Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Shai-Hulud secrets leak on GitHub

Data Leak
First reported
Last updated
Happening score
H score 26
2 unique sources, 3 articles

Summary

Hide ▲

The Shai-Hulud supply-chain malware leak exposed developer and CI/CD secrets on GitHub, creating immediate reuse risk for credentials taken from compromised development workflows. The second attack last week infected hundreds of NPM packages, published stolen data in 30,000 GitHub repositories, and exposed around 400,000 raw secrets. Wiz said more than 60% of leaked NPM tokens were still valid as of December 1st, and the malware also included a home-directory wipe under certain conditions.

Related Happenings

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Open Happening

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Open Happening

Megalodon GitHub CI/CD supply-chain campaign

Campaign
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

Open Happening

GitHub data exposed after GitHub breach

Data Leak
First: 20.05.2026 11:14 Last: 20.05.2026 11:14 Sources 1

About this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...

Open Happening

GitHub internal repositories private-code leak claim

Data Leak
First: 20.05.2026 08:08 Last: 20.05.2026 08:08 Sources 1

About this happening: GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...

Latest development: 21.05.2026 17:45

A malicious version of Nx Console 18.95.0 was uploaded to Visual Studio Marketplace and Open VSX on May 18, fetched an obfuscated payload, and harvested secrets from ~/.vault-token, /etc/vault/token, .npmrc, ghp_/gho_/ghs_ tokens, AWS metadata, and other local sources; GitHub said the poisoned VS Code extension led to unauthorized access to about 3800 internal repositories.

Open Happening

Timeline

  1. 24.11.2025 16:32 3 articles · 6mo ago

    Shai-Hulud npm campaign leaks secrets on GitHub

    Initial Disclosure

    Shai-Hulud planted trojanized npm packages impersonating Zapier, ENS Domains, PostHog, and Postman to steal developer and CI/CD secrets, then published the stolen data on GitHub in encoded form through attacker-controlled repositories. Researchers linked the operation to compromised maintainer accounts, about 350 unique maintainer accounts, and malicious payloads that run during the pre-install stage, including setup_bun.js and bun_environment.js.

    Show sources
    Open in new tab