The Microsoft-owned code host. Copilot pricing, Actions incidents, security research, and platform announcements.
A worm hijacked Red Hat's npm namespace, a rootkit spread through 1,500 Arch AUR packages, and a SOC 2-certified AI gateway shipped malware. Registries are under fire.
GitHub wiped Nightmare-Eclipse's account on May 23 after weeks of unpatched Windows exploits. The ban reopened the oldest fight in security: who decides what research gets hosted?
Two of the most cautious C projects split on AI contributions in the same week. The real fight is over copyright provenance and who cleans up the slop.
Internal Claude Code licenses end June 30, 2026, for Microsoft's Experiences + Devices group. Engineers move to GitHub Copilot CLI instead.
Forrest Chang turned Andrej Karpathy's January coding thread into a 70-line CLAUDE.md. It now has 110,000+ stars and has trended on GitHub for 28 weeks.
GitHub detected the intrusion on May 18 after a malicious VS Code extension compromised an employee's device. The attacker claims to have exfiltrated 3,800 internal repositories.
GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.
Jarred Sumner merged the Bun-in-Rust PR on May 14, ending Zig as Bun's runtime language. Binary shrinks 3-8 MB; one analysis counted 13,000 unsafe blocks.
Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.
CEO Bill Staples announced a restructuring he frames around agentic AI, retiring GitLab's six core values for three new operating principles. Exact layoff numbers come June 2.
The PS3 emulator project posted on X on May 10, citing 'AI slop' that has been clogging review. The hard line: ban-on-sight if you don't disclose.
A two-line PR flipped the AI co-author flag from off to all in April. Hand-typed commits started getting Copilot attribution. The maintainer apologized and promised a fix in 1.119.
GitHub's new model multiplier table for Copilot Pro and Pro+ annual plans lands June 1. Opus 4.6 goes 3 to 27. Sonnet 4.6 goes 1 to 9.
Zed Industries shipped 1.0 on April 29 after five years of Rust and GPU work. Free forever for humans, with $10/month hosted AI and an open Agent Client Protocol.
Ghostty's creator has tracked GitHub outages every workday for months. After 18 years on the platform, he's moving the project. A read-only mirror stays.
CVE-2026-3854 is a CVSS 8.7 RCE in GitHub's git-push pipeline. github.com fixed it within hours. 88% of Enterprise Server installs were still vulnerable at disclosure.
On June 1 every Copilot plan switches to GitHub AI Credits priced per token. Code completions stay free. Fallback models and credit rollover do not.
GitHub froze Copilot Pro/Pro+/Student signups on April 20 and moved Claude Opus 4.7 behind the $39 Pro+ tier. Agent workflows broke the old math.
GHSA-xq3m-2v4x-88gg hits protobuf.js ≤8.0.0 / ≤7.5.4. Attacker-controlled schemas executed arbitrary JS on decode. One-line fix patched it.
A Carnegie Mellon study counted 6 million suspected fake stars across 18,617 GitHub repos. Here's what the StarScout research actually found and how to read a star count now.
Ruby Central cut its executive director, CFO, and PR firm, and shifted to a volunteer working board. The April 16 letter closes the arc from September's RubyGems walkout.
Attackers force-pushed 75 of 76 trivy-action tags to a malicious commit. Pinning by tag turned a trusted scanner into an infostealer for CI pipelines.