info on the github breach appears to only be available on xitter 🙄 , I fished it out for you.

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:41:03 GMT

0xabad1dea@infosec.exchange — Wed, 20 May 2026 08:41:03 GMT

@endrift 3800 properly distinct repos doesn’t strike me as an unlikely number if it includes every employee’s minor side project over the last 18 years

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:31:02 GMT

nephrite@gamedev.lgbt — Wed, 20 May 2026 08:31:02 GMT

@ratsnakegames @0xabad1dea Maybe I shouldn't learn coding. Sounds more and more like a well of cursed knowledge these days.

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:29:42 GMT

ratsnakegames@mastodon.social — Wed, 20 May 2026 08:29:42 GMT

@Nephrite @0xabad1dea which package registry does these days?

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:27:56 GMT

nephrite@gamedev.lgbt — Wed, 20 May 2026 08:27:56 GMT

@ratsnakegames @0xabad1dea That sounds pretty bad. Don't they do reviews or anything?

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:26:33 GMT

ratsnakegames@mastodon.social — Wed, 20 May 2026 08:26:33 GMT

@Nephrite @0xabad1dea 1% is maybe a bit exaggerated but VS Code marketplace is kinda notorious for malware

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:24:57 GMT

nephrite@gamedev.lgbt — Wed, 20 May 2026 08:24:57 GMT

@0xabad1dea I'm honestly not sure if you're joking or if this is literally true.

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:21:35 GMT

liw@toot.liw.fi — Wed, 20 May 2026 08:21:35 GMT

@david_chisnall @0xabad1dea I could not ever have thought that to be a problem! Who has ever heard of it being problematic to download random code from the Internet and run it with full privileges on your computer? This realization is a breakthrough in infosec. Someone deserves a Nobel price for this. And a Turing award.

(#sarcasm just in case)

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:15:17 GMT

caspicat@infosec.exchange — Wed, 20 May 2026 08:15:17 GMT

@soviut @0xabad1dea Checkmarkx (appsec company!) recently couldn't kick out the attackers for a month, so one of their recommended action to clients was to disable auto update of the Checkmarkx extension in VSCode (which was poisoned)

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:07:33 GMT

david_chisnall@infosec.exchange — Wed, 20 May 2026 08:07:33 GMT

@phil @0xabad1dea

I’ve thought about this for a while and I think the difference is the marketplace. I use a bunch of vim extensions but vim and emacs don’t have a built-in thing that advertises extensions to me. There’s no ‘click here to install…’ button with flashy marketing. There’s no built-in concept of ‘recommended extensions’.

When I install an extension in vim, it’s almost always because someone looks over my shoulder and says ‘wow, I forgot how bad vim was without [my favourite extension]’ and I try it and decide it actually does make life nicer. When people install extensions in VS Code it’s because they’ve been trained that there’s always an extension in the store and it’s the top result for their search. And that gives people a big incentive to put malicious extensions in the store.

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 08:00:23 GMT

soviut@hachyderm.io — Wed, 20 May 2026 08:00:23 GMT

@0xabad1dea Or the extension was legitimate and got compromised (their use of the term "poisoned" makes me think that).

Supply chain attacks are on the rise; the best course of action is to admit when they happen, learn from them, and use those learnings to prevent it in the future.

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 07:53:01 GMT

0xabad1dea@infosec.exchange — Wed, 20 May 2026 07:53:01 GMT

@benoitb every large organization, knowingly or unintentionally (usually both), has internal secrets embedded in their internal codebase. so yeah

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 07:51:35 GMT

benoitb@framapiaf.org — Wed, 20 May 2026 07:51:35 GMT

@0xabad1dea

They wrote:

> "2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. […]
3/ We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first."

Do they really put "Critical secrets" in their "GitHub-internal repositories" !?

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 07:46:06 GMT

0xabad1dea@infosec.exchange — Wed, 20 May 2026 07:46:06 GMT

gonna gently push back that there's no reason (according to github's version of the story) to associate this with AI or with spectacular incompetence on the part of the employee; the issue is that industry standard, extremely widely used text editor Visual Studio Code has a big button that says "click here to add useful functionality to do your job" that has a 1% chance of installing ransomware

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 07:44:30 GMT

phil@fed.bajsicki.com — Wed, 20 May 2026 07:44:30 GMT

@david_chisnall@infosec.exchange @0xabad1dea@infosec.exchange
While yes, I think it's more about the perception of extensions being secure. Emacs has the same security model, but you don't see Big News about it.

Granted part of this is that Emacs itself requires a certain level of understanding to use so it filters out users who Just Install Things but still.

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 07:34:51 GMT

muddle@infosec.exchange — Wed, 20 May 2026 07:34:51 GMT

@0xabad1dea (horselegged/sanserif Swastikas...)

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 07:33:36 GMT

david_chisnall@infosec.exchange — Wed, 20 May 2026 07:33:36 GMT

@0xabad1dea Huh. It’s almost as if an editor with a marketplace for extensions and zero thought to the security model (beyond ‘extensions have complete access to your computer’) might not have been the best idea after all.

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 07:24:05 GMT

elrohir@mastodon.gal — Wed, 20 May 2026 07:24:05 GMT

@0xabad1dea while this is not directly related to AI as far as reported, I can't help but imagine that hiring people who buy into the AI idiocy is a surefire way to get your entire organization packed full of imbeciles likely to make this fuck up one day or another

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 07:22:23 GMT

crowbriarhexe@tech.lgbt — Wed, 20 May 2026 07:22:23 GMT

@tati @0xabad1dea “we don’t think we can get away with denying it”

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 06:52:38 GMT

ryan@m29.us — Wed, 20 May 2026 06:52:38 GMT

@0xabad1dea My favorite take so far: "holy shit, how did the attackers find a large enough uptime window to get in?"

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 06:38:41 GMT

tomhead@mastodon.social — Wed, 20 May 2026 06:38:41 GMT

@tati @0xabad1dea I don't know how someone decides to use the phrase "directionally consistent". Maybe they took too many drugs, or not enough. Anyway, something went wrong, for sure.

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 06:36:18 GMT

groxx@hachyderm.io — Wed, 20 May 2026 06:36:18 GMT

@0xabad1dea maybe they'll build a status page some day. they're still a scrappy startup though, they probably have higher priorities like making investor pitch decks.

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 06:26:41 GMT

js@mastodon.nl — Wed, 20 May 2026 06:26:41 GMT

@GerhardD @0xabad1dea Glad to have left Github behind when it was about to be consumed by Viboslop.

(Yeah, I know, it’s still a supply chain attack free for all fest causing much hurt.)

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 06:25:16 GMT

gerhardd@olching.social — Wed, 20 May 2026 06:25:16 GMT

@0xabad1dea Glad to have deleted my GitHub Account when they introduced "AI". #github

Reply to info on the github breach appears to only be available on xitter 🙄 , I fished it out for you. on Wed, 20 May 2026 06:22:27 GMT

tkissing@mastodon.social — Wed, 20 May 2026 06:22:27 GMT

@0xabad1dea Happy GitHub Breach Day! Enjoy this one. Starting next week we will go back to just calling it Wednesday again.