automated campaign pushes over 5,700 malicious commits to 5,561 GitHub repositories in just six hours and the attacker using throwaway accounts with random names and forged commit authors like build-bot, auto-ci, ci-bot, and pipeline-bot all with messages like "ci: add build optimization step" or "chore: optimize pipeline runtime." Basically indistinguishable from routine CI noise.
atool maintainer account got hacked, and attacker pushed 631 malicious versions across 314 packages in 22 minutes. another day and another attack. it steals everything like AWS keys, GitHub tokens, npm creds, SSH keys, database strings, docker configs, kubernetes tokens. If you have docker socket exposed, it escapes the container with privileged access.
How to check is look for versions published on 2026-05-19 between 01:44-02:06 UTC. Payload SHA256: a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c
If you got hit then rotate everything. All of it.
Same payload as the SAP compromise 3 weeks ago (Mini Shai-Hulud). 498KB obfuscated Bun script with identical credential harvesting patterns.
atool maintainer account got hacked, and attacker pushed 631 malicious versions across 314 packages in 22 minutes. another day and another attack. it steals everything like AWS keys, GitHub tokens, npm creds, SSH keys, database strings, docker configs, kubernetes tokens. If you have docker socket exposed, it escapes the container with privileged access.
massive campaign for 170+ packages and 400+ malicious versions published. what we saw that not a single maintainer account compromised. tanStack and Mistral AI these are the names that stand out.
We founded 4 SAP packages which were actually published today with a malicious preinstall hook. packages are cap-js/sqlite, cap-js/postgres, cap-js/db-service, and mbt The payload is stealing GitHub tokens, npm tokens or AWS/Azure/GCP credentials, and then uses the stolen GitHub token to commit back into the victim's own repos which in return dropping a vs code tasks.json that re runs the attack every time someone opens the project.
the interesting thing we found that the attacker modified CI workflow to extract an OIDC token and publish to npm directly which bypass the normal release pipeline entirely. The malicious versions have zero SLSA attestations otherwise the legit ones have two. If you run any of these packages, rotate everything now please