devtake.dev

#credential-theft

Visual Studio Code logo on a dark background
Security

VS Code's webview sandbox leaks GitHub tokens that read and write every private repo

A disclosed VS Code zero-day lets one click on a malicious github.dev notebook steal a GitHub OAuth token with full read-write access to every private repo.

Minecraft promotional artwork accompanying coverage of the WeedHack malware campaign
Gaming

116,000 Minecraft PCs got infected by fake mods. The 'WeedHack' stealer is free to anyone.

McAfee says a free malware-as-a-service stealer called WeedHack has hit 116,000+ Minecraft systems via fake mods and cheats. Here's what it grabs and how to clean up.

A 7-Eleven storefront, the retail chain whose franchisee document store was breached and leaked.
Security

ShinyHunters dumped 9.4GB of 7-Eleven franchisee data after a rejected ransom demand

ShinyHunters breached a 7-Eleven Salesforce instance holding franchisee documents, exposing 185,000 people. The 9.4GB archive hit a leak site after 7-Eleven declined to pay.

The Microsoft corporate logo, the brand the scam emails are spoofing through Microsoft's own legitimate notification infrastructure.
Security

Scammers turned a Microsoft notification address into a spam relay. The emails pass SPF, DKIM, and DMARC.

Spammers found a Tenant Name injection in Entra ID that pushes fraud text into Microsoft's own OTP emails. The from-line reads [email protected].

GitHub security blog header showing the GitHub Octocat logo on a backdrop of black security blocks.
Security

GitHub's internal repos were breached. The attacker came in through a poisoned VS Code extension.

GitHub detected the intrusion on May 18 after a malicious VS Code extension compromised an employee's device. The attacker claims to have exfiltrated 3,800 internal repositories.

CISA logo and seal of the U.S. Cybersecurity and Infrastructure Security Agency
Security

A CISA contractor left GovCloud admin keys on public GitHub. The file was named 'Important AWS Tokens.txt'.

GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.

A technician at a server rack with a laptop, standing in for the SQL infrastructure Opexus ran for 45 federal agencies.
Security

Twin contractors deleted 96 federal databases in 56 minutes. One asked an AI how to clear the logs.

A federal jury convicted Sohaib Akhter on May 7 of wiping 96 government databases at Opexus. His twin Muneeb queried an AI: 'how do I clear system logs from SQL servers.'

TanStack website header with logo
Security

TanStack published its npm supply-chain postmortem. The attack chained three GitHub Actions flaws.

Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.

Illustration accompanying ChinaTalk's investigation into grey-market Claude API proxy networks
AI

Chinese proxy networks sell Claude API access at 90% off. They harvest every prompt that passes through.

A ChinaTalk investigation reveals how 'transfer stations' resell Anthropic API access using stolen credentials, model substitution, and prompt harvesting.

Abstract visualization of data exposure through code
Security

380,000 vibe-coded apps are sitting on the open web. 5,000 of them are leaking real data.

RedAccess found that AI coding tools like Lovable, Base44, and Replit default to public hosting, leaving medical records, bank internals, and corporate secrets indexed by Google.

Illustration of students affected by a cybersecurity breach
Security

ShinyHunters hit Canvas LMS for the second time. 275 million student records, 9,000 schools.

ShinyHunters breached Canvas LMS again, claiming 275 million records from 9,000 schools. Names, emails, student IDs, and private messages exposed.

A padlock on a chain, illustrating credential security.
Security

Microsoft Edge keeps every saved password in cleartext memory. Microsoft calls it 'by design'.

A researcher showed Edge decrypts the entire password vault at launch and leaves it in process memory. Chrome decrypts on demand. Microsoft says it's intentional.

Lightning AI logo on a dark background, illustrating the PyPI supply chain compromise of the lightning Python package.
Security

Mini Shai-Hulud hit PyTorch Lightning. The 11.6M-download PyPI package shipped a credential stealer.

Two malicious lightning releases hit PyPI on April 30. The 42-minute window was enough to ship an RSA-encrypted infostealer to ML developers worldwide.

WatchTowr Labs disclosure illustration for the cPanel and WHM authentication bypass CVE-2026-41940
Security

70 million domains had a no-password root bypass. cPanel rushed an emergency patch.

cPanel shipped fixes April 28 for a CVSS 9.8 auth bypass that walks attackers into shared-hosting panels with no password. WatchTowr says exploitation started before the patch.

Socket security research card promoting the CanisterWorm Namastex compromise analysis.
Security

Another npm worm: CanisterWorm hits 16 Namastex packages and reaches PyPI on the same hop

Socket flagged a self-propagating worm in @automagik/genie, pgserve, and 14 sibling Namastex Labs packages. It steals 40 credential categories and republishes itself.

Aikido Security illustration of the GPT-Proxy backdoor.
Security

Malicious npm and PyPI packages turn dev servers into Chinese LLM proxies

Aikido found a stage-2 Go binary inside two health-check-themed packages that runs an OpenAI-compatible router, sending Claude, GPT, and Gemini traffic through Chinese aggregators.

Bitwarden CLI compromised by the Shai-Hulud npm worm
Security

Bitwarden CLI got backdoored for 90 minutes. The worm calls itself 'Shai-Hulud: The Third Coming.'

A malicious @bitwarden/[email protected] hit npm on April 22. The payload steals npm tokens, cloud secrets, and Claude Code credentials, then self-replicates.