S1ngularity second attack wave using compromised GitHub tokens
Campaign
Summary
A second s1ngularity attack wave used compromised GitHub tokens to make private repositories public, widening exposure across 190+ users/organisations and 3,000+ repositories. The wave adds a new operational phase to the earlier package compromise by turning stolen repository access into broader public exposure. Because affected repositories were also copied, it increased the chance that leaked data and secrets would be preserved and reused.
Related Happenings
Prt-scan GitHub Actions secret-theft campaign
Campaign
First: 22.04.2026 20:33
Last: 22.04.2026 20:33
Sources 1
About this happening:
The **prt-scan** campaign has been systematically abusing **pull_request_target** GitHub Actions workflows to steal developer secrets and, when possible, publish **malicious packa...
TeamPCP supply-chain credential-exploitation campaign
Campaign
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...
Latest development: 12.05.2026 01:03
TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.
Npm package ecosystem CanisterWorm exploitation wave
Exploitation Wave
First: 23.03.2026 10:31
Last: 23.03.2026 10:31
Sources 1
About this happening:
Attackers expanded the **Trivy** compromise into a **self-propagating CanisterWorm** wave that hit **dozens of npm packages**, creating broad downstream supply-chain risk. The abu...
GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
First: 17.03.2026 23:42
Last: 17.03.2026 23:42
Sources 1
About this happening:
**GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...
Latest development: 28.04.2026 00:41
GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.
SANDWORM_MODE supply-chain worm targeting AI assistant configs
Malware Activity
First: 23.02.2026 18:00
Last: 23.02.2026 18:00
Sources 1
About this happening:
The **SANDWORM_MODE** worm is spreading through **malicious npm packages**, stealing **developer and CI credentials** and injecting rogue **MCP servers** into AI assistant configu...
Timeline
- 28.08.2025 13:36 · 2 articles
Compromised GitHub tokens expose private repositories in the second s1ngularity wave
Campaign Scope Update
Wiz identified a second s1ngularity attack wave in which an attacker used compromised GitHub tokens to turn private repositories public, rename them to the pattern s1ngularity-repository-#5letters#, and create forks to preserve the data. Wiz said the wave impacted over 190 users/organisations and more than 3000 repositories.
- Malicious Nx Packages in ‘s1ngularity’ Attack Leaked 2,349 GitHub, Cloud, and AI Credentials — thehackernews.com — 28.08.2025 13:36
- Malicious Nx Packages in ‘s1ngularity’ Attack Leaked 2,349 GitHub, Cloud, and AI Credentials — thehackernews.com — 28.08.2025 13:36
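
A defender's check for the rename pattern described in the timeline entry above, as an added example that is not from Wiz or the cited articles: it triages a repository inventory for names matching s1ngularity-repository-#5letters# and ranks them by exposure. The field names follow the GitHub REST repository object (`full_name`, `name`, `private`, `forks_count`); the inventory is constructed sample data, and reading "#5letters#" as exactly five ASCII letters is an assumption.

```python
import re

# Assumption: "#5letters#" on the page means exactly five ASCII letters.
RENAME_PATTERN = re.compile(r"s1ngularity-repository-[a-z]{5}", re.IGNORECASE)

# Constructed sample inventory (not real repositories).
SAMPLE_INVENTORY = [
    {"full_name": "example-org/billing-api", "name": "billing-api",
     "private": True, "forks_count": 0},
    {"full_name": "example-org/s1ngularity-repository-mxlpa",
     "name": "s1ngularity-repository-mxlpa", "private": True, "forks_count": 0},
    {"full_name": "example-org/s1ngularity-repository-hbtud",
     "name": "s1ngularity-repository-hbtud", "private": False, "forks_count": 0},
    # Near miss: six letters after the prefix, so it is not the pattern.
    {"full_name": "example-org/s1ngularity-repository-backup",
     "name": "s1ngularity-repository-backup", "private": False, "forks_count": 1},
    {"full_name": "example-org/s1ngularity-repository-qzkfw",
     "name": "s1ngularity-repository-qzkfw", "private": False, "forks_count": 2},
]

# Most urgent first: public with forks means copies may already exist.
SEVERITY = {"exposed-and-forked": 0, "exposed": 1, "renamed-only": 2}


def triage(inventory):
    """Return (full_name, finding) pairs for repos matching the rename pattern."""
    findings = []
    for repo in inventory:
        if not RENAME_PATTERN.fullmatch(repo.get("name", "")):
            continue
        if repo.get("private") is True:
            # Renamed but not public (or already made private again):
            # still evidence that a token with repo access was abused.
            finding = "renamed-only"
        elif repo.get("forks_count", 0) > 0:
            finding = "exposed-and-forked"
        else:
            # A missing "private" field is treated as public on purpose,
            # so incomplete data errs toward raising a finding.
            finding = "exposed"
        findings.append((repo["full_name"], finding))
    return sorted(findings, key=lambda item: SEVERITY[item[1]])


if __name__ == "__main__":
    for full_name, finding in triage(SAMPLE_INVENTORY):
        print(f"{finding:20} {full_name}")
```

Any match, including `renamed-only`, points to a token that should be revoked and rotated, since the rename itself required write access to the repository.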