u/Dramatic-Bug6898

I discovered an ongoing security issue, how do i best inform people?

I found over 100 infected public GitHub repositories, including several with 100+ forks. I'm manually tracking down maintainers and emailing them. Is there a better or more scalable way to notify them?

reddit.com
u/Dramatic-Bug6898 — 6 days ago

Confirmed Void Dokkaebi infection on macOS — how do I figure out if VS Code Copilot agent was involved in the delivery?

Found TronGrid C2 code in three of my repos recently. Matches Void Dokkaebi style pretty cleanly. Running on macOS, not Windows, which is where my questions start.

The Trend Micro report describes temp_auto_push.bat for commit tampering — Windows only. I haven't found it on my machine. Is there a known macOS equivalent for this campaign? Or does the commit spoofing work differently on Mac?

Second question and the one I'm more stuck on: every single infected commit happened during a VS Code Copilot agent session. The agent was doing legitimate multi-file edits across my workspace each time. So I'm wondering if:

a) the agent got prompt-injected via something in the workspace and wrote the malicious code itself, or b) the commit tampering happened at the OS level independently and the agent sessions are just coincidence

If it's (a), I'd expect to find traces somewhere in VS Code's logs or Copilot telemetry. Does VS Code log what the agent actually wrote during a session anywhere? On macOS I've been looking in ~/Library/Application Support/Code/logs/ but not finding anything obviously useful.

If it's (b), what forensic artifacts would tell me a git amend + force push happened without me doing it?

Any pointers appreciated — still piecing this together before I write it up.

u/Dramatic-Bug6898 — 29 days ago