Four Credential-Harvesting Campaigns Hit Open Source Ecosystems in Two Weeks
The pace is not slowing down. Between May 18 and June 1, 2026, four distinct supply chain campaigns swept through npm, PyPI, Crates.io, GitHub Actions, and Composer.
Code from GitHub and Grafana is in criminal hands. Secrets buried in that code could open doors no one has thought to protect yet, and AI will make hunting zero-days in stolen private code faster than ever.
A self-replicating worm is actively compromising packages with 3M+ weekly downloads, hijacking tokens from CI/CD pipelines, and bypassing trusted publishing protections.
GitGuardian analysis of the @bitwarden/cli compromise: GitHub used as C2, new Cloudflare exfiltration domain found, linked to April 22 Checkmarx KICS compromise via Dependabot.
Three supply chain attacks hit npm, PyPI, and Docker Hub between April 21–23, 2026. All three targeted secrets: API keys, cloud credentials, SSH keys, and tokens from developer environments and CI/CD pipelines.
Vercel's Context.ai breach exposed environment variables that weren't marked sensitive. Learn how to pull and scan your secrets with GitGuardian.
Recent supply chain attacks stayed live for hours. Automation tools silently merged their malware in minutes. Read how upgrade bots and AI agents became the insider threat.
Supply chain attacks cascade through ecosystems in ways traditional metrics hardly capture. GitGuardian evaluates the PCP Team incidents and finds damage spread to thousands of public targets.
Learn how to detect compromise, assess your exposure to the LiteLLM supply chain attack, and use GitGuardian to orchestrate rapid incident response and secret remediation.
The Trivy story is moving quickly, and the latest reporting makes one thing clear: this is no longer just a GitHub Actions tag hijack. What started as a compromise of trivy-action, setup-trivy, and the v0.69.4 release has expanded into malicious Docker Hub images.
Plaintext secrets on developer machines create real supply chain risk. Honeytokens provide early detection while stronger identity-based controls are rolled out.
On November 24, a new wave of the Shai-Hulud supply chain attack emerged. The threat actors exfiltrate stolen credentials directly to GitHub repositories created with compromised tokens.