Stolen developer credentials published in public GitHub repositories
Data Leak
Summary
Hide ▲
Show ▼
Nx "s1ngularity" data leak expanded across three phases after the August 26, 2025 supply chain compromise, with stolen GitHub tokens used to make private repositories public and publish copied secrets. Wiz said the incident exposed 2,180 accounts and 7,200 repositories, and that many leaked secrets may still be valid. The leak also spread through public repository names tied to s1ngularity-repository variants, increasing the risk of follow-on account abuse.
Related Happenings
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
CampaignAbout this happening: The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
TanStack hit by network compromise
Incident
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
**TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
TanStack hit by network compromise
IncidentAbout this happening: **TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
Latest development: 21.05.2026 11:00
On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
CampaignAbout this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
Timeline
-
16.09.2025 17:08 3 articles · 8mo ago
Stolen developer credentials published in public GitHub repositories
Initial DisclosureThe exposure began when compromised package code created a new public repository in the victim’s **GitHub** account and copied stolen secrets into it. That made the leaked data immediately visible and downloadable.
Show sources
- Self-Replicating Worm Hits 180+ Software Packages — krebsonsecurity.com — 16.09.2025 17:08
- Self-Replicating Worm Hits 180+ Software Packages — krebsonsecurity.com — 16.09.2025 17:08
- Malicious Nx Packages in ‘s1ngularity’ Attack Leaked 2,349 GitHub, Cloud, and AI Credentials — thehackernews.com — 28.08.2025 13:36
-
06.09.2025 17:11 1 articles · 8mo ago
Nx s1ngularity attackers publish 500 private repositories from victim organization
Victim Impact UpdateOn August 31, 2025, the s1ngularity campaign used two compromised accounts to target a single victim organization and publish an additional 500 private repositories, extending the GitHub data leak tied to the Nx compromise.
Show sources
- AI-powered malware hit 2,180 GitHub accounts in “s1ngularity” attack — www.bleepingcomputer.com — 06.09.2025 17:11