GitHub
-
ForceMemo offshoot of GlassWorm force pushes malware into hundreds of Python repositories
A supply chain campaign called ForceMemo stole GitHub tokens and force-pushed obfuscated code into hundreds of Python repositories starting March 8, 2026. Compromised packages and pip installs may deliver remote payloads.
-
Multi-stage phishing campaign in Russia delivers Amnesia RAT and ransomware via GitHub and Dropbox
A multi-stage phishing campaign observed in Russia delivers Amnesia RAT and Hakuna Matata ransomware. The chain uses GitHub and Dropbox for payload staging and disables Defender before stealing data and encrypting files.
-
GitHub repositories used to deliver new PyStoreRAT JavaScript RAT
Researchers say GitHub-hosted Python repositories have been used to deliver a JavaScript-based RAT called PyStoreRAT that executes remote HTA payloads, deploys a Rhadamanthys stealer and includes persistence and evasion measures; Chinese vendor QiAnXin also reported a separate SetcodeRat campaign.
-
Unpatched Gogs vulnerability being actively exploited; hundreds of instances compromised
Wiz researchers say a high-severity unpatched flaw in Gogs (CVE-2025-8110) is being actively exploited, with more than 700 compromised instances; the issue allows file overwrites via symbolic links and can lead to remote code execution. Researchers recommend disabling open registration, limiting internet exposure and scanning for random repositories while a fix is developed.
-
Researchers expose North Korean scheme to rent engineer identities for remote jobs
Security researchers say North Korean recruiters tied to Famous Chollima have been soliciting software engineers to rent their identities, using stolen identities, deepfakes and remote access to secure jobs at Western firms and route activity through compromised machines.
-
North Korean actors push 197 malicious packages to npm to deploy OtterCookie variant
Researchers say North Korean actors uploaded 197 malicious npm packages, downloaded over 31,000 times, to deploy an OtterCookie variant that evades sandboxes, establishes C2 access and steals credentials and crypto data; delivery used a Vercel URL and a now-unavailable GitHub account, and the campaign has also employed fake job-assessment lures to distribute Go-based backdoors.
-
Shai‑Hulud campaign trojanises hundreds of npm packages and leaks CI/CD secrets to GitHub
A renewed Shai‑Hulud campaign has published thousands of trojanised npm packages that steal developer and CI/CD secrets and post them to GitHub; researchers at Aikido and Wiz say the operation modified legitimate packages, used compromised maintainer accounts and is leaking secrets in automatically created GitHub repositories.
-
Astaroth banking trojan leverages GitHub to restore command-and-control, McAfee says
McAfee Labs reported that the Astaroth banking trojan campaign uses GitHub-hosted images with steganography to update configurations and maintain access after C2 takedowns; the campaign targets Brazil and other Latin American countries and is delivered via DocuSign-themed phishing emails.
-
Patched command injection in Figma MCP server could allow remote code execution, researchers say
A command injection bug in the figma-developer-mcp Model Context Protocol server, tracked as CVE-2025-53967 and scored 7.5, could allow remote code execution by interpolating unvalidated input into shell commands; the issue was fixed in version 0.6.3 and researchers recommend avoiding child_process.exec with untrusted data.
-
GitHub outlines changes to harden npm after self-replicating worm incident
GitHub said a self-replicating “Shai-Hulud” worm compromised maintainer accounts and injected malicious post-install scripts into npm packages, and outlined changes including required 2FA, short-lived granular tokens and trusted publishing to harden npm’s supply chain.
