@ZackKorman @UK_Daniel_Card I’m trying to figure out why he was repeatedly clicking and rotating sites once he knew that the link was bad. Also, did he post the link for others to follow to dodgy sites?
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
Anyone else seeing Microsoft #Defender flagging #DigiCert root certificate registry keys as malware?
We’ve seen reports that Defender signature update from April 30 added a detection called:
Trojan:Win32/Cerdigent.A!dha
In some environments, Defender apparently detected DigiCert Root CA certificate registry entries and removed them from the trust store.
The affected cert hashes mentioned so far:
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
Example path:
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
There’s also a Reddit comment suggesting Microsoft has started restoring the certs and that admins can check this via Advanced Hunting in Defender:
DeviceRegistryEvents
| where RegistryKey contains "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
or RegistryKey contains "DDFB16CD4931C973A2037D3FC83A4D7D775D05E4"
| where ActionType == "RegistryKeyCreated"
| where Timestamp > datetime(2026-05-03T04:00:00)
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName
| order by Timestamp desc
On an affected device, this can also be checked with:
certutil -store AuthRoot | findstr -i "digicert"
Could become an annoying day for admins if this spreads
https://t.co/VflLyFgssp
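A local check on one affected host, as an added example and not code from the post above: it verifies the two DigiCert thumbprints named in the thread in both the Cert: provider and the registry path quoted, and lists any Defender detections of the named signature. It assumes an elevated PowerShell session on Windows with the Defender module (Get-MpThreat, Get-MpThreatDetection) available.

```powershell
# Added example (not from the original post). Assumes: Windows host, run elevated,
# Defender PowerShell module present. Reports only; it does not modify the store.

# Thumbprints quoted in the thread
$Thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
# Registry location quoted in the thread (PowerShell drive form of HKLM\...)
$RegBase = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

foreach ($tp in $Thumbprints) {
    # View through the certificate provider (same store certutil -store AuthRoot shows)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
        Where-Object { $_.Thumbprint -eq $tp }

    # Raw registry key that the detection was reported to remove
    $regPresent = Test-Path -Path (Join-Path -Path $RegBase -ChildPath $tp)

    $subject = if ($cert) { $cert.Subject } else { '(missing)' }

    [pscustomobject]@{
        Thumbprint   = $tp
        Subject      = $subject
        InStore      = [bool]$cert
        RegistryKey  = $regPresent
        NeedsRestore = (-not $cert) -or (-not $regPresent)
    }
}

# Detections of the signature named in the thread: when, whether the action
# succeeded, and which resources (registry keys) were hit
Get-MpThreat |
    Where-Object { $_.ThreatName -like 'Trojan:Win32/Cerdigent*' } |
    ForEach-Object {
        $id = $_.ThreatID
        Get-MpThreatDetection |
            Where-Object { $_.ThreatID -eq $id } |
            Select-Object InitialDetectionTime, ActionSuccess, Resources
    }
```

A row with NeedsRestore set to True is a host that still needs the trust-store fix; the detection listing gives the timestamp to correlate against the Advanced Hunting query above.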
For decades(?) we laughed at the hacker-news commenters who felt they could build Dropbox in a weekend.
We knew that engineer was confusing the ability to write a POC with an actual enterprise-ready solution.
AI now lets everyone be that engineer.
Here’s how I currently see software development.
Imagine a farmer who grows cabbage.
He has one large field and several smaller ones. For years, a group of farm workers harvested the cabbage by hand. It took them a full week to clear the big field. They worked carefully. Sometimes a cabbage was damaged, but overall the quality was good.
Then the farmer discovers a machine.
The machine harvests the entire field in one hour and delivers all the cabbage to the barn.
It’s not perfect. Out of 1,000 cabbage heads, maybe 30 or 40 are damaged. The workers point this out immediately:
“When we do it by hand, only 10 get damaged. Our work is higher quality.”
They’re right.
But the farmer replies:
“You need a week for one field. The machine needs one hour.”
Now the machine can harvest:
the big field in the morning
the next field an hour later
then another
and another
Eight, ten, maybe twenty fields per day.
The farmer doesn’t ask the workers to compete with the machine anymore. He gives them a new job:
Stand in the barn. Pick up each cabbage. Check it quickly. Throw out the damaged ones.
That’s the new bottleneck.
And maybe, soon, the farmer buys another machine that does even that inspection automatically.
The workers are still correct: hand-harvested cabbage is often better.
But it no longer matters economically.
The speed difference overwhelms the quality difference.
This is where software development is heading.
Engineers are right when they say manual coding can be higher quality in many situations.
But it is orders of magnitude slower.
That gap is so large that even imperfect AI-generated code wins.
And the quality improves every month.
If it doesn’t improve, it gets cheaper.
If it doesn’t get cheaper, it gets smaller.
And once it’s small enough, it runs on your own hardware.
There is no visible ceiling yet.
So the role changes.
From writing code
to reviewing code
to supervising systems that write and review code.
Like the farm workers in the barn.
Not because their work was bad.
But because the machine changed the economics.
Far too many orgs are relying far too much on EDR. If (I mean when) attackers are able to avoid detection from that, they usually won’t be detected until it’s too late.
In mid-Sep 2025, Anthropic detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign conducted by a threat actor assessed with high confidence to be a 🇨🇳 state-sponsored group. The attackers used AI’s “agentic” capabilities to an unprecedented degree — using AI not just as an advisor, but to execute the cyberattacks themselves.
The threat actor manipulated Anthropic’s Claude Code tool into attempting infiltration into roughly 30 global targets and succeeded in a small number of cases. The operation targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. This is believed to be the first documented case of a large-scale cyberattack executed without substantial human intervention.
https://t.co/eFkzAfNxZs
https://t.co/SJhbUP8vJj
https://t.co/DwpuZm86hy
People on here act like someone decides not to patch.
Like there’s a guy who knows the service is vulnerable, knows it runs in prod, and just shrugs.
That’s maybe 1% of the cases.
The rest is messier:
- No idea the service exists (no inventory)
- No idea it’s vulnerable (no vuln reporting)
- Afraid to break stuff (downtime, legacy crap)
- No one owns it (silos, shadow IT)
- No time (small team, constant firefighting)
- Bad processes (manual patching, approvals, etc)
- Patching tools suck (yep, that too)
It’s rarely negligence.
It’s usually chaos.
‼️ It's getting to the point where we no longer care if a login used MFA (unless FIDO2 Passkeys). We care more about where, how, timing, user agent, what happened afterwards, etc.
If you're "in the trenches" working suspicious logins in the Microsoft world, you'll feel this one!
- Don’t trust EDR alone to protect your organization
- Enforce MFA everywhere
- Audit AD regularly with PingCastle, ScriptSentry, Locksmith, and ADeleginator
- Perform external & internal pentesting annually
- Find an MDR vendor you trust and pay them to help you monitor your environment
- Security starts and ends with people and exists to protect the business
One truth I've always stood by: attackers win by knowing your infrastructure better than you do. AI-enabled coding will bring amazing productivity, but the undiscovered cracks and seams built by vibe coding will be a massive attack surface for a while...
Our team at @Volexity has identified a new 0day exploited in the wild. This time we caught a threat actor using an unauthenticated RCE in Palo Alto Networks GlobalProtect. It has been assigned CVE-2024-3400 and is covered in this @PaloAltoNtwks advisory https://t.co/JZIOPnavnX
BSides Charleston 2023 on sale now!!!
💙
Also fun fact I’ve heard the keynote is really cool 😎
(being silly, it’s me, and I’m wicked excited and super pumped to deliver a great talk to kickoff the event!)
Get your tickets now👇
https://t.co/EFxqRTE7rx
All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.
A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
@HackingLZ @cyb3rops Agree with this. But would include that the user reporting of junk/spam to the IT/helpdesk can increase dramatically. More negatives than positives generally.