惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

美团技术团队
W
WeLiveSecurity
Stack Overflow Blog
Stack Overflow Blog
L
LangChain Blog
S
SegmentFault 最新的问题
Apple Machine Learning Research
Apple Machine Learning Research
Google DeepMind News
Google DeepMind News
F
Full Disclosure
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The Register - Security
The Register - Security
G
Google Developers Blog
C
Check Point Blog
GbyAI
GbyAI
A
About on SuperTechFans
V
Vulnerabilities – Threatpost
T
The Blog of Author Tim Ferriss
T
Tor Project blog
AWS News Blog
AWS News Blog
Cyberwarzone
Cyberwarzone
C
CERT Recently Published Vulnerability Notes
MongoDB | Blog
MongoDB | Blog
Latest news
Latest news
aimingoo的专栏
aimingoo的专栏
U
Unit 42
Y
Y Combinator Blog
P
Privacy International News Feed
Cisco Talos Blog
Cisco Talos Blog
S
Securelist
S
Schneier on Security
雷峰网
雷峰网
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
C
Cisco Blogs
Webroot Blog
Webroot Blog
T
Troy Hunt's Blog
Google Online Security Blog
Google Online Security Blog
月光博客
月光博客
P
Privacy & Cybersecurity Law Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
罗磊的独立博客
Cloudbric
Cloudbric
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
H
Hackread – Cybersecurity News, Data Breaches, AI and More
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Microsoft Security Blog
Microsoft Security Blog

VentureBeat

Anthropic says it hit a $30 billion revenue run rate after 'crazy' 80x growth OpenAI voice models get GPT-5-class reasoning AI agent identity: how to govern agentic AI in 6 stages Anthropic wants to own your agent's memory, evals, and orchestration — and that should make enterprises nervous Enterprise GPU utilization: why 95% of AI infrastructure spend is wasted Governance, not gatekeeping: How SAP brings enterprise‑grade safety to AI connectivity Anthropic introduces "dreaming," a system that lets AI agents learn from their own mistakes RL orchestration: how a 7B model routes tasks across GPT-5, Claude, and Gemini Meet ZAYA1-8B, a super efficient open reasoning model trained on AMD Instinct MI300 GPUs Anthropic Skill scanners passed every check. The malicious code rode in on a test file. Why AI breaks without context — and how to fix it Market research is too slow for the AI era, so Brox built 60,000 identical 'digital twins' of real people you can survey instantly, repeatedly The app store for robots has arrived: Hugging Face launches open-source Reachy Mini App Store with 200+ apps Scaling AI into production is forcing a rethink of enterprise infrastructure Miami startup Subquadratic claims 1,000x AI efficiency gain with SubQ model; researchers demand independent proof. GPT-5.5 Instant shows you what it remembered — just not all of it One command turns any open-source repo into an AI agent backdoor. OpenClaw proved no supply-chain scanner has a detection category for it AI agents are missing all the discussions your team is having. SageOX has an answer: agentic context infrastructure OpenAI turns its sold-out GPT-5.5 party into a monthlong Codex giveaway for 8,000 developers Inside AMEX’s agentic commerce stack: How intent contracts and single-use tokens enforce AI transactions Microsoft takes Agent 365 out of preview as shadow AI becomes an enterprise threat The RAG era is ending for agentic AI — a new compilation-stage knowledge layer is what comes next Salesforce Agentforce Operations fixes workflows breaking enterprise AI MCP command execution flaw: what security teams need to know The scaffolding era is over. LlamaIndex says context is the new moat xAI launches Grok 4.3 at an aggressively low price and a new, fast, powerful voice cloning suite Hidden IT problems are quietly creating risk, shadow IT, and lost productivity Alibaba's HDPO cuts AI agent tool overuse from 98% to 2% One tool call to rule them all? New open source Python tool Runpod Flash eliminates containers for faster AI dev Why OpenAI's 'goblin' problem matters — and how you can release the goblins on your own AI coding agents breached: attackers targeted credentials, not models | VentureBeat Writer launches AI agents that can act without prompts, taking on Amazon, Microsoft and Salesforce Netomi raises $110 million as Accenture and Adobe bet on AI for customer service Cheaper tokens, bigger bills: The new math of AI infrastructure Amazon’s OpenAI gambit signals a new phase in the cloud wars — one where exclusivity no longer applies Enterprise RAG rebuild: hybrid retrieval adoption tripled in Q1 2026 IBM launches Bob with multi-model routing and human checkpoints to turn AI coding into a secure production system AWS Quick's knowledge graph creates an orchestration blind spot Why enterprise GPU utilization is stuck at 5% — and why the fix makes it worse Definity embeds agents inside Spark pipelines to catch failures before they reach agentic AI systems How to build custom reasoning agents with a fraction of the compute American AI startup Poolside launches free, high-performing open model Laguna XS.2 for local agentic coding Mistral AI launches Workflows, a Temporal-powered orchestration engine already running millions of daily executions Microsoft and OpenAI gut their exclusive deal, freeing OpenAI to sell on AWS and Google Cloud Open source Xiaomi MiMo-V2.5 and V2.5-Pro are among the most efficient (and affordable) at agentic 'claw' tasks AI framework autonomously outperforms human-designed R&D baselines Why supply chains are the proving ground for automation‑led iPaaS RAG precision tuning can quietly cut retrieval accuracy by 40%, putting agentic pipelines at risk Enterprises are obsessing over model accuracy while ignoring the infrastructure layer where AI systems actually break. Monitoring LLM behavior: Drift, retries, and refusal patterns CVSS vulnerability triage: 5 failures, 5 fixes DeepSeek-V4 arrives with near state-of-the-art intelligence at fraction of the cost of Opus 4.7, GPT-5.5 85% of enterprises are running AI agents. Only 5% trust them enough to ship. AI synthetic audiences are already here and poised to upend the consulting industry Mystery solved: Anthropic reveals changes to Claude's harnesses and operating instructions likely caused degradation OpenAI's GPT-5.5 is here, and it's no potato: narrowly beats Anthropic's Claude Mythos Preview on Terminal-Bench 2.0 New startup BAND debuts agentic mesh with deterministic routing to govern multiple enterprise AI agents across model providers, channels OpenAI unveils Workspace Agents, a successor to custom GPTs for enterprises that can plug directly into Slack, Salesforce and more Google and AWS split the AI agent stack between control and execution Are you paying an AI ‘swarm tax’? Why single agents often beat complex systems OpenAI launches Privacy Filter, an open source, on-device data sanitization model that removes personal information from enterprise datasets Google doesn't pay the Nvidia tax. Its new TPUs explain why. Salesforce’s Agentforce Vibes 2.0 targets a hidden failure: context overload in AI agents Google’s Gemini can now run on a single air-gapped server — and vanish when you pull the plug The modern data stack was built for humans asking questions. Google just rebuilt its for agents taking action. Google’s new Deep Research and Deep Research Max agents can search the web and your private data Vercel breach exposes the OAuth gap most security teams cannot detect, scope or contain The AI governance mirage: Why 72% of enterprises don’t have the control and security they think they do OpenAI's ChatGPT Images 2.0 is here and it does multilingual text, full infographics, slides, maps, even manga — seemingly flawlessly Kimi K2.6 runs agents for days — and exposes the limits of enterprise orchestration What AI model should you use for revenue intelligence? Von says all the big ones, and it will automate mixing and matching for you Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it Train-to-Test scaling explained: How to optimize your end-to-end AI compute budget for inference AI agent security maturity audit: enterprises funded stage one, stage-three threats arrived anyway Anthropic just launched Claude Design, an AI tool that turns prompts into prototypes and challenges Figma Should my enterprise AI agent do that? NanoClaw and Vercel launch easier agentic policy setting, approval dialogs for messaging apps Salesforce launches Headless 360 to turn its entire platform into infrastructure for AI agents Are we getting what we paid for? How to turn AI momentum into measurable value OpenAI debuts GPT-Rosalind, a new limited access model for life sciences, and broader Codex plugin on Github OpenAI drastically updates Codex desktop app to use all other apps on your computer, generate images, preview webpages Anthropic releases Claude Opus 4.7, narrowly retaking lead for most powerful generally available LLM AI lowered the cost of building software. Enterprise governance hasn’t caught up Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway Frontier models are failing one in three production attempts — and getting harder to audit Meta researchers introduce 'hyperagents' to unlock self-improving AI for non-coding tasks We tested Anthropic’s redesigned Claude Code desktop app and 'Routines' -- here's what enterprises should know AI's next bottleneck isn't the models — it's whether agents can think together Adobe’s new Firefly AI Assistant wants to run Photoshop, Premiere, Illustrator and more from one prompt Traza raises $2.1 million led by Base10 to automate procurement workflows with AI Agentic coding at enterprise scale demands spec-driven development Designing the agentic AI enterprise for measurable performance Five signs data drift is already undermining your security models Your developers are already running AI locally: Why on-device inference is the CISO’s new blind spot AI agent credentials live in the same box as untrusted code. Two new architectures show where the blast radius actually stops. Intuit compressed months of tax code implementation into hours — and built a workflow any regulated-industry team can adapt OpenAI introduces ChatGPT Pro $100 tier with 5X usage limits for Codex compared to Plus Mythos autonomously exploited vulnerabilities that survived 27 years of human review. Security teams need a new detection playbook Claude, OpenClaw and the new reality: AI agents are here — and so is the chaos Goodbye, Llama? Meta launches new proprietary AI model Muse Spark — first since Superintelligence Labs' formation LLM-referred traffic converts at 30-40% — and most enterprises aren't optimizing for it
GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft's Python SDK
louiswcolumb · 2026-05-21 · via VentureBeat

GitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee’s device gave attackers access to roughly 3,800 internal repositories at the Microsoft-owned code storage and authorship platform.

The threat group TeamPCP, formally tracked by Google Threat Intelligence Group as UNC6780, claimed responsibility and is advertising the stolen repositories for sale starting at $50,000. GitHub’s assessment: the attacker’s claim is “directionally consistent” with the investigation so far. Trend Micro, StepSecurity, and Snyk have formally tracked TeamPCP across at least seven waves of the Mini Shai-Hulud supply chain worm since March.

The GitHub breach did not land in isolation. It arrived the same day a new Mini Shai-Hulud wave forged valid cryptographic provenance on 639 malicious npm package versions, one day after attackers compromised a VS Code extension with 2.2 million installs, the same day Wiz discovered TeamPCP had compromised Microsoft’s durabletask Python SDK on PyPI, and the same morning Verizon’s 2026 DBIR revealed that 67% of employees access AI tools through non-corporate accounts. Five supply chain surfaces failed in 48 hours. Two more AI-agent attack classes were disclosed the same month that completed the grid. One group connects at least three of them.

GitHub confirms the breach, names the attack vector, and the attribution trail is long

"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately," GitHub posted in a five-post thread on X on May 20. "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. [Emphasis added by VentureBeat] The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far." GitHub added that critical secrets were rotated overnight with the highest-impact credentials prioritized first.

GitHub’s confirmation narrows the attack vector to a single employee device but leaves the blast radius expanding. The company has not named the specific extension. Internal repositories contain infrastructure configurations, deployment scripts, staging credentials, and internal API schemas. Source code access at that level is not a data breach. It is an infrastructure intelligence leak.

Dark Web Informer reported that TeamPCP’s listing appeared on a hacking forum hours before GitHub’s initial disclosure, advertising around 4,000 private repositories. Hackmanac independently confirmed the listing. An X account linked to TeamPCP, xploitrsturtle2, posted after GitHub’s confirmation: “GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.”

Google Threat Intelligence Group formally tracks TeamPCP as UNC6780, a financially motivated threat actor specializing in supply chain attacks targeting open-source security utilities and AI middleware. Trend Micro tracked "at least seven confirmed waves" spanning Trivy (March 2026), Checkmarx KICS, LiteLLM, elementary-data, Bitwarden CLI, TanStack (May 11), and Mistral AI (May 12). StepSecurity, Snyk, and Trend Micro assess high confidence on the Trivy, Bitwarden CLI, and TanStack waves based on toolchain overlap. GitHub’s May 20 confirmation that the breach came through a poisoned VS Code extension aligns with the exact attack surface TeamPCP weaponized throughout 2026.

Binance co-founder CZ posted immediately: "If you have ANY private repos with plain text secrets or sensitive documents/architectures, immediately rotate your secrets." Mike Riemer, CTO of Ivanti, told VentureBeat in an exclusive interview that Azure’s honeypot network now shows known vulnerabilities exploited in under 90 seconds. Stolen credentials shorten the recon phase that precedes exploitation. Every GitHub-side secret that reaches a buyer accelerates whichever attack path that buyer was already running.

The worm that forges its own provenance badge

Hours before GitHub's disclosure, Endor Labs detected 42 malicious npm packages published between 01:39 and 02:06 UTC on May 19. Socket's broader tracking put the full wave at 639 malicious versions across 323 packages inside Alibaba's @antv data visualization ecosystem, roughly 16 million weekly downloads.

This wave introduced provenance forgery. The worm now calls Fulcio and Rekor at runtime to generate valid Sigstore signing certificates for every package it propagates to. Provenance tooling shows a green badge. The build chain belongs to the attacker. "The attestation proves where the package was built. It does not prove the build was authorized," Endor Labs stated.

Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat that “TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway. Each wave has picked a higher-download target and introduced a more technically interesting access vector.”

Late on May 12, vx-underground reported that TeamPCP open-sourced the fully weaponized Shai-Hulud worm code. Copycat variants have already appeared, complicating attribution. Kennedy provided VentureBeat a first-pass detection check: run find . -name ‘router_init.js’ -size +1M across project directories and grep for the hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c in package-lock.json. If either returns a hit, isolate and image the machine before revoking any tokens. The worm’s destructive daemon triggers on revocation.

GitHub Actions tags redirected to imposter commits the same day

Also on May 19, threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper by redirecting every existing tag in the repository to an imposter commit that does not appear in the action’s normal commit history. “That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action,” StepSecurity researcher Varun Sharma said. GitHub has since disabled access to the repository.

The exfiltration domain (t.m-kosche[.]com) matches the @antv Mini Shai-Hulud wave, tying the two clusters together. Only workflows pinned to a known-good full commit SHA were unaffected.

The worm jumped to Microsoft’s own Python SDK the same day

Hours after the @antv wave, Wiz detected that TeamPCP had compromised durabletask, the official Microsoft Python client for the Durable Task workflow execution framework. Three malicious versions (1.4.1, 1.4.2, and 1.4.3) were published to PyPI within a 35-minute window on May 19. The attack chain was direct: a GitHub account compromised in a previous TeamPCP operation still had access to the microsoft/durabletask-python repository. The attacker dumped GitHub Secrets, extracted a PyPI publishing token, and pushed the infected releases directly. PyPI quarantined all three versions.

StepSecurity’s analysis found the payload downloads a 28 KB dropper (rope.pyz) that steals credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale. The durabletask package averages over 400,000 monthly downloads.

VS Code extensions breached GitHub itself, and that is not even the first compromise this week

On May 18, attackers published a compromised version of the Nx Console VS Code extension, installed more than 2.2 million times. The malicious version harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and specifically targeted Claude Code configuration files under ~/.claude/settings.json. The Nx team removed it within 11 minutes. Any developer who opened a workspace between 12:36 and 12:47 UTC ran the credential stealer. One day later, GitHub confirmed that a different poisoned VS Code extension was the entry point for the 3,800-repo breach of its own internal infrastructure.

As one X user framed it: “Microsoft’s GitHub was compromised when a Microsoft developer using Microsoft VSCode installed a rogue extension from Microsoft’s VSCode extension library, which is moderated and hosted by Microsoft.” The entire attack chain stayed inside one vendor’s ecosystem. Developers have been reporting malicious VS Code extensions to Microsoft for years. A publicly documented complaint from December 2024 asked Microsoft to fix the marketplace. Eighteen months later, the marketplace was the entry point for a breach of GitHub itself.

AI coding agents treat trust dialogs as features, not security events

Adversa AI’s TrustFall research, published May 7, tested Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. "A repository can ship a configuration that auto-approves and immediately launches an MCP server, no tool call from the agent is required," researcher Rony Utevsky told Dark Reading. All four default to "Yes/Trust." The Managed scope configuration that could lock this down is "rarely used." When Claude Code runs headless through GitHub Actions, the trust dialog never renders.

PR comments became agent instructions

Aonan Guan, alongside Johns Hopkins colleagues Zhengyu Liu and Gavin Zhong, typed a malicious instruction into a PR title and watched Anthropic's Claude Code Security Review action post its own API key as a comment. The same prompt injection worked against Gemini CLI Action and GitHub's Copilot Agent. Anthropic classified it CVSS 9.4 Critical.

Prompt injection reaches eval() through legitimate API calls

Microsoft disclosed CVE-2026-26030 and CVE-2026-25592 on May 7, both critical in Semantic Kernel. The Python SDK flaw let a crafted prompt achieve host-level remote code execution. The .NET SDK flaw turned an accidentally exposed file-transfer helper into a tool the AI model could invoke, enabling sandbox escape from Azure Container Apps.

Social channels deliver the payload where EDR has no signal

CrowdStrike’s 2026 Financial Services Threat Landscape Report, released May 14, quantified identity theft scaling outside developer toolchains. DPRK-nexus actors stole $2.02 billion in digital assets in 2025, a 51% year-over-year increase. PRESSURE CHOLLIMA conducted the largest single financial theft ever reported: $1.46 billion through trojanized software distributed via supply chain compromise. FAMOUS CHOLLIMA doubled its operations using AI-generated identities. STARDUST CHOLLIMA tripled its tempo. The primary delivery channels: WhatsApp and LinkedIn, where EDR has no signal.

“Financial services organizations face threats from every direction, and AI is making each of them harder to stop,” Adam Meyers, senior vice president, counter adversary operations at CrowdStrike, said in the report. “Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond.” His 2026 Global Threat Report found 82% of detections in 2025 were malware-free. The average eCrime breakout time fell to 29 minutes, with the fastest observed at 27 seconds.

Riemer told VentureBeat the same dynamic applies to developer toolchains. "Bad guys are pivoting to what's the next weakest link. Let me get somebody's house key, and I can make it through the back door." Stolen developer identities are the house key.

Shadow AI usage tripled in one year

The Verizon 2026 DBIR found that 45% of employees are regular AI users, up from 15% last year, with 67% accessing AI through non-corporate accounts. Third-party involvement in breaches jumped to 48%.

The Developer Tool Stolen-Identity Audit Grid

No single surface in this grid qualifies as a zero day. Chained together, they function like one. "I can take a whole bunch of little things and chain them together and get the same level of access," Riemer told VentureBeat. "That's what AI does very, very well."

Surface

Incident / Vector

Visibility Gap

Recommended Action

GitHub internal repositories

TeamPCP (UNC6780) stole ~3,800 internal repos via poisoned VS Code extension on employee device. GitHub confirmed May 20. Critical secrets rotated overnight. Listing includes security infra and AI tooling repos

Customers cannot audit internal repo contents. Leaked secrets affect every downstream tenant

Rotate GitHub-issued tokens, OAuth app secrets, and Actions OIDC trust relationships

npm provenance verification

Mini Shai-Hulud wave (May 19). 639 malicious versions per Socket. Stolen maintainer identity generated legitimate Sigstore certs at runtime

Provenance check passes. Signing identity is stolen. 16M weekly downloads affected

Stop treating provenance badges as sufficient. Add install-time behavioral analysis. Set minimumReleaseAge

VS Code extension auto-update

Nx Console v18.95.0 (May 18). Stolen contributor token, orphan commit, three exfil channels. Claude Code configs targeted. 2.2M installs

Auto-update executes credential stealer silently. No detection category exists

Pin extension versions. Audit auto-update policy. Review publisher token governance

AI coding agent CLI trust dialog

TrustFall (Adversa AI). All four CLIs auto-execute untrusted MCP servers with one keypress

Trust dialog is a feature, not a security event. Headless CI skips dialog entirely

Disable enableAllProjectMcpServers. Require explicit per-server approval

CI/CD pipeline agent execution

Comment and Control (Johns Hopkins, CVSS 9.4). PR comments processed as agent instructions

Malicious .mcp.json runs with runner’s full credentials. Zero human interaction

Gate agent runs to post-merge branches. Review pull_request_target workflows

AI agent framework eval() path

Semantic Kernel CVE-2026-26030 (9.9) and CVE-2026-25592 (10.0). Prompt injection reaches eval()

EDR sees approved call. Flat auth plane fails to respect user permissions

Upgrade to Python 1.39.4+ / .NET 1.71.0+. Disable auto-invocation

Out-of-band delivery

CrowdStrike FinServ (May 14). WhatsApp and LinkedIn as primary vectors. CHOLLIMA doubled and tripled tempo

EDR has no signal on social-channel delivery. AI-generated identities at scale

Add WhatsApp and LinkedIn to insider-threat playbooks

Seven surfaces. One group confirmed across at least three of them, with open-sourced tooling enabling copycats across the rest. Kayne McGladrey, IEEE Senior Member, told VentureBeat that organizations are "defaulting to cloning human user profiles for agents, and permission sprawl starts on day one." The compliance frameworks enterprises rely on were written for humans. Agent identities do not appear in any control catalog McGladrey has encountered.