7 waves. 170+ packages. VS Code extensions. Jenkins plugins. A self-propagating worm. And they breached GitHub itself. Here's the full timeline of the most prolific supply chain campaign of 2026.
The biggest supply chain attack in npm history just happened. 160+ packages compromised. If you had auto-updates on, you swallowed the poison automatically. Here's what to do instead.
Mass automated validation of stolen GitHub PATs from bulletproof hosting. They're testing which tokens are live, what scopes they have, and triaging the valuable ones. Revoke your old tokens today.
A poisoned VS Code extension breached GitHub's internal repos. 3,800 repositories. 18 minutes. If you install extensions without thinking, you need to read this.
An attacker registered a co-maintainer's expired email domain, reset the npm password, and published a credential stealer that exfiltrates over DNS. No hack required. Just a $12 domain registration.
The Checkmarx Jenkins plugin, installed to find vulnerabilities in your code, was itself compromised with an infostealer. CVE-2026-33634. CVSS 9.4. Every secret in your CI/CD pipeline was exfiltrated.