Anthropic patches Claude Code GitHub Action repo-takeover chain
GMO Flatt Security's RyotaK chained a checkWritePermissions bot bypass with prompt injection to hijack any public repo running claude-code-action. Fix shipped in v1.0.94.
Researcher Ammar Askar dropped a webview-postMessage exploit on June 2 that steals github.dev OAuth tokens via a single click. Microsoft shipped a stopgap fix the next day.
Red Hat security bulletin RHSB-2026-006 confirms 32 @redhat-cloud-services npm packages were trojaned on June 1, 2026 with a self-spreading credential-stealing worm derived from Shai-Hulud.
Microsoft says a single maintainer 'vpmdhaj' pushed 14 typosquatted npm packages on May 28 that exfiltrate AWS, ECS, HashiCorp Vault and npm tokens via a Bun-runtime payload.
CISA's May 28 alert ties the 3,800-repo GitHub breach to a poisoned Nx Console VS Code extension. CVE-2026-48027 is in KEV. Federal deadline June 10.
Attackers rewrote Git tags across four Laravel-Lang repos to point at a malicious fork, planting a Composer-autoloaded stealer that runs on every request. Packagist has unlisted the packages.