problem or proved anything novel. The crux of these attacks hinges on a central theme: defensive vulnerabilities the entire software industry has known about for years. Researchers and developers know the open source trust model is broken and susceptible to sabotage. Yet, the software industry has not fixed this problem.

“The speed and scale of these attacks is what makes it most notable, not necessarily the methodology behind it, because at the core it is really about exploiting third-party trusts that we have,” said Kimberly Goody, senior manager at Google Threat Intelligence Group.

Software packages are typically subjected to intensive security monitoring to test for vulnerabilities and poisoned updates before they are released to live environments. 

Yet, the real vulnerability highlighted by TeamPCP lies further up the chain of command with the organizations or individuals that publish these packages to the wider market, according to Nathaniel Quist, manager of cloud threat intelligence at Palo Alto Networks.

“It is their responsibility to secure their credentials and not provide a jump off point to trigger a supply-chain event,” he said. “Everything that interacts with or crosses through that zone must be highly monitored and controlled to ensure a compromise can be contained quickly and easily.”

TeamPCP’s motivation

TeamPCP, like any prolific cybercriminal, has captured significant attention from threat hunters since it emerged in late 2025. Google attributes the activity to one core operator.

The company said it traced TeamPCP’s residential and mobile IP address connections to South Africa, indicating the primary operator was located there during at least some of its attacks.

“We don’t believe that there’s an established core group, at least not yet, and that a lot of this has been conducted by an individual,” Goody said. Google declined to name the core operator or confirm it knows the person’s true identity. 

Palo Alto Networks said the core manager of TeamPCP uses the “ResoluteXBF” handle on multiple platforms. The cybersecurity firm is also tracking two additional core members: “diencracked” and “Shinigami.”

If TeamPCP is primarily run by one person, law enforcement has a rare opportunity to make a lasting impact with a single arrest.

TeamPCP has collaborated with other cybercriminals, but most of those partnerships were short-lived and ended in a public feud or otherwise failed to get off the ground in any meaningful way, Goody said.

Researchers have linked TeamPCP to extortion crews, dark web forums and affiliates including Lapsus$, ShinyHunters, Vect, DragonForce, BreachForums and “HasanBroker.” TeamPCP listed about 4,000 private code repositories on a dark web forum with an asking price of $95,000.

The actions to date, including unpredictable behavior, indicate motivations beyond financial gain and a “clear desire for notoriety,” Goody said. “They seem to like to make chaos.”

Quist draws the same conclusion from his months-long investigation, noting that TeamPCP encourages other cybercriminals to get in on the action, at one point offering financial rewards for the largest software supply-chain attack.

TeamPCP isn’t in the game for extortion payments, he said. “These actors are more interested in the underground street cred they are gaining” and “causing as much damage and mayhem as possible.”

Victims abound, but exposure limited

TeamPCP has been remarkably noisy, opportunistically injecting malware into open-source software for the purpose of stealing credentials for Kubernetes environments, Amazon Web Services, Microsoft Azure, Google Cloud and many other connected services.

The group’s claimed victim list is staggering: Checkmarx, Bitwarden, LiteLLM, Telnyx, Mercor AI, PyTorch Lightning, AntV, SAP, GitHub, TanStack, UiPath, MistralAI, Microsoft DurableTask, Red Hat and Nx Console.

The full collection of packages compromised or poisoned by TeamPCP to date accounts for roughly 500 million weekly downloads combined, according to Quist.

While the breadth of potential downstream compromise flowing from those downloads is substantial, many endpoints infected with those malware-riddled packages aren’t exposed to the internet and are less susceptible to attack, he added.

“I don’t think there’s going to be a very extremely large number of victims,” Quist said. “There’s going to be a lot of people who potentially could be compromised and have potentially vulnerable packages in their environment, but that doesn’t necessarily mean they’re in an exploitable position.”

While these incidents have grabbed headlines, TeamPCP hasn’t accumulated payouts nearly as large as other cybercriminals. The broader reputational impact it has wrought, however, is massive.

TeamPCP has publicly claimed more than 10,000 victims and about $90,000 in extortions, according to Quist.

“They might not be making a lot of money, but they are causing a lot of impact,” Goody said. “Their campaigns have been very disruptive.”

How TeamPCP’s operating model targets development

TeamPCP’s victim list has grown as it has hijacked open-source repositories on npm, PyPI, GitHub and other outsourced developer tools that are incorporated into upstream code running in production environments.

Developer laptops and other endpoints that are assigned to install, build and publish software commonly contain keys and access to source code, which makes them incredibly valuable supply-chain targets for attackers, Amitai Cohen, head of the attack vector intel team at Wiz, explained during a June presentation on TeamPCP at SleuthCon in Arlington, Va.

The group targets CI runners, which are automated systems that build, test, and publish code. TeamPCP injects malware into the code repositories these runners maintain. When other developers pull that code into their own systems, they unknowingly download the malware alongside it. 

Some of these artifacts, including Python libraries, npm registries and GitHub Actions, are downloaded almost immediately by thousands or millions of developers who’ve set their runners up to consistently pull the latest version, according to Cohen. “We as a security industry have taught them that that is the right thing to do. You want to use the latest version because you want to be protected against vulnerabilities, and obviously you want to benefit from all the latest features.”

That instinct is exactly what TeamPCP exploits. By compromising one company’s CI/CD workflow, the group gains access to every downstream user who automatically pulls that infected code. “This is what allows [TeamPCP] to leverage initial access to some patient zero, some company that had a vulnerability in their CI/CD workflow, in order to gain access to their downstream users,” Cohen said. “That’s just how the software supply chain works. Everything has dependencies upon dependencies upon dependencies.”
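The floating references Cohen describes can be audited before a runner pulls anything. The script below is an added example, not code from the article or from any vendor it quotes: it flags GitHub Actions uses: references and Python requirements that resolve to whatever was published most recently. The sample workflow, requirements file, action names, registry host and digests are constructed placeholders.

```python
"""Flag CI and dependency references that float to the newest published version."""
import re

# Constructed inputs: action names, registry host and digests are placeholders.
SAMPLE_WORKFLOW = """name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scan-action@main
      - uses: example-org/publish-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://example.test/tool:latest
      - run: pip install -r requirements.txt
"""

SAMPLE_REQUIREMENTS = r"""# constructed example
requests
urllib3>=2.0
example-lib==1.4.2
example-pinned==3.1.0 \
    --hash=sha256:DIGEST
""".replace("DIGEST", "ab" * 32)

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# name, optional extras, then an exact == version with no wildcard
PIN_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;*]+(?=\s|;|$)"
)


def audit_workflow(text):
    """Return (line, reference, reason) for every action not pinned immutably."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./"):
            continue  # local action, versioned with the repository itself
        if target.startswith("docker://"):
            if not IMAGE_DIGEST_RE.search(target):
                findings.append((lineno, target, "image not pinned by digest"))
            continue
        _, sep, ref = target.partition("@")
        if not sep:
            findings.append((lineno, target, "no ref given"))
        elif not FULL_SHA_RE.match(ref):
            # tags and branches can be moved to new code by whoever controls the repo
            findings.append((lineno, target, "mutable tag or branch ref"))
    return findings


def logical_lines(text):
    """Yield (first_line_number, joined_line), folding backslash continuations."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def audit_requirements(text):
    """Return (line, requirement, reason) for entries that can float or lack a hash."""
    findings = []
    for lineno, raw in logical_lines(text):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or option line such as -r / --index-url
        if not PIN_RE.match(line):
            findings.append((lineno, line, "version not pinned with =="))
        elif "--hash=" not in line:
            findings.append((lineno, line, "pinned but no --hash to verify content"))
    return findings


if __name__ == "__main__":
    for lineno, item, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"workflow:{lineno}: {item}: {reason}")
    for lineno, item, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements:{lineno}: {item}: {reason}")
```

A reference pinned to a full commit SHA or a content hash does not change when a new version is published, so taking an update becomes an explicit, reviewable change rather than something the runner does on its own.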

Some of the packages compromised by TeamPCP were live for almost 13 hours, but security practitioners have responded by identifying code-injection attacks much more quickly now, pulling some compromised repositories within 15 minutes, said Ben Read, director of strategic intelligence at Wiz.

The threat group’s operations remain high-tempo. TeamPCP infects new software packages almost daily, validates compromises and captures sensitive data within 24 hours, according to Wiz researchers.

The threat group has consistently evolved its tactics, developing payloads in JavaScript and Python while spreading from local files to Kubernetes application programming interfaces and bundled software development kits. Most recently, it’s been stealing credentials via custom protocols. 

The group’s ambitions have expanded beyond its own attacks. TeamPCP is also responsible for a self-replicating piece of malware known as Mini Shai-Hulud, which infected hundreds of software packages across open-source registries in back-to-back attack sprees last month. A TeamPCP affiliate published the full source code for the malware on GitHub last month and encouraged other cybercriminals to use it for their own campaigns.

“TeamPCP is going for volume. They are not being discriminating, they’re not necessarily trying to be stealthy or trying to maximize ROI. They’re going for an all-of-the-above strategy,” Read said during the SleuthCon presentation.

Defensive gaps create openings for attack

TeamPCP’s attack spree has also underscored how difficult it is for organizations to revoke compromised secrets. Multiple victims have experienced recurring infections, sometimes falling prey to TeamPCP three times within a month, because they didn’t rotate secrets properly, Cohen said. 

At their core, these attacks highlight a direct trade-off: organizations update software quickly to fix vulnerabilities, but doing so too quickly could expose them to illegitimate registries containing malware.

TeamPCP has targeted what Aboukhadijeh describes as a “public good,” open-source registries that were never perfect but widely trusted and rarely turned into a point of entry for supply-chain attacks. 

Rapid open source software installation is one of the most dangerous things an organization can do right now, he said, adding that there’s a roughly 1 in 10 chance that any package installed by an organization could trigger an active attack. 

TeamPCP has compromised security scanners, password managers, automation tools, data visualization software, and CI/CD infrastructure across various environments.

And it’s lifted a trove of credentials and other sensitive data from victims.

Researchers like Cohen at Wiz, who have been tracking this attack spree since the beginning, are nearing a breaking point. 

“This is also too hard on us. We’re very tired. I’m sure a lot of people working on this problem space are very tired, and it’s just kind of become untenable,” Cohen said.

“You can’t keep existing in a world where you wake up every morning and some super prevalent package is compromised and everybody’s just going to be using it like nothing,” he added. “We need to start taking this a bit more seriously.”

The post How software development’s speed obsession enabled TeamPCP’s chaos crusade appeared first on CyberScoop.

Microsoft Build 2026: Securing code, agents, and models across the development lifecycle

2 June 2026 at 13:15

Today, developers and security teams are caught in growing tension. AI is accelerating development and introducing new issues around insecure code, opaque models, data exposure, and compliance. Add the challenges of shadow AI and tool sprawl and the result is a widening gap between innovation and control. As developers move faster, security teams struggle to keep up with visibility, governance, and oversight. The resulting friction across the development lifecycle is forcing a tradeoff between speed and safety that doesn’t need to exist. Security needs to move upstream to become part of how developers actually work: built into their day-to-day tools and connected to the tools security teams use.

At Microsoft Build 2026, we are announcing new security tools and capabilities to give developers clear guidance in real time, scale with the complexity of tasks, and provide security teams with a consistent view across the full lifecycle so innovation can move fast and securely without the business losing control. Learn more about our solutions to help secure your code, secure your agents, and secure your models.

Secure your code

Today’s headlines reflect the tension around the power of AI models and the potential threat they pose when used to find and exploit vulnerabilities. It is forcing a shift as security teams look for solutions to help them safely harness the power of these models. At the same time, developers want to use these same models to efficiently identify real, exploitable risk and remediate it within their flow of work. That’s why we developed the Microsoft Security multi-model agentic scanning harness (codename MDASH) and added native integration between Microsoft Defender and GitHub Code Security (part of the former GitHub Advanced Security suite) to help both security and developer teams identify and close gaps early.

Discover and validate exploitable vulnerabilities with codename MDASH

The new Microsoft Security multi-model agentic scanning harness (codename MDASH) is available in an expanded preview for eligible organizations and now includes integration with Microsoft Defender. This new agentic security system orchestrates a pipeline of more than 100 specialized AI agents using an ensemble of models to discover, validate, and prove exploitability across codebases written in popular programming languages.

This approach is unique in the industry. Our multi-model agentic scanning harness uses a configurable panel of models, ranging from state-of-the-art (SOTA) models as the heavy reasoners, to more cost-effective models for high-volume operations. This allows us to trade speed, recall, and cost, and minimize dependency on any specific model.

The combination of multiple models, hundreds of agents, and over 100 trillion signals a day helps identify real risk over theoretical noise, to help teams focus on what can be exploited. The strategic implication is clear: AI vulnerability discovery has crossed from research curiosity into production-grade defense at enterprise scale, and the durable advantage lies in the agentic system around the model rather than any single model itself. MDASH recently jumped roughly 10% in less than three weeks to a new CyberGym industry benchmark score of 96.55%.

“At Accenture, we’re always looking toward the next frontier in protecting our clients and our enterprise. What Microsoft is building with MDASH reflects a meaningful shift from reactive, rule-based scanning to agentic systems that can reason across complex codebases like a skilled security researcher,” says Kris Burkhardt, Chief Information Security Officer at Accenture. Accenture is one of a select group of Security partners and Microsoft Intelligent Security Association (MISA) members that are engaged in the preview to shape MDASH and accelerate agentic AI vulnerability discovery.

Our partner engagements reflect a shared focus on moving from reactive detection to proactive identification of exploitable risk. “We’re seeing cyber threats evolve rapidly, with AI accelerating both the scale and sophistication of attacks. Microsoft’s investment in MDASH reflects a strong commitment to helping organizations stay ahead of this curve. Based on our early discussions and exposure to the innovation, we see strong potential for MDASH to simplify and strengthen SecOps, helping organizations operate with greater resilience and confidence,” says Morgan Adamski, Principal and Deputy Platform Leader of Cyber, Data, and Tech Risk at PwC US.

Together, we are partnering across the industry to use leading models paired with our platforms and expertise to deliver protection at scale. “We’re excited to work with Microsoft on MDASH because it addresses one of the most pressing challenges our customers face: reducing the time between discovering a vulnerability and taking meaningful action. Microsoft’s role as a trusted security vendor matters here—customers need innovation, but they also need confidence, governance, and a partner they can rely on. Our early experience with MDASH has been encouraging, and we see real opportunity for it to help organizations modernize how they approach vulnerability discovery and remediation,” says Jason Rader, Insight CISO.  

Reach out to your Microsoft account representative for more information on the expanded preview of codename MDASH.

Prioritize and remediate code vulnerabilities with Microsoft Defender and GitHub Code Security

While codename MDASH identifies and validates what’s truly exploitable, the integration between Microsoft Defender and GitHub Code Security (part of the former GitHub Advanced Security suite), now generally available, brings runtime context into development and security workflows so that teams can prioritize and address risks early, minimizing the impact to human resources. Vulnerabilities discovered in code are automatically enriched with real production signals, such as internet exposure and data sensitivity, to inform prioritization. Developers can then remediate issues using AI-assisted fixes that are generated, assigned, and validated through GitHub Copilot Autofix and the GitHub Copilot cloud agent.

To support responsible, coordinated disclosure of findings that represent both real and potential vulnerabilities, role-based access controls ensure that only authorized individuals can view and act on them. Together, the production signal enrichment, AI-assisted remediation, and secure handling of findings within a single workflow help security and developer teams focus on real risk and enable teams to act quickly.

Secure your agents

Agents are quickly becoming a new layer of the application stack. As developers build agents and move them into production, they need the tools to ship fast without sacrificing security, including built-in identity, governance, and safety testing. Security teams have overlapping needs: visibility into what’s running, control over what agents can access, and consistent governance across clouds and endpoints. Microsoft is delivering new solutions to help.

Build secure agents from day one

At Build 2026, Microsoft is introducing new capabilities to help developers build secure, enterprise-ready agents by default. With the general availability of the Agent 365 SDK, developers can integrate controls directly into their development workflows, bringing observability, access controls, and compliance enforcement into how agents are designed and deployed. This enables teams to build custom agents for any AI platform that are compliant and enterprise-ready and that compose well with Agent 365.

Security extends beyond development and into how agents run. On Windows, the Microsoft Execution Container (MXC) SDK provides OS-level control over agent execution, giving developers and IT teams the ability to define containment and policy, applied by the OS through isolation technologies such as process and session isolation. Windows 365 for Agents, now generally available, enables you to run any agent in a fully isolated, policy-governed Cloud PC. Native Windows integration with Agent 365 provides a common foundation for observability, security, and governance, including built-in Intune capabilities to set policies that govern agent runtime execution and control how agents operate.

These new capabilities are now in early preview.

Observe, govern, and secure agents at scale with Agent 365—now including local agents

As agents proliferate across environments, gaining visibility and control over them becomes critical. Agent 365 introduces new capabilities to manage agent sprawl and risk, including an Agent 365 Agent Registry that surfaces unmanaged local agents discovered by Microsoft Defender, Microsoft Entra, and Microsoft Intune—all working together. The registry supports more than 20 types of local agents, including coding agents, AI desktop applications, and both local and remote Model Context Protocol (MCP) servers. From there, Intune policies can be used to block common execution methods for OpenClaw agents.

Security teams also need the ability to defend against emerging threats without slowing developer productivity. Microsoft Defender, Entra, and Intune work together to provide the visibility, runtime protections, and context needed to manage agent risk without slowing developer productivity. Defender enables analysts to investigate agent activity using advanced hunting and provides an exposure graph that helps teams understand how agents are connected across the network. A preview of these capabilities is coming soon.

Protecting data is foundational to securing agents at scale. Microsoft Purview provides controls to prevent data exfiltration, Data Security Posture Management risk discovery, and agentic risk detection for the coding agents Claude Code, GitHub Copilot, OpenAI Codex, and OpenClaw. This enables visibility into how local agents access sensitive data, runtime protections for risky prompts, and insights into unsafe agent behaviors. Microsoft Purview Audit also logs all agent activity for full traceability. A preview of these capabilities is coming soon.

Trust agents with your data

Developers also need direct, real-time insight into data security posture and risk signals associated with the agents they build. Purview data risk signals embedded in the Foundry Control Plane, now generally available, provide guidance to developers on where to enforce protections before sensitive data is exposed. For example, Purview flags in real time when an agent surfaces sensitive financial data during testing and guides developers to mask or restrict access before deployment.

To further reduce risk, Purview introduces runtime data loss prevention (DLP) for agent prompts in Foundry, in preview with Agent 365. This capability detects, blocks, and audits sensitive data before it is processed by the agent, ensuring that sensitive information never reaches AI models.

Secure your models

Before AI reaches production, teams need to verify that the models they depend on are safe. Now developers can inspect model artifacts, whether platform-native or bring-your-own, with Defender AI model scanning, in preview. To help close gaps early, Defender AI model scanning detects and blocks potentially vulnerable or compromised models across registries, workspaces, and CI/CD pipelines to verify model integrity before deployment.

Trust starts with security

There should never be a choice between innovation and safety.

The capabilities announced today span the full development lifecycle: discovering what’s exploitable, governing what’s running, protecting the data AI depends on, and verifying that agents behave as intended before they reach production. Microsoft security is embedded directly into the platforms and workflows developers already use, supporting innovation across Microsoft Foundry, Copilot Studio, GitHub, and open-source frameworks, and bringing discovery and governance to shadow AI.

But real progress in AI depends on more than breakthrough capabilities—it depends on whether organizations can trust the systems they are building and deploying. That is the common thread across the innovations announced at Build 2026 and the principle guiding our approach. Because the future of AI will belong not just to those who move fastest, but to those who can innovate with trust.


The post Microsoft Build 2026: Securing code, agents, and models across the development lifecycle appeared first on Microsoft Security Blog.

Microsoft Build 2026: Securing code, agents, and models across the development lifecycle

2 June 2026 at 13:15

Today, developers and security teams are caught in growing tension. AI is accelerating development and introducing new issues around insecure code, opaque models, data exposure, and compliance. Add the challenges of shadow AI and tool sprawl and the result is a widening gap between innovation and control. As developers move faster, security teams struggle to keep up with visibility, governance, and oversight. The resulting friction across the development lifecycle is forcing a tradeoff between speed and safety that doesn’t need to exist. Security needs to move upstream to become part of how developers actually work: built into their day-to-day tools and connected to the tools security teams use.

At Microsoft Build 2026, we are announcing new security tools and capabilities to give developers clear guidance in real time, scale with the complexity of tasks, and provide security teams with a consistent view across the full lifecycle so innovation can move fast and securely without the business losing control. Learn more about our solutions to help secure your code, secure your agents, and secure your models.

Secure your code

Today’s headlines reflect the tension around the power of AI models and the potential threat they pose when used to find and exploit vulnerabilities. It is forcing a shift as security teams look for solutions to help them safely harness the power of these models. At the same time, developers want to use these same models to efficiently identify real, exploitable risk and remediate it within their flow of work. That’s why we developed the Microsoft Security multi-model agentic scanning harness (codename MDASH) and added native integration between Microsoft Defender and GitHub Code Security (part of the former GitHub Advanced Security suite) to help both security and developer teams identify and close gaps early.

Discover and validate exploitable vulnerabilities with codename MDASH

The new Microsoft Security multi-model agentic scanning harness (codename MDASH) is available in an expanded preview for eligible organizations and now includes integration with Microsoft Defender. This new agentic security system orchestrates a pipeline of more than 100 specialized AI agents using an ensemble of models to discover, validate, and prove exploitability across codebases written in popular programming languages.

This approach is unique in the industry. Our multi-model agentic scanning harness uses a configurable panel of models, ranging from state-of-the-art (SOTA) models as the heavy reasoners, to more cost-effective models for high-volume operations. This allows us to trade speed, recall, and cost, and minimize dependency on any specific model.

The combination of multiple models, hundreds of agents, and over 100 trillion signals a day helps identify real risk over theoretical noise, to help teams focus on what can be exploited. The strategic implication is clear: AI vulnerability discovery has crossed from research curiosity into production-grade defense at enterprise scale, and the durable advantage lies in the agentic system around the model rather than any single model itself. MDASH recently jumped roughly 10% in less than three weeks to a new CyberGym industry benchmark score of 96.55%.

“At Accenture, we’re always looking toward the next frontier in protecting our clients and our enterprise. What Microsoft is building with MDASH reflects a meaningful shift from reactive, rule-based scanning to agentic systems that can reason across complex codebases like a skilled security researcher,” says Kris Burkhardt, Chief Information Security Officer at Accenture. Accenture is one of a select group of Security partners and Microsoft Intelligent Security Association (MISA) members that are engaged in the preview to shape MDASH and accelerate agentic AI vulnerability discovery.

Our partner engagements reflect a shared focus on moving from reactive detection to proactive identification of exploitable risk. “We’re seeing cyber threats evolve rapidly, with AI accelerating both the scale and sophistication of attacks. Microsoft’s investment in MDASH reflects a strong commitment to helping organizations stay ahead of this curve. Based on our early discussions and exposure to the innovation, we see strong potential for MDASH to simplify and strengthen SecOps, helping organizations operate with greater resilience and confidence,” says Morgan Adamski, Principal and Deputy Platform Leader of Cyber, Data, and Tech Risk at PwC US.

Together, we are partnering across the industry to use leading models paired with our platforms and expertise to deliver protection at scale. “We’re excited to work with Microsoft on MDASH because it addresses one of the most pressing challenges our customers face: reducing the time between discovering a vulnerability and taking meaningful action. Microsoft’s role as a trusted security vendor matters here—customers need innovation, but they also need confidence, governance, and a partner they can rely on. Our early experience with MDASH has been encouraging, and we see real opportunity for it to help organizations modernize how they approach vulnerability discovery and remediation,” says Jason Rader, Insight CISO.  

Reach out to your Microsoft account representative for more information on the expanded preview of codename MDASH.

Prioritize and remediate code vulnerabilities with Microsoft Defender and GitHub Code Security

While codename MDASH identifies and validates what’s truly exploitable, the integration between Microsoft Defender and GitHub Code Security (part of the former GitHub Advanced Security suite), now generally available, brings runtime context into development and security workflows so that teams can prioritize and address risks early minimizing the impact to human resources. Vulnerabilities discovered in code are automatically enriched with real production signals, such as internet exposure and data sensitivity to inform prioritization. Developers can then remediate issues using AI-assisted fixes that are generated, assigned, and validated through GitHub Copilot Autofix and the GitHub Copilot cloud agent.

To support responsible, coordinated disclosure of findings that represent both real and potential vulnerabilities, role-based access controls ensure that only authorized individuals can view and act on them. Together, the production signal enrichment, AI-assisted remediation, and secure handling of findings within a single workflow help security and developer teams focus on real risk and enable teams to act quickly.

Secure your agents

Agents are quickly becoming a new layer of the application stack. As developers build agents and move them into production, they need the tools to ship fast without sacrificing security, including built-in identity, governance, and safety testing. Security teams have overlapping needs: visibility into what’s running, control over what agents can access, and consistent governance across clouds and endpoints. Microsoft is delivering new solutions to help.

Build secure agents from day one

At Build 2026, Microsoft is introducing new capabilities to help developers build secure, enterprise-ready agents by default. With the general availability of the Agent 365 SDK, developers can integrate controls directly into their development workflows, bringing observability, access controls, and compliance enforcement into how agents are designed and deployed. This enables teams to build custom agents for any AI platform that are compliant and enterprise-ready and that compose well with Agent 365.

Security extends beyond development and into how agents run. On Windows, the Microsoft Execution Container (MXC) SDK provides OS-level control over agent execution, giving developers and IT teams the ability to define containment and policy, applied by the OS through isolation technologies such as process and session isolation. Windows 365 for Agents, now generally available, enables you to run any agent in a fully isolated, policy-governed Cloud PC. Native Windows integration with Agent 365 provides a common foundation for observability, security, and governance, including built-in Intune capabilities to set policies that govern agent runtime execution and control how agents operate.

These new capabilities are now in early preview.

Observe, govern, and secure agents at scale with Agent 365—now including local agents

As agents proliferate across environments, gaining visibility and control over them becomes critical. Agent 365 introduces new capabilities to manage agent sprawl and risk, including an Agent 365 Agent Registry that surfaces unmanaged local agents discovered by Microsoft Defender, Microsoft Entra, and Microsoft Intune—all working together. The registry supports more than 20 types of local agents, including coding agents, AI desktop applications, and both local and remote Model Context Protocol (MCP) servers. From there, Intune policies can be used to block common execution methods for OpenClaw agents.

Security teams also need the ability to defend against emerging threats without slowing developer productivity. Microsoft Defender, Entra, and Intune work together to provide the visibility, runtime protections, and context needed to manage agent risk. Defender enables analysts to investigate agent activity using advanced hunting and provides an exposure graph that helps teams understand how agents are connected across the network. A preview of these capabilities is coming soon.

Protecting data is foundational to securing agents at scale. Microsoft Purview provides controls to prevent data exfiltration, Data Security Posture Management risk discovery, and agentic risk detection for the coding agents Claude Code, GitHub Copilot, OpenAI Codex, and OpenClaw. This enables visibility into how local agents access sensitive data, runtime protections for risky prompts, and insights into unsafe agent behaviors. Microsoft Purview Audit also logs all agent activity for full traceability. A preview of these capabilities is coming soon.

Trust agents with your data

Developers also need direct, real-time insight into data security posture and risk signals associated with the agents they build. Purview data risk signals, embedded in the Foundry Control Plane and generally available, give developers guidance on where to enforce protections before sensitive data is exposed. For example, Purview flags in real time when an agent surfaces sensitive financial data during testing and guides developers to mask or restrict access before deployment.

To further reduce risk, Purview introduces runtime data loss prevention (DLP) for agent prompts in Foundry, in preview with Agent 365. This capability detects, blocks, and audits sensitive data before it is processed by the agent, ensuring that sensitive information never reaches AI models.

Secure your models

Before AI reaches production, teams need to verify that the models they depend on are safe. Now developers can inspect model artifacts, whether platform-native or bring-your-own, with Defender AI model scanning, in preview. To help close gaps early, Defender AI model scanning detects and blocks potentially vulnerable or compromised models across registries, workspaces, and CI/CD pipelines to verify model integrity before deployment.

Trust starts with security

There should never be a choice between innovation and safety.

The capabilities announced today span the full development lifecycle: discovering what’s exploitable, governing what’s running, protecting the data AI depends on, and verifying that agents behave as intended before they reach production. Microsoft security is embedded directly into the platforms and workflows developers already use, supporting innovation across Microsoft Foundry, Copilot Studio, GitHub, and open-source frameworks, and bringing discovery and governance to shadow AI.

But real progress in AI depends on more than breakthrough capabilities—it depends on whether organizations can trust the systems they are building and deploying. That is the common thread across the innovations announced at Build 2026 and the principle guiding our approach. Because the future of AI will belong not just to those who move fastest, but to those who can innovate with trust.

The post Microsoft Build 2026: Securing code, agents, and models across the development lifecycle appeared first on Microsoft Security Blog.

MS-DEFCON 4: Is Microsoft starting to clean up the mess?

26 May 2026 at 03:45
ISSUE 23.21.1 • 2026-05-25 By Susan Bradley Microsoft is slowly but surely starting to roll out Secure Boot security fixes to more and more machines. I’m therefore lowering the MS-DEFCON level to 4. The May updates include not only the Secure Boot fixes but also a variety of other security-related patches. Start by installing KB5089549 […]

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

22 May 2026 at 12:34

Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

On May 18, KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development platform had created a public GitHub profile called “Private-CISA” that included plaintext credentials to dozens of internal CISA systems. Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.

CISA acknowledged the leak but has not responded to questions about the duration of the data exposure. However, experts who reviewed the now-defunct Private-CISA archive said it was originally created in November 2025, and that it exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

In a written statement, CISA said “there is no indication that any sensitive data was compromised as a result of the incident.” But in a May 19 letter (PDF) to CISA’s Acting Director Nick Andersen, Sen. Maggie Hassan (D-NH) said the credential leak raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches.

“This reporting raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure,” Sen. Hassan wrote.

A May 19 letter from Sen. Margaret Hassan (D-NH) to the acting director of CISA demanded answers to a dozen questions about the breach.

Sen. Hassan noted that the incident occurred against the backdrop of major disruptions internally at CISA, which lost more than a third of its workforce and almost all of its senior leaders after the Trump administration forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.

Rep. Bennie Thompson (D-MS), the ranking member on the House Homeland Security Committee, echoed the senator’s concerns.

“We are concerned that this incident reflects a diminished security culture and/or an inability for CISA to adequately manage its contract support,” Thompson wrote in a May 19 letter to the acting CISA chief that was co-signed by Rep. Delia Ramirez (D-Ill), the ranking member of the panel’s Subcommittee on Cybersecurity and Infrastructure Protection. “It’s no secret that our adversaries — like China, Russia, and Iran — seek to gain access to and persistence on federal networks. The files contained in the ‘Private-CISA’ repository provided the information, access, and roadmap to do just that.”

KrebsOnSecurity has learned that more than a week after CISA was first notified of the data leak by the security firm GitGuardian, the agency is still working to invalidate and replace many of the exposed keys and secrets.

On May 20, KrebsOnSecurity heard from Dylan Ayrey, the creator of TruffleHog, an open-source tool for discovering private keys and other secrets buried in code hosted at GitHub and other public platforms. Ayrey said CISA still hadn’t invalidated an RSA private key exposed in the Private-CISA repo that granted access to a GitHub app which is owned by the CISA enterprise account and installed on the CISA-IT GitHub organization with full access to all code repositories.

“An attacker with this key can read source code from every repository in the CISA-IT organization, including private repos, register rogue self-hosted runners to hijack CI/CD pipelines and access repository secrets, and modify repository admin settings including branch protection rules, webhooks, and deploy keys,” Ayrey told KrebsOnSecurity. CI/CD stands for Continuous Integration and Continuous Delivery, and it refers to a set of practices used to automate the building, testing and deployment of software.

KrebsOnSecurity notified CISA about Ayrey’s findings on May 20. Ayrey said CISA appears to have invalidated the exposed RSA private key sometime after that notification. But he noted that CISA still hasn’t rotated leaked credentials tied to other critical security technologies that are deployed across the agency’s technology portfolio (KrebsOnSecurity is not naming those technologies publicly for the time being).

CISA responded with a brief written statement in response to questions about Ayrey’s findings, saying “CISA is actively responding and coordinating with the appropriate parties and vendors to ensure any identified leaked credentials are rotated and rendered invalid and will continue to take appropriate steps to protect the security of our systems.”

Ayrey said his company Truffle Security monitors GitHub and a number of other code platforms for exposed keys, and attempts to alert affected accounts to the sensitive data exposure(s). They can do this easily on GitHub because the platform publishes a live feed which includes a record of all commits and changes to public code repositories. But he said cybercriminal actors also monitor these public feeds, and are often quick to pounce on API or SSH keys that get inadvertently published in code commits.

The Private CISA GitHub repo exposed dozens of plaintext credentials to important CISA GovCloud resources. The filenames include AWS-Workspace-Bookmarks-April-6-2026.html, AWS-Workspace-Firefox-Passwords.csv, Important AWS Tokens.txt, kube-config.txt, etc.

In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, the most egregious of which appears to have happened in late April 2026, Ayrey said.

“We monitor that firehose of data for keys, and we have tools to try to figure out whose they are,” he said. “We have evidence attackers monitor that firehose as well. Anyone monitoring GitHub events could be sitting on this information.”

James Wilson, the enterprise technology editor for the Risky Business security podcast, said organizations using GitHub to manage code projects can set top-down policies that prevent employees from disabling GitHub’s protections against publishing secret keys and credentials. But Wilson’s co-host Adam Boileau said it’s not clear that any technology could stop employees from opening their own personal GitHub account and using it to store sensitive and proprietary information.

“Ultimately, this is a thing you can’t solve with a technical control,” Boileau said on this week’s podcast. “This is a human problem where you’ve hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine. I don’t know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed or even had visibility on.”

Update, 3:05 p.m. ET: Added statement from CISA. Corrected a date in the story (Truffle Security said it found the repo gained some of its most sensitive secrets in late April 2026, not 2025).

GitHub says internal repositories were impacted in poisoned VS Code extension attack

By: Greg Otto
20 May 2026 at 10:48

GitHub said late Tuesday that internal repositories were exfiltrated after an employee device was compromised through a poisoned Visual Studio Code extension, an incident that underscores the growing risks facing software development platforms and the ecosystems built around third-party developer tools.

The Microsoft-owned company said in posts on X that it detected and contained the compromise, removed the malicious extension version, isolated the affected endpoint and began an incident response investigation. The company’s current assessment is that the activity involved GitHub-internal repositories only.

GitHub also said a claim from TeamPCP, a hacking group behind attacks targeting software development packages, that 3,800 repositories were impacted was “directionally consistent” with its investigation so far. It said critical secrets were rotated Tuesday, with the highest-impact credentials prioritized first. The company said it continued to analyze logs, validate secret rotation and monitor for follow-on activity.

The company has not publicly named the extension involved or attributed the activity to a particular group. TeamPCP reportedly advertised the material for sale on a cybercrime forum and threatened to release it if no buyer emerged. 

Information surfaced Wednesday that the incident may be related to a separate issue with Nx Console, a Visual Studio Code tool that helps engineering teams organize large codebases, coordinate build pipelines and run tests efficiently. According to a security advisory posted on GitHub, one of the Nx Console maintainers was compromised in a prior security incident that leaked their GitHub credentials. An attacker then used those credentials to push a malicious version of the extension to the VS Code Marketplace. Those credentials have since been temporarily revoked.

With millions of installs, Nx Console is a fixture of professional JavaScript development. It is exactly the kind of tool that sits deep inside a developer’s working environment, which would have direct access to source code, credentials and build systems.

NX CEO Jeff Cross posted on X Wednesday that his company has been working with Microsoft to determine the full scope of the incident.

“Initially, Microsoft indicated to us that there were 28 installs of the malicious version 18.95.0. Based on our own analytics for the compromised version, we currently believe the number of users who received the malicious package may be significantly higher; potentially over 6k installs,” the post reads.

“This is my top priority right now,” Cross continued. “Our team has been, and continues to be focused on understanding exactly what happened, helping affected users, hardening our systems and release processes, and being as transparent as possible throughout the investigation.”

The episode also follows a series of supply chain attacks involving npm, PyPI, Docker and other developer ecosystems. In those incidents, attackers have often targeted maintainers, packages or credentials rather than attacking end users directly. The multiple attacks show how fragile development environments have become as threat actors increasingly target them. A single compromised developer account, package, extension or build process can create access to many downstream systems.

GitHub has said it has no evidence that customer data stored outside the affected repositories was affected.

Visual Studio Code extensions are widely used by developers to add functions to Microsoft’s code editor, including support for programming languages, testing tools, cloud services and artificial intelligence assistants. Because these extensions often operate inside development environments, a malicious or compromised extension can be positioned close to source code, credentials and build systems.

“The thing people underestimate about VS Code extensions is that they have full access to everything on the developer’s machine,” Charlie Eriksen, a security researcher at Aikido Security, told CyberScoop. “EDR doesn’t cover this layer at all. What’s missing for most organisations is any kind of visibility into what’s actually running on developer machines and the ability to control it.”

Trojanized extensions have appeared in the VS Code Marketplace before. Security researchers have identified malicious extensions posing as legitimate development tools, including packages used to steal credentials, mine cryptocurrency or exfiltrate data. Some have accumulated large installation counts before removal, reflecting the difficulty of policing open plugin ecosystems at scale.

For GitHub, the breach comes amid broader scrutiny of the security of developer infrastructure. The platform sits at the center of software production for companies, governments, open-source maintainers and independent developers. Its internal systems and code are of obvious interest to attackers because GitHub’s services support code hosting, package distribution, automation and identity workflows across much of the software industry.

GitHub said it would publish a fuller report when the investigation is complete.

Update: May 20, 12:55 p.m.: This story has been updated with information about a related security incident with Nx Console.

The post GitHub says internal repositories were impacted in poisoned VS Code extension attack appeared first on CyberScoop.

CISA credential leak raises alarms, and Capitol Hill demands answers

19 May 2026 at 19:28

Congress wants answers from the Cybersecurity and Infrastructure Security Agency about the reported public exposure of sensitive agency credential data on GitHub in an incident that the security researcher who discovered it called one of the worst leaks he’s ever seen.

Other security professionals also voiced concern Tuesday about the leak and the potential for abuse by any malicious parties who got a hold of the information.

Security firm GitGuardian said it discovered a public GitHub repository last week that exposed credentials for privileged AWS GovCloud accounts and internal CISA systems dating back to November. The repository, apparently maintained by a contractor, was named “Private-CISA.” 

Krebs on Security first reported the incident.

“My main fear … is that a state actor will get the data and might be able to do bad stuff,” GitGuardian security researcher Guillaume Valadon told CyberScoop, describing what he thought upon discovering the leak and concluding it was real; he initially thought it looked fake.

State-based attackers who obtained the credentials “might be able to gain persistence,” Valadon said, “so for me it’s even worse than an attacker destroying everything, having someone in a governmental system — it’s really, really bad.”

A House Homeland Security Committee aide said the panel is seeking a staff-level briefing from CISA on the matter.

Mississippi Rep. Bennie Thompson, the top Democrat on the Homeland Security Committee, and Delia Ramirez, the top Democrat on the panel’s cyber subcommittee, had separately demanded a briefing Tuesday in a letter to CISA’s acting director, Nick Andersen. 

They said they wanted to learn “how this serious security lapse occurred, any potential security consequences, remediation activities, corrective actions related to the contractor personnel involved, and efforts to monitor for and prevent similar activity from occurring in the future.”

Sen. Maggie Hassan, D-N.H., also sent a letter Tuesday to Andersen, seeking a classified briefing to answer questions about which systems were exposed, what forensic work CISA did to evaluate potential damage and what corrective action it has taken.

“This reported incident raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches,” Hassan wrote in the missive first reported by Axios, particularly “regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure.”

Both letters pointed to personnel and budget cutbacks at the agency as a potential contributor to the incident.

CISA said it was looking into what happened.

“The Cybersecurity and Infrastructure Security Agency is aware of the reported exposure and is continuing to investigate the situation,” a spokesperson said. “Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.” 

The repository was reportedly maintained by a contractor at Nightwing. A Nightwing spokesperson referred questions to CISA.

The kind of exposure that happened for CISA “is an unfortunately painful, but common and repeated, if not relentless, way that we see organizations inadvertently leak very sensitive credentials to the wider web,” said Ben Harris, founder of WatchTowr, a company that helps organizations detect such exposures.

Harris told CyberScoop he didn’t want to speculate on what attackers who obtained the credentials might be able to do with them, but he said that it would be “terrifying” if the contractor was transferring information from work to home, as one researcher theorized.

Dave Mitchell, senior director of threat intelligence at Infoblox, told CyberScoop the incident showed the importance of teams having controls and audits in place across their repositories.

“Of all the things that keep me up at night, misconfigurations in GitHub are a recurring nightmare. It’s critical for so many organizations — all it takes is one accidental upload or misconfiguration and you’ve signed yourself up for a major incident,” he said in a written statement. “No need for a threat actor to use advanced techniques to compromise you if the keys are already sitting on the counter.”

Travis Rosiek, public sector chief technology officer at Rubrik, noted that the timing of the issue aligned with the government shutdown that only recently resolved for DHS. He said the incident showed the federal government needs to prioritize resilience.

“A persistent shortage of cybersecurity talent, combined with funding lapses, high workforce turnover, and an increasingly complex threat landscape, created the perfect storm for this scenario,” he said in a written statement to CyberScoop. “No organization is immune, and we must ensure that the federal government, which is responsible for helping protect the nation’s critical infrastructure and enhancing our cybersecurity posture, remains fully operational 24-7, 365 days a year.”

Without minimizing the severity of the incident, some researchers who have looked at the leak said there are mitigating circumstances that make elements of it defensible or, at least, understandable.

CISA acted very swiftly to remove the repository, Valadon said, once he alerted them to the leak.

And even if CISA has the right policies in place, human error still can make it difficult to entirely avoid incidents like this, Harris said.

“The reality is this happens every single day to different organizations, including cybersecurity companies,” he said, noting it would be different if it was a pattern. “This is not exclusive to CISA. I don’t really think it reflects well if we saw this every single day with CISA. … It’s not ideal that it’s even happened once, but the reality is that cybersecurity is people, process, technology.”

CISA has had other security incidents in the past, including recently. The former acting director of the agency endured criticism for uploading sensitive contract data to ChatGPT last year. In 2024 the agency notified Congress of a breach of a chemical plant security tool.

Updated 5/20/26: to include more information on a House Homeland Security Committee briefing request.

The post CISA credential leak raises alarms, and Capitol Hill demands answers appeared first on CyberScoop.

Mini Shai-Hulud returns, compromising hundreds of npm packages

By: Greg Otto
19 May 2026 at 11:28

A self-replicating malware campaign known as Mini Shai-Hulud has resurfaced, this time embedding itself across hundreds of npm packages. The threat actor behind it, identified as TeamPCP, has been linked to earlier waves of the same campaign, with this latest variant more capable than previous waves.

Researchers analyzing the payload found a worm that spreads autonomously, installs persistent backdoors at the operating system level, and is specifically engineered to survive the most common first response: removing the package.

How the attack works

The malware executes the moment an affected software package is installed, whether in a developer’s local environment or inside a CI/CD pipeline. A hook fires before any other step, giving the payload immediate access to the machine.

It harvests GitHub tokens, npm tokens, SSH keys, cloud provider credentials, and database connection strings. In automated build environments, it uses the pipeline’s own trusted identity to obtain publishing credentials, allowing it to push poisoned package versions to the registry under a legitimate maintainer’s name. The stolen data is sent to attacker-controlled GitHub repositories.

After it steals a publishing token, the malware checks every package that token can access, adds its code to those packages, and publishes new poisoned versions using the maintainer’s account. One infected CI runner — the machine or virtual server that automatically builds, tests and publishes code for a project — can therefore taint every package that runner is allowed to publish. It also searches a developer’s computer for other Node.js projects and copies itself into them, so a single infected install can compromise an entire workstation.

“If any of the affected packages ran in your environment, treat the machine or runner as exposed until secrets are rotated, persistence artifacts are removed, and recent publish activity has been reviewed,” Aikido Security researchers wrote in a blog post. 

Removing the package is not enough

Researchers found that a standard dependency rollback leaves the attacker’s access intact. The malware embeds backdoors in developer tool settings — notably .vscode/tasks.json and .claude/settings.json — which remain on disk even after the npm package is removed. Those files must be audited and cleaned to eliminate the attacker’s foothold.

The payload also installs OS-level background services: a systemd user service on Linux, a LaunchAgent on macOS. Both run a backdoor called kitty-monitor, which polls GitHub’s commit search every hour for signed remote commands. A second process, gh-token-monitor, checks stolen GitHub tokens every 60 seconds — alerting the attacker the moment one is revoked. An attacker can maintain access and monitor the victim’s response in near real time, long after the original infection has been discovered.
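A defender's triage check for the persistence described above, added here as an example; it is not code from the article or from the researchers it quotes. It assumes (the article does not say so) that a planted task uses VS Code's `runOptions.runOn: folderOpen` and that a planted Claude Code entry sits under `hooks`, and it looks for the two named processes in the standard per-user systemd and LaunchAgents directories; the sample files are constructed.

```python
import json
import os
import tempfile
from pathlib import Path

# Process names the article gives for the two background services.
BACKDOOR_NAMES = ("kitty-monitor", "gh-token-monitor")
# Settings files the article says stay on disk after the package is removed.
SETTINGS_FILES = (Path(".vscode") / "tasks.json", Path(".claude") / "settings.json")
# Standard per-user locations for systemd user units and macOS LaunchAgents.
SERVICE_DIRS = (Path(".config") / "systemd" / "user", Path("Library") / "LaunchAgents")


def _commands(node):
    """Yield every string stored under a "command" key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from _commands(value)
    elif isinstance(node, list):
        for item in node:
            yield from _commands(item)


def audit_settings_file(path):
    """Return (path, reason) findings for one tasks.json or settings.json."""
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = [(str(path), f"mentions {n}") for n in BACKDOOR_NAMES if n in text]
    try:
        data = json.loads(text)
    except ValueError:
        # tasks.json may contain comments (JSONC); never skip it silently.
        return findings + [(str(path), "not strict JSON, review by hand")]
    if not isinstance(data, dict):
        return findings
    if path.name == "tasks.json":
        tasks = data.get("tasks")
        for task in tasks if isinstance(tasks, list) else []:
            opts = task.get("runOptions") if isinstance(task, dict) else None
            # Assumption: a task that starts on folder open is worth a look.
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                what = task.get("command", task.get("label"))
                findings.append((str(path), f"auto-run task: {what}"))
    else:
        # Assumption: any command wired into Claude Code hooks is worth a look.
        for cmd in _commands(data.get("hooks")):
            findings.append((str(path), f"hook command: {cmd}"))
    return findings


def audit_tree(root):
    """Walk a workspace root and audit every settings file found under it."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for rel in SETTINGS_FILES:
            candidate = Path(dirpath) / rel
            if candidate.is_file():
                findings.extend(audit_settings_file(candidate))
    return findings


def audit_services(home):
    """Flag per-user service files whose name or body names a known backdoor."""
    findings = []
    for rel in SERVICE_DIRS:
        folder = Path(home) / rel
        if not folder.is_dir():
            continue
        for unit in sorted(p for p in folder.iterdir() if p.is_file()):
            body = unit.read_text(encoding="utf-8", errors="replace")
            for name in BACKDOOR_NAMES:
                if name in unit.name or name in body:
                    findings.append((str(unit), f"service references {name}"))
    return findings


def build_constructed_sample(base):
    """Write a constructed project and home directory (not real malware)."""
    proj, home = Path(base) / "proj", Path(base) / "home"
    (proj / ".vscode").mkdir(parents=True)
    (proj / ".claude").mkdir()
    (proj / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "sync", "type": "shell", "command": "node .cache/sync.js",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (proj / ".claude" / "settings.json").write_text(json.dumps({"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "node .cache/sync.js"}]}]}}))
    units = home / ".config" / "systemd" / "user"
    units.mkdir(parents=True)
    (units / "kitty-monitor.service").write_text("[Service]\nExecStart=/bin/true\n")
    (units / "backup.timer").write_text("[Timer]\nOnCalendar=daily\n")
    return proj, home


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        project, home_dir = build_constructed_sample(tmp)
        for where, why in audit_tree(project) + audit_services(home_dir):
            print(f"{where}: {why}")
```

On a real machine, call `audit_tree()` on each workspace root and `audit_services(Path.home())`; every finding is a prompt for manual review, not a verdict.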

Multiple security companies have pointed out which popular dependencies are being targeted. In this wave, it’s been popular data visualization software, including Alibaba’s open-source AntV and TallyUI. The campaign also touched widely used utilities such as echarts-for-react (a React wrapper for ECharts) and timeago.js (a small JavaScript library that allows developers to format timestamps).

“Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions,” wrote researchers from Socket, an application security company.

The campaign remains active. Because the worm propagates using tokens stolen from infected environments, the number of affected packages is expected to grow. Researchers have warned that any machine or pipeline that installed an affected version should be treated as fully compromised.

Last week, TeamPCP targeted other prominent software libraries with the malware, including TanStack, UiPath, and MistralAI.

The post Mini Shai-Hulud returns, compromising hundreds of npm packages appeared first on CyberScoop.

AI might cut false positives, but it won’t stop the slop 

By: djohnson
18 May 2026 at 16:45

As defenders get their hands on newer AI models with more powerful cybersecurity capabilities like Anthropic’s Mythos and OpenAI’s Daybreak, organizations are being told to prepare for a flood of new vulnerability reports.

But for bug bounty programs across the nation, that day may already be here, as yesterday’s frontier models and today’s open-source AI tools have dramatically increased the volume of bug reports flowing into companies around their own products or on larger bounty platforms online.

GitHub, one of the world’s largest online code repositories, said it is tightening its definition of a “complete” bug report after a significant increase in AI-assisted submissions over the past year.

Although the influx has had some benefits, many reports are submitted without proof of concept, are reliant on unrealistic attack scenarios or cover issues already listed as ineligible. As a result, the company is having difficulty separating signal from noise.

“This isn’t unique to GitHub,” wrote Jarom Brown, senior product security engineer at GitHub. “Programs across the industry are grappling with the same challenge, and some have shut down entirely.”

Brown said GitHub does not want to ban the use of AI-generated reports entirely, calling it a “force multiplier” for security in the right context. But in a world where it’s never been easier to use AI to generate theoretical bugs, the company wants researchers to go the extra mile to confirm that their discoveries can actually be exploited in real-world conditions.

“What we need is the same standard we’ve always expected: validation,” Brown wrote. “An AI-assisted finding that’s been verified, reproduced, and submitted with a working proof of concept is a great submission. An unvalidated output submitted as-is without reproduction or demonstrated impact is not.”

Grant Bourzikas, chief security officer at Cloudflare, said triaging bugs and proving they can be exploited has always been one of the hardest parts of vulnerability research, and AI vulnerability scanners and code have “made it worse.”

For instance, code written in the C and C++ programming languages is vulnerable to a range of exploits – like buffer overflows and out-of-bounds reading and writing – that don’t exist in memory-safe languages like Rust. AI tools scanning software written in memory-unsafe programming languages are far more likely to generate false positives.

But one of the biggest flaws continues to be that AI tools are also designed to give the user what they’re asking for, even when it’s not there. This leads to the generation of bug reports filled with speculation and qualifiers around exploitability that require human follow up.

“That’s a reasonable bias for an exploratory tool,” Bourzikas wrote. “It’s a ruinous one for a triage queue, where every speculative finding spends human attention and tokens to dismiss, and that cost compounds across thousands of findings.”

Cloudflare recently shared results from testing Mythos on 50 of its own code repositories, looking for exploits. Bourzikas called Mythos “a different kind of tool doing a different kind of work” from other frontier models, and said it made significant progress in reducing false positives.

For example, he pointed to two Mythos capabilities that stood out compared to other models: chaining exploits together and generating its own proof-of-concept code to confirm exploitability.

Older models could spot many of the same bugs, but they often couldn’t figure out how to exploit them effectively, or show that the issue could be exploited in real world conditions.

Others have argued that the gap in bug hunting capabilities between newer frontier AI models and older ones, or open source models available today, is not as large as advertised.

Swedish software developer Daniel Stenberg, lead developer for curl, an open source file transfer tool used around the world, recently wrote about his experience with Mythos Preview. Like others, he has also seen a higher volume of AI-fueled bug reports over the past year, but said the flood of low-quality reports has tapered off significantly since March as models have improved.

Curl is mature and polished by the standards of most software: Stenberg estimates each line of code has been rewritten or altered at least four times, and he said he has used both human and AI tools in the past to implement hundreds of bug fixes over Curl’s existence.

That makes it a unique testing ground for the enhanced capabilities of Mythos, which was reportedly so powerful at finding vulnerabilities that Anthropic opted not to release it to the general public.

After gaining access to Mythos, Stenberg received the results of a scan of 178,000 lines of curl code. Ultimately, the scan flagged five “confirmed” vulnerabilities. Further exploration by human researchers found that 4 of the bugs were false positives or had no security impact. The one remaining bug Mythos found? A low-severity flaw that will be fixed in a regular June update.

Even as he praised the impact of AI on cybersecurity generally, Stenberg concluded that for all the hype, Mythos is only “a bit better” than previously released models.

“My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing,” he wrote. “I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.”

The post AI might cut false positives, but it won’t stop the slop appeared first on CyberScoop.

CISA Admin Leaked AWS GovCloud Keys on Github

18 May 2026 at 16:48

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

A redacted screenshot of the now-defunct “Private CISA” repository maintained by a CISA contractor.

The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.

Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those systems included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment.

Philippe Caturegli, founder of the security consultancy Seralys, said he tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

“The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments,” Caturegli observed. “The available Git metadata alone does not prove which endpoint or device was used.”

The Private CISA GitHub repo exposed dozens of plaintext credentials for important CISA GovCloud resources.

Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.

“That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

In response to questions, a spokesperson for CISA said the agency is aware of the reported exposure and is continuing to investigate the situation.

“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

A review of the GitHub account and its exposed passwords shows the “Private CISA” repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, directing inquiries to CISA.

CISA has not responded to questions about the potential duration of the data exposure, but Caturegli said the Private CISA repository was created on November 13, 2025. The contractor’s GitHub account was created back in September 2018.

The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.

CISA is currently operating with only a fraction of its normal budget and staffing levels. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, which forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.

The now-defunct Private CISA repo showed the contractor also used easily-guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform’s name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, noting that threat actors often use key credentials exposed on the internal network to expand their reach after establishing initial access to a targeted system.

“What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli said. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”
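The password pattern described above (each platform's name followed by the current year) can be audited for in a credential inventory. The following is an added example, not part of the original article or of any tool it mentions; the CSV layout, hostnames, credentials and the list of ignored host labels are all constructed assumptions.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample in a url,username,password layout; every host and
# credential below is invented for this example.
SAMPLE_CSV = """url,username,password
https://jenkins.build.example.internal,svc-build,Jenkins2026!
https://artifactory.example.internal,admin,artifactory_2025
https://grafana.example.internal,ops,x9$Lq!vT7pWz3rK
https://gitlab.example.internal,deploy,G1tlab2026
https://vault.example.internal,root,Vault-1999
"""

# <name><optional separators><4-digit year><optional trailing symbols>
PATTERN = re.compile(r"^(?P<name>.+?)[\W_]*(?P<year>(?:19|20)\d{2})[\W_]*$")
# Common character substitutions, undone before names are compared.
LEET = str.maketrans("013457@$", "oieastas")
# Host labels that say nothing about the platform (assumed list; extend it).
GENERIC_LABELS = frozenset(
    {"www", "com", "net", "org", "gov", "internal", "local", "example"}
)


def _squash(text):
    """Keep only lowercase letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text)


def host_labels(url, ignore=GENERIC_LABELS):
    """Return the hostname labels that could name the platform."""
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    return {
        label
        for label in re.split(r"[.\-]", host.lower())
        if label and label not in ignore
    }


def audit_credentials(csv_text, audit_year, lookback=1):
    """Flag rows whose password is a host label plus a recent year.

    The password itself is never copied into the findings.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = PATTERN.match(row.get("password") or "")
        if not match:
            continue
        year = int(match.group("year"))
        if not audit_year - lookback <= year <= audit_year:
            continue
        name = match.group("name").lower()
        candidates = {_squash(name), _squash(name.translate(LEET))}
        hit = candidates & host_labels(row.get("url") or "")
        if hit:
            findings.append({
                "url": row["url"],
                "username": row["username"],
                "platform": sorted(hit)[0],
                "year": year,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CSV, audit_year=2026):
        print(finding)
```

Accounts it reports need a new, randomly generated secret; the `lookback` window catches passwords that were set with last year's date and never changed.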

Who is the Kimwolf Botmaster “Dort”?

28 February 2026 at 07:01

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.

A public “dox” created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases “CPacket” and “M1ce.” A search on the username CPacket at the open source intelligence platform OSINT Industries finds a GitHub account under the names Dort and CPacket that was created in 2017 using the email address jay.miner232@gmail.com.

Image: osint.industries.

The cyber intelligence firm Intel 471 says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including Nulled (username “Uubuntuu”) and Cracked (user “Dorted”); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$. Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.

The cyber intelligence firm Flashpoint indexed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle “Qoft.”

“I legit just work with Jacob,” Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort. In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by developing a program that mass-created Game Pass identities using stolen payment card data.

Who is the Jacob that Qoft referred to as their business partner? The breach tracking service Constella Intelligence finds the password used by jay.miner232@gmail.com was reused by just one other email address: jacobbutler803@gmail.com. Recall that the 2020 dox of Dort said their date of birth was August 2003 (8/03).

Searching this email address at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.

Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as the account name “M1CE” on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses j.a.y.m.iner232@gmail.com and jbutl3@ocdsb.ca, the latter being an address at a domain for the Ottawa-Carleton District School Board.

Data indexed by the breach tracking service Spycloud suggests that at one point Jacob Butler shared a computer with his mother and a sibling, which might explain why their email accounts were connected to the password “jacobsplugs.” Neither Jacob nor any of the other Butler household members responded to requests for comment.

The open source intelligence service Epieos finds jacobbutler803@gmail.com created the GitHub account “MemeClient.” Meanwhile, Flashpoint indexed a deleted anonymous Pastebin.com post from 2017 declaring that MemeClient was the creation of a user named CPacket — one of Dort’s early monikers.

Why is Dort so mad? On January 2, KrebsOnSecurity published The Kimwolf Botnet is Stalking Your Local Network, which explored research into the botnet by Benjamin Brundage, founder of the proxy tracking service Synthient. Brundage figured out that the Kimwolf botmasters were exploiting a little-known weakness in residential proxy services to infect poorly-defended devices — like TV boxes and digital photo frames — plugged into the internal, private networks of proxy endpoints.

By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf’s ability to spread, and within hours of the story’s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.

Dort and friends incriminating themselves by planning swatting attacks in a public Discord server.

Last week, Dort and friends used that same Discord server (then named “Krebs’s Koinbase Kallers”) to threaten a swatting attack against Brundage, again posting his home address and personal information. Brundage told KrebsOnSecurity that local police officers subsequently visited his home in response to a swatting hoax which occurred around the same time that another member of the server posted a door emoji and taunted Brundage further.

Dort, using the alias “Meow,” taunts Synthient founder Ben Brundage with a picture of a door.

Someone on the server then linked to a cringeworthy (and NSFW) new Soundcloud diss track recorded by the user DortDev that included a stickied message from Dort saying, “Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch.”

“It’s a pretty hefty penny for a new front door,” the diss track intoned. “If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?”

With any luck, Dort will soon be able to tell us all exactly what it’s like.

Update, 10:29 a.m.: Jacob Butler responded to requests for comment, speaking with KrebsOnSecurity briefly via telephone. Butler said he didn’t notice earlier requests for comment because he hasn’t really been online since 2021, after his home was swatted multiple times. He acknowledged making and distributing a Minecraft cheat long ago, but said he hasn’t played the game in years and was not involved in Dortsolver or any other activity attributed to the Dort nickname after 2021.

“It was a really old cheat and I don’t remember the name of it,” Butler said of his Minecraft modification. “I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest.”

When asked what he does for a living, Butler said he mostly stays home and helps his mom around the house because he struggles with autism and social interaction. He maintains that someone must have compromised one or more of his old accounts and is impersonating him online as Dort.

“Someone is actually probably impersonating me, and now I’m really worried,” Butler said. “This is making me relive everything.”

But there are issues with Butler’s timeline. For example, Jacob’s voice in our phone conversation was remarkably similar to the Jacob/Dort whose voice can be heard in this Sept. 2022 Clash of Code competition between Dort and another coder (Dort lost). At around 6 minutes and 10 seconds into the recording, Dort launches into a cursing tirade that mirrors the stream of profanity in the diss rap that Dortdev posted threatening Brundage. Dort can be heard again at around 16 minutes; at around 26:00, Dort threatens to swat his opponent.

Butler said the voice of Dort is not his, exactly, but rather that of an impersonator who had likely cloned his voice.

“I would like to clarify that was absolutely not me,” Butler said. “There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff.”

Further reading:

Jan. 8, 2026: Who Benefited from the Aisuru and Kimwolf Botnets?

Jan. 20, 2026: Kimwolf Botnet Lurking in Corporate, Govt. Networks

Jan. 26, 2026: Who Operates the Badbox 2.0 Botnet?

Feb. 11, 2026: Kimwolf Botnet Swamps Anonymity Network I2P

Mar. 19, 2026: Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

Self-Replicating Worm Hits 180+ Software Packages

16 September 2025 at 10:08

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.

Image: https://en.wikipedia.org/wiki/Sandworm_(Dune)

The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms in Frank Herbert’s Dune novel series — because it publishes any stolen credentials in a new public GitHub repository that includes the name “Shai-Hulud.”

“When a developer installs a compromised package, the malware will look for a npm token in the environment,” said Charlie Eriksen, a researcher for the Belgian security firm Aikido. “If it finds it, it will modify the 20 most popular packages that the npm token has access to, copying itself into the package, and publishing a new version.”

At the center of this developing maelstrom are code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and provides the latest updates to widely-used JavaScript components.

The Shai-Hulud worm emerged just days after unknown attackers launched a broad phishing campaign that spoofed NPM and asked developers to “update” their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments.

Image: aikido.dev

In late August, another compromise of an NPM developer resulted in malware being added to “nx,” an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.

Last month’s attack on nx did not self-propagate like a worm, but this Shai-Hulud malware does and bundles reconnaissance tools to assist in its spread. Namely, it uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It then attempts to create new GitHub actions and publish any stolen secrets.

“Once the first person got compromised, there was no stopping it,” Aikido’s Eriksen told KrebsOnSecurity. He said the first NPM package compromised by this worm appears to have been altered on Sept. 14, around 17:58 UTC.

The security-focused code development platform socket.dev reports the Shai-Hulud attack briefly compromised at least 25 NPM code packages managed by CrowdStrike. Socket.dev said the affected packages were quickly removed by the NPM registry.

In a written statement shared with KrebsOnSecurity, CrowdStrike said that after detecting several malicious packages in the public NPM registry, the company swiftly removed them and rotated its keys in public registries.

“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected,” the statement reads, referring to the company’s widely-used endpoint threat detection service. “We are working with NPM and conducting a thorough investigation.”

A writeup on the attack from StepSecurity found that for cloud-specific operations, the malware enumerates AWS, Azure and Google Cloud Platform secrets. It also found the entire attack design assumes the victim is working in a Linux or macOS environment, and that it deliberately skips Windows systems.

StepSecurity said Shai-Hulud spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account.

“This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,” StepSecurity’s Ashish Kurmi wrote.

Eriksen said Shai-Hulud is still propagating, although its spread seems to have waned in recent hours.

“I still see package versions popping up once in a while, but no new packages have been compromised in the last ~6 hours,” Eriksen said. “But that could change now as the east coast starts working. I would think of this attack as a ‘living’ thing almost, like a virus. Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there’s a super-spreader attack.”

For now, it appears that the web address the attackers were using to exfiltrate collected data was disabled due to rate limits, Eriksen said.

Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm “a supply chain attack that conducts a supply chain attack.” Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

“Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,” Weaver said. “Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”
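Because the worm publishes stolen credentials in a new GitHub repository whose name includes “Shai-Hulud,” a responder can sweep the repositories of accounts they control for that marker. The following is an added example, not part of the original article: the repository records are constructed in the shape of GitHub REST API repository objects, the account names are invented, and the separator-insensitive match and the start-of-day cutoff (a margin around the Sept. 14, 17:58 UTC time given above) are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed records using the name/private/created_at/owner.login fields
# of GitHub REST API repository objects; all accounts are invented.
SAMPLE_REPOS = json.loads("""
[
  {"name": "website", "private": false,
   "created_at": "2025-09-15T07:00:00Z", "owner": {"login": "alice-dev"}},
  {"name": "shai_hulud", "private": true,
   "created_at": "2025-09-16T02:30:10Z", "owner": {"login": "bob-ci"}},
  {"name": "Shai-Hulud", "private": false,
   "created_at": "2025-09-15T08:12:44Z", "owner": {"login": "alice-dev"}},
  {"name": "dune-shai-hulud-notes", "private": false,
   "created_at": "2021-03-02T11:45:00Z", "owner": {"login": "carol-docs"}}
]
""")

# Marker from the article, compared after separators are removed so that
# "Shai-Hulud", "shai_hulud" and "ShaiHulud" all match (assumption).
MARKER = "shaihulud"
# Start of the day on which the first compromised package was altered.
NOT_BEFORE = datetime(2025, 9, 14, tzinfo=timezone.utc)


def _created(repo):
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 onward.
    return datetime.fromisoformat(repo["created_at"].replace("Z", "+00:00"))


def find_leak_repos(repos, not_before=NOT_BEFORE):
    """Return marker-named repositories created inside the outbreak window.

    Public repositories sort first: their contents are exposed right now.
    """
    hits = []
    for repo in repos:
        squashed = re.sub(r"[^a-z0-9]", "", repo["name"].lower())
        if MARKER not in squashed:
            continue
        created = _created(repo)
        if created < not_before:
            continue  # predates the outbreak; a name collision, not a leak
        hits.append({
            "owner": repo["owner"]["login"],
            "name": repo["name"],
            "public": not repo["private"],
            "created": created,
        })
    hits.sort(key=lambda hit: (not hit["public"], hit["created"]))
    return hits


def accounts_to_rotate(hits):
    """Accounts whose tokens and keys should be treated as stolen."""
    return sorted({hit["owner"] for hit in hits})


if __name__ == "__main__":
    leaks = find_leak_repos(SAMPLE_REPOS)
    for leak in leaks:
        print(leak["owner"], leak["name"], "public" if leak["public"] else "private")
    print("rotate credentials for:", accounts_to_rotate(leaks))
```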
