惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Troy Hunt's Blog
P
Proofpoint News Feed
V
Vulnerabilities – Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
K
Kaspersky official blog
Cyberwarzone
Cyberwarzone
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
S
Securelist
L
Lohrmann on Cybersecurity
Security Latest
Security Latest
T
Threatpost
H
Heimdal Security Blog
W
WeLiveSecurity
A
Arctic Wolf
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY
IT之家
IT之家
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
TaoSecurity Blog
TaoSecurity Blog
A
About on SuperTechFans
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
N
News and Events Feed by Topic
Hacker News - Newest:
Hacker News - Newest: "LLM"
Last Week in AI
Last Week in AI
T
The Blog of Author Tim Ferriss
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
量子位
Stack Overflow Blog
Stack Overflow Blog
Know Your Adversary
Know Your Adversary
B
Blog RSS Feed
阮一峰的网络日志
阮一峰的网络日志
WordPress大学
WordPress大学
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
AI
AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 司徒正美
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
Vercel News
Vercel News
C
Cyber Attacks, Cyber Crime and Cyber Security
Latest news
Latest news
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
Forbes - Security
Forbes - Security

The Record from Recorded Future News

Taiwan charges two businessmen over alleged role in Chinese espionage campaign Former UK privacy chief preparing legal action against woman who reported him, minister says Spain arrests alleged supporter of pro-Russian hacktivist groups after FBI tip EU unveils cyber plan to reduce reliance on foreign AI systems Supreme Court allows Texas app law requiring age verification to take effect Britain plans to build autonomous AI 'Cyber Shield' to defend nation Major Japanese telco says cyberattack exposed 12 million emails UK cyber pledge draws only a handful of top firms despite ministerial appeal Canadian spy agency reports hacking three criminal groups in 2025 Attackers vote themselves $20 million in BONK cryptocurrency Major medical device manufacturer notifies nearly 4 million of breach Japanese teen arrested over cyberattack that disrupted anime streaming service Ukrainian media outlets now among 'priority targets' for Russian hackers Spyware found on phone of European Parliament member probing it Launch of UK's National Cyber Action Plan delayed amid Labour leadership crisis Supreme Court decision threatens EU-US data transfer agreement Teen suspect in Scattered Spider hacks is extradited to US US lifts export controls on Anthropic’s frontier cybersecurity AI models Japanese insurer, brewer, manufacturer and telecom disclose cyber breaches CIA chief highlights major shifts in agency’s tech approach House passes kids’ online safety bill, but Senate approval unlikely An intelligence budget 'super user' job is now in the hands of Russ Vought Justices rule that cellphone location histories are protected by the Fourth Amendment US racks up about 400 wins over illegal World Cup streaming sites US posts $10 million reward over Russian cyber campaign targeting Signal, WhatsApp Ukraine to use seized crypto from cybercrime group to buy war bonds Russia accuses Apple of ‘political censorship’ after VK apps removed from App Store Turla group adds more malware to Russia’s espionage efforts against Ukraine Russia used social engineering to breach prominent messaging accounts, Ukraine says FCC votes to toughen rules in bid to better protect undersea cables DHS chief says president has met with potential CISA nominee; agency plans to hire 600 Another Russian dairy company reportedly disrupted by cyberattack Ukraine's state postal operator reports app disruption after cyberattack Russia used Cellebrite phone-hacking tool to crack down on dissident after firm cut off country Three ‘cybercrime as a service’ operations undercut by Microsoft, law enforcement German rail services resume after wireless communications outage Indian auto giant Bajaj Auto hit by ransomware incident Five Eyes agencies sound alarm about AI’s threat to cybersecurity Feds seize alleged cyber-scam infrastructure connected to Southeast Asian company Trump directs federal agencies to protect US data from quantum threats Compromise kids online safety bill unveiled by House leaders, with key omission Two Scattered Spider members plead guilty over cyberattack that crippled London transit Tata Electronics confirms cyberattack after alleged Apple, Tesla documents appear online Suspected cyberattack triggers false emergency alerts across parts of Brazil Police raid malware network tied to Russia's Evil Corp hacker group UK's information commissioner resigns over ‘inappropriate humour’ Bulgaria allowed surveillance tech firm to sell products to repressive regimes, report says Australian sugar producer works to restore operations as ransomware group claims attack Hostile states behind three-quarters of attacks on Britain's critical infrastructure, cyber chief warns EU grants Ukraine access to cybersecurity reserve for major attacks Warner warns of CISA cuts, staffing gaps in letter to acting chief India's Telegram ban draws criticism from Durov as company challenges order in court India temporarily blocks Telegram over medical exam cheating fears UK to ban social media access for children under 16 Estonia to quarantine emails sent from Russian .ru domain /maine-turns-off-breach-portal-fake-reports Cyberattack on Russian tech firm Astral disrupts business, government services for week Finland brings charges against cargo ship officers for cutting submarine cables Anthropic says US government forced it to disable cybersecurity AI models Belarus-linked hackers target Gmail accounts of Polish public figures and their families Bankruptcy admin approves settlement fund of $47 million for 23andMe data breach victims Major US surveillance program poised to lapse after legislative deadlock South Korea hits Coupang with record $409 million fine over data breach Cyber Force not included in Senate defense policy roadmap British high school sends students home following cyberattack Hacker linked to Void Blizzard faces charges over cyberespionage campaign University of Nottingham confirms cyber incident as Shiny Hunters group claims data theft CISA to require federal agencies to patch some cyber vulnerabilities within 3 days Cyberattack shuts down major Australian sugar mills, disrupting harvest Microsoft ships largest Patch Tuesday on record, with one bug under active attack UK weakens proposed telecoms defenses against Chinese hackers after industry pushback CISA to transform how it assesses cyber vulnerabilities and risks, Andersen says Hackers pose as women seeking romance to spy on Russian soldiers UK gives big tech 3 months to create device controls to block nude images of kids EU unveils tech sovereignty package to cut reliance on US, Chinese suppliers Apple removes Russia’s state-backed messaging app Max from its store Trump considers Palantir exec to lead CISA FTC considers setting aside or modifying $150 million privacy penalty against X Russia seeks to label two anti-Kremlin hacker groups as ‘extremist’ Supreme Court rules FCC fines punishing telecom giants for sharing location data were legal UN food agency investigates breach exposing data of Gaza aid recipients Researcher publishes GitHub token-stealing exploit, blames Microsoft’s disclosure process Five Eyes warn Chinese spies are using job sites to recruit insiders CISA directive for AI executive order to be released this week, Andersen says DHS chief signals efforts to reshape CISA New cyber force would cost up to $11 billion to start, commission says White House unveils pared-back AI executive order Russia claims foreign spy agencies hacked officials' phones Red Hat removes tainted packages after software pipeline compromise Spain arrests suspected hacker for publishing personal data of police, prosecutors and cyber officials Microsoft says it will not pursue security researchers after zero-day backlash Inspector general finds NIST mistakes have made vulnerability database ineffective NSA selects new leads for key cybersecurity posts Afghan finance officials targeted by suspected Pakistani cyberespionage campaign Unknown hacker group targeted Russian maritime universities, diplomats for nearly two years Microsoft calls zero-day releases ‘never justifiable’ as researcher threatens to drop more Cruise giant Carnival confirms data breach affecting nearly 6 million people Canadian man gets 33 years for using social media to coerce US children into sending sexual content Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns
GitHub dismissed security reports on flaws now exploited by supply-chain worm, researchers say
Alexander Martin · 2026-06-17 · via The Record from Recorded Future News

GitHub rejected two formal vulnerability reports identifying design flaws that researchers say are enabling variants of the Shai-Hulud supply-chain worm to infect and compromise hundreds of software packages and developer accounts worldwide.

The reports, submitted by threat intelligence group Deep Specter Research through GitHub’s bug disclosure channel on HackerOne, were both closed as ineligible and not presenting a security risk, despite the ongoing threat posed by the worm.

Although the hacking tool originated with the TeamPCP cybercrime group, copycat entities have emerged using slightly different versions since the original code was published in early May. Over the last few months, these variants have been linked to breaches at the European Commission, AI recruiting firm Mercor, the LiteLLM packageGitHub itself and Red Hat.

Deep Specter told Recorded Future News that its investigation, conducted using only public data, confirmed 516 malicious packages were currently live across five ecosystems including npm, PyPI and RubyGems, with more than 3,000 affected GitHub repositories and over 200 compromised developer accounts.

The figures were described as a floor by Deep Specter, which noted in a technical report that GitHub's code search does not index files above a certain size threshold, rendering the worm's primary payload — a roughly 4.6 MB obfuscated file — invisible to automated scanning.

The company said its first report to GitHub concerned how GitHub handles commit timestamps, allowing whoever pushes the code the freedom to backdate when they added it to a repository. Deep Specter said the worm uses this feature to make recently added malicious changes appear like routine edits from years earlier, evading defenses that look in a repository's history for recent suspicious activity.

GitHub told the researchers that commit timestamps are client-supplied metadata by design and that the underlying security issue was the compromised credentials used to push the code, not the timestamp.

Deep Specter’s second report concerned who was identified as the author of these commits. GitHub displays the name, photo and username of the authors as if they were confirmed, but in practice the fields are freely set by the attacker and never verified. The worm uses this to make malicious commits appear to have been made by trusted engineers who never touched the code.

GitHub told researchers that arbitrary author metadata is a property of the git version control system, not a GitHub vulnerability, and that its bug bounty program documentation explicitly lists commit author impersonation as a known ineligible finding.

The company pointed Deep Specter to GPG and SSH commit signing and its opt-in Vigilant Mode as available mitigations. The developers whose identities were forged in the Shai-Hulud campaign had not enabled those controls.

GitHub does record which account actually pushed each commit — data that cannot be forged — in its Events API, but does not display it on the commit page visible to reviewers. That record expires from public view after approximately 90 days. Deep Specter raised the security value of improving the visibility of these records, but GitHub described that as a feature request rather than a security fix.

As of June 16, Deep Specter said 1,729 throwaway repositories created by the worm to store stolen credentials remained live on GitHub, alongside 151 repositories still serving active malicious payloads — figures the company described as a snapshot of public data on that date.

Last week, Microsoft released fixes for more than 200 security flaws — the largest Patch Tuesday in the program’s history — in the latest sign of how artificial intelligence is reshaping the world of vulnerability discovery and mitigation.

It comes as Microsoft faces renewed criticism over its disclosure policies, with the company recently forced to clarify it had “no intention to pursue action” against security researchers after sparking outcry from the security community. 

Researchers have repeatedly complained that the company has unjustly dismissed their vulnerability reports and, under the Biden administration, was described as presiding over a cascade of security failures allowing hackers to break into government systems.

Another researcher recently published a separate GitHub token-stealing exploit targeting Microsoft repositories in the same period, underscoring the breadth of credential-theft activity targeting the platform. The researcher made the exploit public due to their dissatisfaction with how Microsoft handled security reports.

Neither GitHub nor its parent company Microsoft responded to requests for comment.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

Recorded Future

No previous article

No new articles

Alexander Martin

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79