🚨A HACKER GROUP JUST STOLE 4,000 OF GITHUB'S OWN PRIVATE REPOSITORIES.. PUT THEM UP FOR SALE FOR $50,000.. AND THE WAY THEY GOT IN IS THE SCARIEST PART..
They didn't hack GitHub's servers.. They poisoned a VS Code extension.. One GitHub employee installed it.. And the attackers walked through the front door using the employee's own credentials..
The group calls themselves TeamPCP.. They name their malware after the sandworms from Dune.. And they've been running the most sophisticated supply chain attack campaign in cybersecurity history..
Here's how the whole thing unfolded..
In March.. They poisoned Trivy.. One of the most trusted security scanners in the world.. Used by over 10,000 development workflows globally..
They injected credential-stealing malware into Trivy's official GitHub Action.. The malware ran silently BEFORE the security scan.. So every log showed "scan completed successfully" while the malware was stealing AWS keys, SSH credentials, database passwords, and Kubernetes tokens in the background..
It took Aqua Security 5 days to fully remove them..
Using the stolen credentials.. They breached Cisco Systems.. Cloned over 300 private repositories.. Including source code for unreleased AI products.. And repositories belonging to Cisco's customers.. Major banks.. Government agencies.. BPO firms..
In April.. They hit Checkmarx.. Another security vendor.. Poisoned 5 official Docker images in 83 minutes.. The scanner worked perfectly.. It just silently sent all your secrets to the attackers..
That automatically cascaded into Bitwarden.. The password manager.. Their CI/CD system pulled the poisoned Docker image.. And the attackers injected malware into Bitwarden's official CLI package published on npm..
One compromised security scanner poisoned a password manager.. Automatically.. No human involved..
In May.. They hit TanStack.. Libraries downloaded millions of times per week.. 84 malicious package versions across 42 packages..
And here's the terrifying part..
The malware scraped the raw memory of GitHub's build servers.. Extracted authentication tokens.. Used those tokens to bypass two-factor authentication.. And then published the infected packages with completely valid cryptographic signatures..
Every security verification tool on earth said the packages were legitimate.. Because they were signed by the real pipeline.. Using real keys.. The attackers just happened to be inside the pipeline when it signed..
They defeated the entire trust model of modern software supply chains..
The same week they hit the Nx Console VS Code extension.. 2.2 million installations.. The malware specifically targeted Claude Code configurations.. Hunting for AI assistant credentials..
That's a first.. Supply chain malware designed to steal your AI's access keys..
Then on May 19.. They revealed the GitHub breach.. 4,000 internal repositories.. Listed for sale at $50,000.. With a warning.. "If nobody buys it.. We leak everything for free"..
Their malware is self-propagating.. Once it infects one package.. It automatically finds every other package that developer maintains.. Steals the publish tokens.. And infects all of them.. Then those packages infect the next developer.. And the next..
It jumps between npm and PyPI automatically..
The group doesn't even do the extortion themselves.. They sell stolen credentials to ransomware gangs.. One gang used TeamPCP's data to threaten Cisco with leaking FBI and NASA personnel records..
And the scariest part of all..
They didn't break any encryption.. They didn't find any zero-days.. They exploited the fact that the entire software industry blindly trusts its own build tools..
Every security scanner.. Every Docker image.. Every VS Code extension.. Every GitHub Action.. Is a potential weapon if someone poisons it upstream..
And right now.. Nobody can tell the difference between a legitimate build and a compromised one..
Because the compromised ones have valid signatures too.
My wife calls me, panicked.
The call is from her number, and her voice is unmistakable: that’s my wife.
‘Babe, our son is hurt. He got in a bike wreck. I’m at the emergency room but they won’t take our insurance and I need cash to get him help. Please send me 3000 dollars as soon as you can, he’s really not doing well.’
Me- ‘Wow, that’s scary. Tell me our passphrase and then I’ll send the money.’
Her (it) - ‘What? What passphrase? This is your wife, our son is hurt. Send the money now!!’
Me- ‘I’ll call you back. I don’t believe that this is my wife. If it is, I’m sorry, but we discussed this.’
The number? Spoofed. Easy to do and there’s no way to tell if a phone number is being spoofed aside from hanging up and calling back to confirm.
The voice? AI generated. Easily done. A few seconds of audio is all it takes to create a realistic audio deepfake.
What can you do?
1) Create a family safe word or passphrase. Ours is definitely not ‘Keep Going’ although we considered it. Discuss the passphrase far away from phones or any recording device. This is as analog as possible. Don’t forget that the trigger for the passphrase is just as important as the phrase itself. So instead of asking ‘what’s the safe word?’ have a separate triggering question. For example, you could say ‘I’m eating banana cream pie’ and this would trigger your spouse to respond ‘purple velvet pillows’ if that’s the safe word.
Make it fun, silly, and easy to remember. And DON’T WRITE IT DOWN.
2) Cognitive security is an essential skill in 2026. Assume every image and video you see online is fake until proven otherwise. Expect scams and spammers, and be pleasantly surprised when it’s not.
3) Figure out a backup communication option with people who you absolutely need to be able to reach. Don’t just rely on a phone number for communication. Have redundant, ideally encrypted methods of communication with family.
What did I miss? I think (hope) Nikita is wrong on the timeframe; agentic bots like Claude bot are impressive but not quite ready to flood the phone lines in just 90 days. But I think it’s going to be a huge problem by the end of the year. I already get dozens of increasingly realistic spam calls and texts daily; it’s only going to get more annoying. Have a plan to keep your family and your finances safe!
My team built a VPN at Google. Summary of my advice on VPNs:
1) Never ever use a free VPN.
2) Be wary of any influencer-marketed VPNs with big discounts. Up to you but I wouldn’t use Nord/Express/etc based in Lithuania/Cyprus/Panama.
3) Mullvad is the best consumer VPN and it’s not even close. (more below)
@Lumacas Balance the budget? No more forever wars? No national debt? Make abortion illegal? Abolish the CIA, NSA, FBI? Abolish congressional stock trading? Abolish lobbying (especially AIPAC)? Those would all be higher on my list tbh.
BREAKING:
Update from Belleville, NJ mayor Melham after unprecedented briefing for *500* mayors:
-Objects "not being detected" despite "best detection equipment in nation"
-Origin unknown
-Lights go dark when approached
-Flying over critical infrastructure
-6-7 hour loiter
Paying taxes is like giving $20 to a homeless man hoping he’ll use it for food but knowing he’s using it for drugs then you come back later and he’s started a war with Iraq for no reason.
@chrisdmowrey @MKBHD This is something I do not understand either. I'm not considering this generation because I won't give up my 14 Pro's 120Hz to get a plain 16, and upgrading to the 16 Pro isn't enough to justify the cost for me given that I don't do professional video or podcast work.
Hmmmm weird. I was told repeatedly that Russia had blown up their own pipeline. Why would Ukraine blow up the primary export vehicle for Russia which in turn severed all relations between Germany & Russia, which unified NATO in opposition to Russia? Wait, that makes total sense.
It seems unintuitive that a small 25 basis point interest rate hike in Japan would spike all risk assets, including tonight's -20% $ETH candle.
But you need to understand the way the carry trade works:
It's a leveraged unwinding.
My thoughts: If you are not taking measures to ensure hardened communications, against ANY malign actor, you are drastically behind the curve. Take this information as you will, but it is always recommended to take measures to increase the resiliency of radio networks. If an entity can silence speech with an email, you do not have freedom of speech. And always remember, in the ham radio world, there will ALWAYS be an overwhelmingly significant number of people who seek to cause harm to you and your family, because you didn't follow the regulations set forth by an unelected federal agency that has decided to make law on its own. Plan accordingly.
Morning after follow-up on Iran v. Israel.
Short version: Scenario 1 playing out.
Iranians whacked Israelis hard enough to reestablish deterrence, while the White House is telling the Israelis that "if you want a war, get out of my house".
Longer explanation below.
1/x
"WW III is starting" discourse is going to ramp up in the next few hours, so here's how things will REALLY work.
Iranian policy since 2020, after the Trump admin whacked Soleimani, has been strategic patience — i.e., Iran's unique set of challenges can't be immediately won...
1/x