A single compromised account pushed malicious code to 42 repos across Microsoft and Azure GitHub orgs in under an hour. If you trust code because of who published it, that trust is now a liability.
7 waves. 170+ packages. VS Code extensions. Jenkins plugins. A self-propagating worm. And they breached GitHub itself. Here's the full timeline of the most prolific supply chain campaign of 2026.
29 packages under the @redhat-cloud-services namespace were compromised with a self-propagating credential stealer. 80,000 weekly downloads. If Red Hat's packages aren't safe, neither are yours.
The biggest supply chain attack in npm history just happened. 160+ packages compromised. If you had auto-updates on, you swallowed the poison automatically. Here's what to do instead.
Mass automated validation of stolen GitHub PATs from bulletproof hosting. They're testing which tokens are live, what scopes they have, and triaging the valuable ones. Revoke your old tokens today.
A poisoned VS Code extension breached GitHub's internal repos. 3,800 repositories. 18 minutes. If you install extensions without thinking, you need to read this.
An attacker registered a co-maintainer's expired email domain, reset the npm password, and published a credential stealer that exfiltrates over DNS. No hack required. Just a $12 domain registration.
The Checkmarx Jenkins plugin, installed to find vulnerabilities in your code, was itself compromised with an infostealer. CVE-2026-33634. CVSS 9.4. Every secret in your CI/CD pipeline was exfiltrated.