GitHub Breach Via Poisoned VS Code Task Unveiled – Internal Repos Looted, Crypto Secrets Stolen!

GitHub Investigates Internal Repo Breach Tied to Poisoned VS Code Task

  • GitHub’s internal repositories were breached via a compromised employee device
  • Attackers exploited a vulnerability in VS Code’s task mechanism to gain access
  • The malware used targets developer credentials and local files, including crypto wallet secrets

GitHub is looking into a security incident where attackers gained access to some of its internal code. This happened because an employee’s computer was compromised through a malicious file hidden within a VS Code project. This file automatically ran when the project folder was opened – a technique recently described in a security report called ‘Mini Shai-Hulud’. GitHub says they discovered the problem quickly and took steps to stop it, including removing the harmful file, isolating the affected computer, and changing sensitive passwords.

GitHub has stated that the security incident appears to be contained within its own internal systems and has not impacted customer data, business accounts, or external users. While the investigation is ongoing, GitHub says the attacker’s claim of approximately 3,800 affected repositories is consistent with its own findings, and its security teams are actively reviewing logs and watching for any further unusual behavior.
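One concrete thing “reviewing logs” means after an incident like this is looking for a single identity pulling an unusual number of repositories in a short time, as a stolen token used to loot thousands of repos would. The script below is an added example, not GitHub’s detection logic; the event field names (`@timestamp`, `action`, `actor`, `repo`, `actor_ip`) are assumptions loosely modelled on audit-log JSON, the threshold and window are placeholders to tune per organisation, and the sample events are constructed.

```python
"""Flag one identity cloning many distinct repositories within a short window."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumption: sliding window size
THRESHOLD = 25                   # assumption: distinct repos per window that alerts


def _ts(minute: int, second: int = 0) -> int:
    """Millisecond epoch timestamp offset from a fixed base (for sample data)."""
    base = datetime(2026, 5, 19, 14, 0, tzinfo=timezone.utc)
    return int((base + timedelta(minutes=minute, seconds=second)).timestamp() * 1000)


# Constructed sample events; the schema is an assumption for this example.
SAMPLE_EVENTS = (
    [{"@timestamp": _ts(-120), "action": "git.clone", "actor": "dev-alice",
      "repo": "example-org/app", "actor_ip": "198.51.100.4"}]
    + [{"@timestamp": _ts(0, 10 * i), "action": "git.clone", "actor": "dev-alice",
        "repo": f"example-org/internal-{i}", "actor_ip": "203.0.113.7"}
       for i in range(40)]
    + [{"@timestamp": _ts(i), "action": "git.clone", "actor": "ci-bot",
        "repo": "example-org/app", "actor_ip": "192.0.2.10"} for i in range(5)]
    + [{"@timestamp": _ts(3), "action": "repo.access", "actor": "dev-alice",
        "repo": "example-org/app", "actor_ip": "203.0.113.7"}]
)


def parse_events(lines) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def detect_mass_clones(events, baseline_ips=None, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per actor whose densest window hits the threshold.

    baseline_ips maps actor -> set of IPs previously seen for that actor, so the
    alert can also say whether the burst came from a source IP that is new.
    """
    baseline_ips = baseline_ips or {}
    by_actor = defaultdict(list)
    for event in events:
        if event.get("action") != "git.clone":
            continue
        when = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        by_actor[event["actor"]].append((when, event["repo"], event.get("actor_ip")))

    alerts = []
    for actor, clones in by_actor.items():
        clones.sort(key=lambda c: c[0])
        best, start = None, 0
        for end in range(len(clones)):
            # Advance the window start until the window fits within `window`.
            while clones[end][0] - clones[start][0] > window:
                start += 1
            window_slice = clones[start:end + 1]
            distinct = {repo for _, repo, _ in window_slice}
            if len(distinct) >= threshold and (best is None or len(distinct) > best["distinct_repos"]):
                ips = {ip for _, _, ip in window_slice if ip}
                best = {
                    "actor": actor,
                    "distinct_repos": len(distinct),
                    "window_start": window_slice[0][0].isoformat(),
                    "window_end": window_slice[-1][0].isoformat(),
                    "source_ips": sorted(ips),
                    "new_ip": bool(ips - baseline_ips.get(actor, set())),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_clones(SAMPLE_EVENTS, {"dev-alice": {"198.51.100.4"}}):
        print(json.dumps(alert, indent=2))
```

The `ci-bot` identity clones the same repository repeatedly and is not flagged, because the rule counts distinct repositories rather than raw clone volume; `dev-alice` is flagged with `new_ip` set because the burst came from an address not in that account’s baseline.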

We’re providing more information about our investigation into a recent security incident where someone gained unauthorized access to some of our internal GitHub repositories. Yesterday, we identified and stopped a compromise involving an employee’s computer and a harmful VS Code extension. We’ve already removed the malicious version of the extension,…

— GitHub (@github) May 20, 2026

Why this matters for crypto users

The Mini Shai-Hulud malware steals various credentials – like passwords, GitHub tokens, and cloud access keys – and can also grab local files. It spreads by infiltrating the software supply chain, which is particularly risky for cryptocurrency developers, as they often keep sensitive wallet information on the same computers.

Security researchers at Wiz, JFrog, SafeDep, Aikido Security, and SlowMist have consistently found that recent versions of the malware contain a credential-stealing component that specifically targets:

  • Developer credentials and local files that frequently include crypto wallet files and seed phrases on developer machines (e.g., MetaMask vaults, hardware wallet configs, hot wallet keystores — as seen in prior Shai-Hulud waves and consistent with the malware’s >90-file scanner)
  • Password-manager databases, including Bitwarden, 1Password, pass, and gopass, with the May 19 durabletask variant adding active unlock attempts using scraped environment variables and shell history
  • GitHub Personal Access Tokens and OIDC tokens, which can be used to push malicious code into a project that thousands of downstream users (including crypto firms) install
  • AWS IAM keys, Kubernetes service-account tokens, and HashiCorp Vault tokens: the building blocks of any crypto firm’s production infrastructure

The cryptocurrency world relies heavily on tools developers use every day. Important services like decentralized finance platforms, exchanges, and wallet providers depend on software packages, libraries, automated workflows, and coding extensions. This means that if one of these fundamental tools is hacked, it can directly put users’ funds at risk. The recent Bitwarden hack, carried out by the same group, TeamPCP, showed exactly how dangerous this can be: a compromised developer tool immediately threatened anyone who stored sensitive information like seed phrases or exchange keys in their password manager.

This explains the rise in cryptocurrency-focused phishing attacks originating on GitHub. For example, the March 2026 OpenClaw $CLAW scam cleverly disguised itself as a free crypto giveaway. This tactic works because developers are both attractive targets – they often control valuable digital assets – and, statistically, are more likely to already own cryptocurrency, making the offer more believable.

Supply chain attacks expand beyond GitHub

As a crypto investor, I’ve been keeping a close eye on recent security threats, and it’s pretty concerning to see how quickly supply chain attacks are spreading. This one, dubbed “Mini Shai-Hulud,” first popped up in late April 2026, targeting developers who use SAP. Now, several security firms – Wiz, JFrog, SafeDep, Snyk, StepSecurity, Endor Labs, Aikido Security, and SlowMist – have all confirmed it. Basically, it’s messing with packages on npm and PyPI, which are used by developers and companies all over the world. It’s a reminder of how vulnerable the entire software supply chain is, and that impacts everything, including crypto.

As a crypto investor, I’ve been following a concerning trend of security breaches. It seems a group called TeamPCP – they’re motivated by money and really good at hacking cloud systems – is behind a lot of recent attacks. They’ve been linked to compromises affecting several projects throughout 2026, including SAP, Checkmarx, Bitwarden, PyTorch, and others like Telnyx and Intercom. There were also two big waves of attacks in May, one on May 11th targeting TanStack and Mistral, and another on May 19th hitting npm and PyPI. It’s definitely making me more cautious about where I’m putting my funds.

Security firm SlowMist discovered that hackers gained access to an npm account called “atool” and quickly released 637 harmful versions of software packages across 317 different projects. They also found that attackers disguised infected releases of the durabletask Python SDK as legitimate updates from Microsoft.

🚨 Security Alert 🚨

Recent information indicates that several popular software packages have been targeted in a supply chain attack known as Mini Shai-Hulud. Affected packages include AntV, Echarts-for-react (npm packages), and the durabletask Python SDK. The attacks began on May 19, 2026, starting with a compromised npm account (atool…).

— SlowMist (@SlowMist_Team) May 20, 2026

Security researchers discovered that the malware quickly scans compromised computers for valuable data. This data includes sensitive items like GitHub tokens, Amazon Web Services keys, Kubernetes secrets, SSH login details, and files saved on developers’ computers.

Security firm SlowMist believes the recently stolen GitHub login details might be linked to attacks on Grafana Labs’ online code repositories. They also cautioned that hackers could potentially access more sensitive company systems now that they have control of developer accounts and tools used for software development.

Now, security teams have to deal with risks that go beyond just hacked devices. SlowMist recommends that organizations immediately change their passwords and prevent vulnerable software packages from being used in their live systems while they investigate the issue.

GitHub attacks reflect growing AI-crypto threats

The recent GitHub security issue appears to be part of a larger trend of attacks aimed at software developers. Earlier in March, attackers tried to trick people working on the OpenClaw AI project by posting fake messages in GitHub issues that looked real, hoping to steal information or install malicious software.

The attackers used fake GitHub accounts to send messages to OpenClaw users, falsely claiming they were eligible for $5,000 in $CLAW tokens. These messages directed victims to a fraudulent website – token-claw[.]xyz – which closely resembled the real OpenClaw site but included a request to connect their cryptocurrency wallet. This was a trap to steal funds from wallets like MetaMask, WalletConnect, and Trust Wallet. The attack used complicated, hidden JavaScript code (in a file called eleven.js) and a command server. It also included a function to delete browsing data, making it harder to detect the scam.

Back in January 2026, several months before a phishing scam appeared, Peter Steinberger, the founder of OpenClaw, clearly stated that the project would never create a cryptocurrency. He posted on X (formerly Twitter), saying, “I will never launch a coin. Any project claiming I own one is a scam.” This statement immediately proved that the $CLAW offering was a fraud.

Security experts are noticing a worrying trend: attackers are now combining phishing emails, harmful software, and fake updates into one complex attack. These attacks often spread through legitimate software development tools and open-source platforms, which makes them harder for both companies and individual users to spot.

In late April 2026, Wiz revealed a serious security flaw (CVE-2026-3854) in GitHub’s systems that could have allowed attackers to execute code remotely on millions of public and private repositories. GitHub quickly fixed the issue, patching it within two hours of discovering it internally. Although there’s no sign the vulnerability was actually exploited, it’s part of a growing trend of security challenges for the platform in 2026.

Recently, a fraudulent GitHub repository tricked users into downloading what appeared to be a Solana trading bot, but it actually contained malicious software. Security firm SlowMist discovered that this software secretly scanned users’ computers for sensitive information like wallet logins and private keys, then sent that data to servers controlled by hackers.

A recent security breach at GitHub has highlighted the increasing dangers facing developers and the open-source tools they rely on. Security experts are paying close attention to GitHub’s updates as they work to understand exactly how widespread the problem is.


2026-05-20 09:42