AI agents that execute commands, browse the web, and coordinate with other agents are everywhere. But how do you know they're safe? Season 4 of GitHub's Secure Code Game lets you find out by hacking one yourself. Free, hands-on, and you can get started in under 2 minutes! Learn more in our latest blog. https://lnkd.in/gacyENSm
GitHub Security Lab’s Post
More Relevant Posts
What happens if/when the heavy sharing on GitHub (thousands of forks, stars, and mirrors by developers worldwide) turns this into a vector for abuse? Potential misuse and security risks? Yep, also including Vidar and GhostSock malware distribution. TL;DR: Threat actors are also actively leveraging the recent Claude Code leak as a social engineering lure to distribute malicious payloads, with GitHub serving as a delivery channel.
The LiteLLM supply chain attack is a good reminder that your threat surface isn't just your code. It's everything your code depends on. One compromised package. 97 million monthly downloads. SSH keys, cloud credentials, API tokens, CI/CD secrets all potentially exposed. And the scary part? It was only caught because the malware had a bug that caused crashes. If the attacker had written cleaner code, it would still be running quietly in production pipelines right now. What makes this worse is the transitive dependency problem. You didn't even have to install LiteLLM directly. Something like dspy pulls it in automatically and now you're affected without even realizing it. What's even more interesting about this one is how the attack actually started. The threat actor didn't hack LiteLLM directly. They first compromised Trivy, the security scanner LiteLLM was using in its own CI/CD pipeline. That gave them the PyPI publishing token. One trusted tool used in a build process became the entry point for the whole thing. I think this is also a good moment to ask how many packages the average project actually needs. Some developers are starting to write simple utilities themselves instead of pulling in a dependency for every small thing. I get that it slows things down but maybe that tradeoff is worth revisiting. Full breakdown here: https://lnkd.in/eba43hdK #CyberSecurity #SupplyChainAttack #DevSecOps #Python #PyPI #CICDSecurity
“Code Leak Sparks GitHub Malware Frenzy: How a 598 MB Source Map Became a Cybercriminal Goldmine” + Video

Introduction: A routine npm package update by AI company Anthropic in late March 2026 accidentally included a 59.8 MB JavaScript source map file containing internal Code source material. Within 24 hours, threat actors weaponized this leak, flooding GitHub with fake repositories that distributed credential-stealing malware disguised as the leaked AI software. This incident demonstrates how a single organizational packaging error can cascade into a large-scale social engineering campaign, exploiting developer trust in open-source ecosystems...
LLMs have become disturbingly capable pen-testers. With 579 lines of Python scaffolding code, an LLM can autonomously compromise an Active Directory network. Privilege escalation, lateral movement, domain dominance... the whole thing, as tested against the GOAD (Game of Active Directory) testbed. We've just released a new version of Cochise (https://lnkd.in/dMJFCN-u), our open-source prototype for autonomous assumed-breach pentesting, with a focus on simplicity and readability. If you're researching LLM-based offensive security, this is meant as a baseline and starting point. The accompanying paper was accepted at ACM TOSEM, and I'll be presenting at ICSE in Rio de Janeiro next week. If you're there and want to grab a coffee or an after-conference drink, message me.
**Security Alert**: If you use LiteLLM for AI orchestration, then you need to drop everything and read this (it is not clickbait). Yesterday, LiteLLM—a critical library with over 97 million monthly downloads that connects AI apps to models like ChatGPT, Claude, Gemini, etc.—was compromised. The attack didn't target LiteLLM directly; instead, hackers breached Trivy, a security scanner LiteLLM uses in its build process. Because LiteLLM’s pipeline pulled an unpinned version of Trivy, the compromised scanner stole the maintainers' credentials and published two poisoned versions (1.82.7 and 1.82.8) directly to PyPI. The malware activated immediately upon starting Python, exfiltrating SSH keys, AWS/Google credentials, and LLM API keys to a remote server. The breach was only discovered quickly because a bug in the malware caused Python to crash systems by consuming all available RAM. While PyPI has since reverted to safe versions, you should immediately run "pip show litellm". If you are on version 1.82.7 or 1.82.8, consider every secret on that machine compromised and rotate your credentials immediately. Find more details at https://lnkd.in/gN4xDvd3
A security scanner designed to find vulnerabilities became the attack vector itself — and it backdoored 3.4M daily downloads of LiteLLM. Snyk's research breaks down how attackers compromised Trivy via a GitHub Actions `pull_request_target` vulnerability, stole PyPI credentials, and published malicious LiteLLM versions (1.82.7/1.82.8). The payload: credential harvesting (SSH keys, cloud creds, Kubernetes secrets), AES-256 exfiltration, and a `.pth` persistent backdoor that survives Python restarts — all active for ~3 hours before quarantine. The tools you trust to secure your pipeline can be weaponized against it. Pin your dependencies. 🔗 How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM https://lnkd.in/guJ6ccZY #Cybersecurity #InfoSec #AIRisk #SupplyChainSecurity #LLMSecurity
Last Tuesday, a single pip install became a backdoor to everything. And this definitely will happen again. Immediate actions for your local machine - first comment.

LiteLLM - the Python library with 95 million monthly downloads that sits between apps and LLM providers - was compromised. Versions 1.82.7 and 1.82.8 pushed to PyPI contained a multi-stage credential stealer that harvested SSH keys, AWS/GCP/Azure tokens, Kubernetes secrets, API keys, database passwords, .env files, shell history, and crypto wallets. 47,000 downloads in 46 minutes. Before PyPI pulled the plug.

Here's what makes this one terrifying: the attack was a chain reaction. It started with Trivy - Aqua Security's vulnerability scanner. The very tool teams run to catch supply chain attacks got compromised first. TeamPCP used the poisoned Trivy action to exfiltrate LiteLLM's PYPI_PUBLISH token from their CI/CD runner. Then they published the poisoned versions directly to PyPI, bypassing the official GitHub release process entirely. A security scanner became the attack vector.

The only reason anyone noticed was a bug in the malware. Version 1.82.8 planted a file that Python runs automatically on every startup. That file kept spawning copies of itself, eating all available RAM until a researcher's machine crashed. Without that crash, the stealer would have run silently for days.

Here's the uncomfortable part: you didn't need to use LiteLLM to be compromised. 2,337 packages on PyPI depend on it. 88% of those had version specs that would have pulled in the poisoned version automatically. The researcher who discovered it never ran pip install litellm – it came in as a dependency of a dependency, through a Cursor MCP plugin. And version 1.82.8 executed its payload during pip install itself – before any application code had a chance to run. You don't need to do anything wrong. Your dependencies do it for you.

There is a proper first line of defense you can configure right now. There are two vectors of attack. First – tell your package manager to "cool down" new versions. It usually takes hours to several days for a compromised package to be noticed and pulled. Blocking any package released in the past 7 days (or more) would have made LiteLLM's 46-minute window irrelevant. Second – block execution of install-time scripts. The majority of npm supply chain attacks run malicious code via postinstall hooks during pip install or npm install, before your application code ever executes. Every major package manager now supports both. Checklist with exact configs for npm, pnpm, Yarn, Bun, pip, uv, and Deno in comments.

This isn't the solution though. We have to reconsider the security model on local machines. For years we assumed Linux and macOS were effectively safe from malware. That's no longer true. The data on a developer's laptop are now worth as much as what's on production infrastructure – sometimes more. The security landscape has changed. Our defaults haven't.
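As an added example (not part of the post above, and not the checklist its author refers to in the comments), a small Python audit helper that implements the three checks the post describes: the `pip show`-style version check against the two compromised LiteLLM versions, a listing of the `.pth` startup hooks in a site-packages directory (the mechanism the 1.82.8 payload used to run on every interpreter start), and a release cool-down filter that keeps only versions older than N days. The release timestamps in the block are constructed sample data, not PyPI metadata.

```python
"""Local supply-chain audit helper (added example, constructed sample data)."""
import site
from datetime import datetime, timedelta, timezone
from importlib import metadata
from pathlib import Path
from typing import Dict, List, Optional

# Exact versions named in the posts as poisoned; extend per advisory.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}


def is_compromised(name: str, version: str) -> bool:
    """Exact-match check of a (package, version) pair against the bad set."""
    return version in COMPROMISED.get(name.lower(), set())


def installed_version(name: str) -> Optional[str]:
    """Same information as `pip show <name>`; None when not installed."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def list_pth_files(site_dir: Path) -> List[Path]:
    """Every .pth here is processed on interpreter start; review each one."""
    return sorted(p for p in site_dir.glob("*.pth") if p.is_file())


def cooled_down_versions(releases: Dict[str, datetime], min_age_days: int,
                         now: datetime) -> List[str]:
    """Versions released at least min_age_days before `now`, newest first."""
    cutoff = now - timedelta(days=min_age_days)
    eligible = [(v, t) for v, t in releases.items() if t <= cutoff]
    return [v for v, _ in sorted(eligible, key=lambda vt: vt[1], reverse=True)]


if __name__ == "__main__":
    ver = installed_version("litellm")
    print("litellm:", ver, "COMPROMISED" if ver and is_compromised("litellm", ver) else "ok")
    for d in site.getsitepackages():
        for hook in list_pth_files(Path(d)):
            print("startup hook to review:", hook)
    # Constructed timeline: one older clean release, two very recent ones.
    now = datetime.now(timezone.utc)
    sample = {"1.82.6": now - timedelta(days=9),
              "1.82.7": now - timedelta(hours=3),
              "1.82.8": now - timedelta(hours=1)}
    print("eligible under a 7-day cool-down:", cooled_down_versions(sample, 7, now))
```

With the constructed timeline, a 7-day cool-down leaves only 1.82.6 eligible, which is the point the post makes about the 46-minute window.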
I almost shipped malware because of GitHub Copilot. Here's how. Not clickbait. This actually happened to a dev on my team.

Copilot suggested `fast-crypto-utils`. Sounded legit. He ran npm install. Didn't check. Turns out, that package doesn't exist in any real library. But it did exist on npm. Uploaded 3 days ago. 11 downloads. All from people who made the same mistake.

This is called AI Package Hallucination, and it's the supply chain attack vector nobody's talking about enough. Here's the playbook attackers are running right now:
→ Feed AI tools prompts until they hallucinate plausible-sounding package names
→ Register those names on PyPI / npm before you do
→ Sit back and wait for developers to blindly install

We've already seen this in the wild: LiteLLM compromise, the ForceMemo campaign, dozens of silent incidents that never made the news.

3 rules I now live by:
1. Google every package you've never heard of. Low download count + created recently = immediate red flag. Walk away.
2. Commit your lock files. package-lock.json, poetry.lock, these aren't optional. They're your paper trail.
3. Run npm audit / pip-audit like it's brushing your teeth. Daily. Not when something breaks.

AI makes us 10x faster. It also makes us 10x more careless. One hallucinated package name + one blind install = your company's next breach. Verify. Lock. Audit. Repeat. #SoftwareEngineering #CyberSecurity #OpenSource #AI #WebDevelopment #Python #NodeJS
Security researchers at BeyondTrust Phantom Labs discovered a critical flaw in OpenAI's Codex coding agent that allowed an attacker to steal GitHub authentication tokens. The now-patched bug was hidden in how Codex processed labels developers use to track different versions of their code. Tyler Jesperson, a security researcher at BeyondTrust and co-author of the report, told ISMG the flaw is part of a pattern that predates AI. He said, "The same web application vulnerabilities that were present before are continually persistent in AI applications." Read the full report by Rashmi Ramesh https://lnkd.in/e3DNRVKC #ISMGNews #Cybersecurity #AI #VibeCoding
You've probably already heard about the widely discussed extraordinary capabilities of Claude Mythos. I am fresh from reading "Assessing Claude Mythos Preview’s cybersecurity capabilities" and gathered some key points below. The general observation is that LLMs are strong in areas where the reward function is clear and well-defined, for instance in breaking security measures. We are talking about a scenario where bypassing a protection = success.

1) Mythos significantly outperforms Opus 4.6. Anthropic says it is a whole new league. The model finds vulnerabilities, chains them, and writes working exploits. Something the previous generation of models consistently failed to do. "Opus 4.6 turned the vulnerabilities it had found in Mozilla's Firefox 147 JavaScript engine [...] into JavaScript shell exploits only two times out of several hundred attempts. [...] Mythos Preview developed working exploits 181 times." "Opus 4.6 generally had a near-0% success rate at autonomous exploit development."

2) Anthropic doesn't train Mythos specifically to find bugs. What's actually surprising is that the results were not anticipated. Mythos was not fine-tuned to exploit vulnerabilities. It evolved through general enhancements. "We did not explicitly train Mythos Preview to have these capabilities. Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy."

3) Anthropic shares some details of 3 vulnerabilities. A 27-year-old bug in OpenBSD's TCP stack - an OS known primarily for its security. Total cost across a thousand runs: under $20,000. The specific run that found it: under $50. A 16-year-old bug in FFmpeg's H.264 codec - one of the most thoroughly fuzzed media libraries, missed by every fuzzer and human reviewer since 2010. Several hundred runs over the repository at a cost of roughly $10,000. No false positives. A guest-to-host memory corruption vulnerability in a production memory-safe VMM - the kind of target that underpins most of the public cloud. Notable because the bug lives inside an unsafe block in an otherwise memory-safe language - a reminder that "memory-safe" doesn't mean "safe everywhere."

---

What we are missing from the picture is actually the TP/FP ratio and the raw number of reports Mythos generated for each of the vulnerabilities. While the cost of exploitation will likely go down with further iterations, it is evident that the human factor is still needed for validating the findings. "We have contracted a number of professional security contractors to assist in our disclosure process by manually validating every bug report before we send it out to ensure that we send only high-quality reports to maintainers." This proves that researchers are still needed. The human is still in the loop. [LINK TO THE BLOG POST IN THE COMMENTS SECTION]
Play now at gh.io/scg! Learn more: https://github.blog/security/hack-the-ai-agent-build-agentic-ai-security-skills-with-the-github-secure-code-game/