Supply-chain: dev-tool compromises
Key Questions
What supply-chain attacks targeted GitHub recently?
TeamPCP compromised GitHub, stealing over 3,800 internal repositories via a poisoned VS Code extension. The breach was confirmed by the company.
Which npm packages were affected by Shai-Hulud?
Shai-Hulud compromised around 600 npm packages as part of a self-propagating supply-chain worm. It targeted CI/CD pipelines across multiple ecosystems.
What is the Megalodon supply-chain compromise?
Megalodon impacted over 3,500 repositories through poisoned developer tools. It is part of a broader wave of dev-tool attacks.
Which new tools had trojanized installers?
Bitwarden CLI and DAEMON Tools had their installers trojanized in recent campaigns. These incidents expand the reach of supply-chain threats.
How was the TanStack npm attack linked to other breaches?
Grafana Labs connected its GitHub environment breach to the TanStack npm supply-chain attack. The compromise originated from the malicious package.
What RCE vulnerability was found in Turborepo?
CVE-2026-45772 allows remote code execution in Turborepo. It underscores risks in popular development tooling.
How did the GitHub VS Code extension breach occur?
An employee installed a malicious VS Code extension that granted attackers access to internal repositories. Roughly 3,800 repos were exposed.
Are other ecosystems like RubyGems affected?
Mini Shai-Hulud variants abused pipelines across npm, PyPI, and RubyGems. The worm-style attacks spread through compromised packages.
TeamPCP hits GitHub (3800+ repos), Shai-Hulud (600 npm), Megalodon (3500+). New: Bitwarden CLI and DAEMON Tools trojanized installers.