Sure, I'm frustrated by the github outages too, but hacking into github to fix their code seems like a bit of an overreaction.
Xunjin 1 hours ago [-]
GitHub: " Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far."
It's certainly not the right platform. It'd be one thing if they had any official communication on the matter anywhere else. Maybe they're ashamed and are trying to limit the visibility while only technically issuing an announcement.
They announced this exclusively on X.com, which ranks barely above Pinterest in terms of usage. That's below Reddit, Snapchat, WeChat, and Instagram, and requires a user account to view profiles and posts. And that's ignoring all the reasons X is a divisive platform with an extreme political bent.
GitHub chose not to announce this on any other social media either (BlueSky, Facebook, TikTok, YouTube, LinkedIn, or Mastodon, as of this posting, and with no emails sent on the matter.)
bulbar 54 minutes ago [-]
> Maybe they're ashamed and are trying to limit the visibility while only technically issuing an announcement.
I think that's panic mode from some decision maker (i.e. head of marketing or head of security).
bpodgursky 49 minutes ago [-]
Lol. Saying things doesn't make them true, man. Everyone in tech who matters is on X.
Nobody's going to post on BlueSky or Reddit because they don't matter. You know this, I know this, they know this, let's just all be real here.
blm126 36 minutes ago [-]
I’m not on X, so it’s good to know I don’t matter in tech. I always suspected. Since I’m a paying GitHub customer, though, I should probably matter to them. The right forum for GitHub to post this is with their status page, their blog, their website, or an email to all their customers. Using any sort of social media for this kind of thing is either incredibly sloppy or very intentionally quiet. Given that my tiny employer has a better incident communication plan than this, my guess is this an attempt to downplay things.
philistine 28 minutes ago [-]
> Saying things doesn't make them true, man. Everyone in tech who matters is on X.
The cognitive dissonance is insane here. Indeed, saying things doesn't make them true. Even for you. Facts don't care about your feelings.
sham1 27 minutes ago [-]
Maybe we need a cultural shift then, because if one needs to use a platform like X, nowadays owned and operated by fascists, then there's something deeply wrong with the tech world. It'd probably take a lot of effort to do so, but it'd be absolutely worth it.
Besides, even if that wasn't a consideration, only posting the announcement to X is just crazy. As others have said, you'd expect for GitHub to make the announcement on their official website. Any paying client would then just follow that for their announcements.
worthless-trash 8 minutes ago [-]
I just spent a few minutes trying to think of a better place, I can't think of one, there is no professional social network, and linkedin doesn't qualify.
mulakosag 59 minutes ago [-]
[dead]
jandrewrogers 40 minutes ago [-]
They should send messages directly to their customers as a first step in addition to posting an official article on their site. That’s the minimum. If they haven’t done that then it is hard to defend.
Beyond that, Twitter is the de facto default dissemination vehicle, due to its reach. Even if people are not on Twitter, they are likely to see things from people that are on Twitter.
cebert 3 hours ago [-]
It’s a very popular messaging platform for tech enthusiasts.
ignu 2 hours ago [-]
also a very popular messaging platform for [redacted] enthusiasts
35 minutes ago [-]
yallpendantools 3 hours ago [-]
So? Is this where your corporate paying clients should find out about an issue of this severity?
Not to mention Twitter is not an open platform anymore! (A) I'm an employee in an organization paying for Github. (B) I don't have a Twitter account. I already have a Github account because of (A). Why should (B) stop/delay me from getting official comms about this?
zdragnar 2 hours ago [-]
I can't imagine they'd spam every account with an email address, though an email to organization owners would make more sense.
yallpendantools 2 hours ago [-]
> I can't imagine they'd spam every account with an email address
It's not "spam" if it is relevant to me, such as security incident disclosures.
Also, as tiffanyh pointed out, what's wrong with Github blog or is that exclusively for marketing fluff now? That would've been appropriate enough, without having to spend Sendgrid credits.
bulbar 53 minutes ago [-]
Mailing every (potentially) affected entity is common and good practice for major incidents.
insanitybit 3 hours ago [-]
Isn't it the first stop for the USG at this point? I mean, I wish the world were a different place but here we are.
niyikiza 2 hours ago [-]
Probably the best option after sending a mass email when customers need to take action.
The status page is for reliability issues impacting end users & the blog is for in-depth analysis.
vldszn 5 hours ago [-]
GitHub: "We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity."
TZubiri 4 hours ago [-]
It reminds me of the famous "mistakes were made" Nixon quote.
"We are investigating unauthorized access" sounds much better than "we've been hacked"
tomkarho 1 hours ago [-]
This reminds me of George Carlin standup routine about PTSD. If you want to make any bad news sound less bad, just wrap the concept around complicated jargon to sterilize it.
SoftTalker 39 minutes ago [-]
Carlin would have loved watching the big tech companies fall victim to the very LLMs they created.
vldszn 3 hours ago [-]
Exactly =)
uzyn 4 hours ago [-]
The security issue aside, seeing more companies push announcements like these on X as the only official source is a trend I'm not sure I like.
I can understand the rationale, this feels lighter and not something that belongs on status.github.com or the blog. Maybe what's actually missing is an official channel for ephemeral stuff on a domain they own, somewhere between a status page and a tweet? Just sharing an observation.
riffraff 34 minutes ago [-]
I don't see why this wouldn't fit on status.github.com.
Social media posts were literally called "status updates" at some point.
niyikiza 2 hours ago [-]
My understanding is that when it's something that requires user action they'd directly send comms to customers.
mort96 6 minutes ago [-]
Do they publish these things on a platform other than Twitter too? Or is their policy that you ought to need a Twitter account to follow their security statements?
bananamogul 2 hours ago [-]
I have a hard time believing this because there was never enough GitHub uptime to carry out the attack.
This is bad. If they came out announcing this, without a long winded explanation and further details, it's because they're staring at a bottomless pit and they haven't put the lid on it yet.
For a Fortune 100, to go out of your way to spook investors is the least desirable approach.
CGamesPlay 35 minutes ago [-]
> For a Fortune 100, to go out of your way to spook investors is the least desirable approach.
The company that had 40 million Azure servers compromised? This is a drop in the bucket, the investors clearly do not care about this.
Letting people know promptly is also the right thing to do and probably mandated by (at least some) customer contracts. You can't tell just some people; it would leak anyway.
The only way to 'harden your github actions' is to not use github actions.
vldszn 3 hours ago [-]
Makes sense tbh :)
vldszn 1 hours ago [-]
Disabling vscode/cursor extensions auto-updates also makes sense
robbiet480 3 hours ago [-]
Thanks for making me aware of zizmor, just ran and fixed all issues on our core repos.
vldszn 3 hours ago [-]
You are welcome! Recently discovered it and found it genuinely useful. Fixed a bunch of issues in my workflows too :)
benoau 5 hours ago [-]
You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it *may be executed lmfao.
edited: not "will", may depending on your GHA
CGamesPlay 4 hours ago [-]
Can you cite this? It's not YAML execution syntax, surely Github doesn't do it, the only vector I can see is if you put it unquoted into a shell script inside of a GHA yaml.
All you need is user content containing `backticked`, and a github action referencing that via eg "github.event.issue.title" where the shell would normally execute `backticked` as a command (like echo, cat, etc).
This should be the defacto for all X links. For users who aren't signed in, X is such a hostile website you can't see anything.
I guess it's hostile to signed in users in a different way.
tariky 9 minutes ago [-]
Time to move all my code from github. I was hoping they it will get better but it looks like it is getting much worst. Good bye github.
toastal 4 minutes ago [-]
Join the club! I did as soon as the Microsoft acquisition realizing this would be only a matter of time… with more projects (finally) leaving that ecosystem, I might finally be able to delete my last account with Microsoft.
baq 8 minutes ago [-]
GitHub is like democracy - the least worst forge
buryat 3 hours ago [-]
Sympathy to engineers and everyone at github, it's good that they're being open even if findings are limited. I'm sure they will figure out the root cause and will publish results to be a learning experience for everyone else
All of their repos have been copied and are up for sale. Attackers are TeamPCP, the creators of the Shai-Hulud malware.
mpetrovich 3 hours ago [-]
If that’s true and they do intend on shredding their copy on sale, what stops GitHub from buying it back themselves? (through a proxy, obv)
neom 2 hours ago [-]
Nothing, this is one of the most common types of ransomware going on right now, exfiltration only extortion.
ferguess_k 3 hours ago [-]
I probably wouldn't believe that "shredding". Also there will be legal consequences I think?
killingtime74 4 hours ago [-]
Time to switch to Gitlab, Bitbucket or self-hosted
shevy-java 1 hours ago [-]
As some of us stated in the last weeks: Microsoft is working hard to get people to reconsider GitHub. All those small issues keep on adding up. Something is seriously flawed at Microsoft here - those problems did not exist in that way 2 or 3 years ago. It coincides with the rise of AI.
e-dant 1 hours ago [-]
Is gitea any good?
FrostKiwi 4 minutes ago [-]
Self hosted gitea for many years with ~25 devs.
Yes, it's essentially a FOSS carbon copy of GitHub. CI/CD is also intercompatible, uses the same syntax and pulls the original GitHub Actions packages.
Now with the Forgejo split, I would prefer Forgejo, as it has way more steam behind it with Codeberg and Blender as the big use-cases.
JCTheDenthog 51 minutes ago [-]
I prefer Forgejo, which is a Gitea fork. Forgejo is what runs Codeberg if I understand correctly.
Khaine 27 minutes ago [-]
I currently use Gitea. I am interested in your opinion on why you prefer Forgejo to Gitea
mstank 5 hours ago [-]
Is it just me or is this happening way more frequently in the last 4 or 5 months? Coincidently around the same time the models got a lot more capable?
insanitybit 3 hours ago [-]
I think AI has helped to a degree. I think a lot of people have known about massive gaps in security, but it's been a sort of "why would I?" and a gap that didn't feel worth hopping for attackers.
The gap is smaller now.
I've been talking about package worms for... fuck, a decade. Insane. I've even thought about publishing one to prove a point but, well, it's illegal obviously. And ethically questionable.
Someone just vibecoded up what we've all known was possible for a long, long time. Just like a lot of other vibe coded projects.
I remember talking to a malware author a long time ago and I think this would have been exactly what he would have loved. He liked building custom C2 protocols, tiny malware, etc, but when we discussed a particular idea for owning massive amounts of infrastructure his response was basically "that's a lot of effort to get a krebs article and FBI attention". Now it's not so much effort!
daemin 22 minutes ago [-]
Do you mean because more people are vibe coding, trusting the models' output, and putting code directly into production, so there are more security vulnerabilities created?
Or because there are more source code scanners which end up finding more vulnerabilities?
tom_ 4 hours ago [-]
It's more likely that it isn't coincidental at all: software development-oriented LLMs became a lot better towards the end of 2025, and so there's a non-zero chance that people are using them to find new security exploits.
(People are not sleeping on this and it is not something people have failed to notice. I don't use LLMs at all and even I have noticed it - largely because there is approximately nobody that isn't talking about it.)
tptacek 3 hours ago [-]
There is a 100% chance that people are using LLMs to find vulnerabilities and build exploits. If it was possible for something to be a 101% chance, that's what it would be.
tom_ 3 hours ago [-]
Apologies to all - I am British. The phrase "non-zero" does cover every case other than zero, but the intent is that it covers some cases more than others. What I'm trying to say is: yes. My intent was just to push back on this specific (and slightly bizarre to me) instance of kind-of-vagueposting, to my eyes written to imply that it might be some sort of unnoticed conspiracy, detectable only by the most enlightened of observers, attuned to the subtle signals that most people miss: that people are using LLMs to find security exploits.
tptacek 2 hours ago [-]
Right, no, what I'm snarkily saying is that basically everybody who has ever looked for a vulnerability before is now using LLMs to do it. It's a huge thing in exploit development right now.
OptionOfT 3 hours ago [-]
I think the other side is much more important. With company mandates to use AI as much as possible, there has been a deluge of low-quality PRs. Everybody is feeling tired from reviewing those, and quite possibly numerous security issues have been introduced since.
tom_ 3 hours ago [-]
Ahh, that's a good point, and I actually hadn't thought of that angle! I was thinking of it purely from the point of view of the attackers using LLMs to generate interesting new exploits, with a side helping of letting myself get mildly annoyed, possibly incorrectly, by the writing style.
But yes, it's also possible the defenders have been kind of forced into having the slop machine shit out a huge pile of shit-ass changes, one way or another, that end up making the attackers' job even easier. (Even assuming no mechanisation at their end! Which is of course in nearly-June of 2026, probably unrealistic. And LLMs do appear to be really quite good at that side of the equation...)
skydhash 3 hours ago [-]
The most dangerous is where the new feature works well and is using safe APIs, but integration is quietly broken somewhere. The risk of incoherent state is way higher because you no longer have a small set of people that knows the complete theory of the software and can find discrepancies.
guluarte 3 hours ago [-]
I heard an engineer at Anthropic was submitting 150 PRs per day. That's one PR every 5 to 10 minutes, so you can guess the level of review and quality control involved.
tomrod 2 hours ago [-]
I have days with those kinds of PRs. Usually because I'm too lazy to check color compatibility outside the browser.
ares623 2 hours ago [-]
You know how Windows used to get a majority of the malware due to market share?
Now the market share is all the AI agent users.
darig 4 hours ago [-]
[dead]
bob1029 5 hours ago [-]
I think it's more about the popularity than the capability. The chances you might accidentally put a Github access token into an undesired security context goes up dramatically when you actually create and use one on a regular basis. The developers at GH are certainly using these tools just like the rest of us.
5 hours ago [-]
surrTurr 3 hours ago [-]
"Someone broke into our house and we have no clue if they're still hiding under the bed or in the drawer. TV is gone."
waynesonfire 4 hours ago [-]
Are they required to announce that they're being hacked in real time?
tonetegeatinst 4 hours ago [-]
Microsoft owned so many a CYA to explain why the liability insurance goes up to investors?
senectus1 36 minutes ago [-]
its infuriating that they still haven't listed the poisoned extension..
starkeeper 2 hours ago [-]
this is so amazing and brilliant display of the enshitification wow they won't fire the right people gauranteed maybe a slightly smaller ``bonus``
jonnyasmar 5 hours ago [-]
[flagged]
dogelabsvr 5 hours ago [-]
Are you a bot?
homeonthemtn 5 hours ago [-]
I concur
syngrog66 5 hours ago [-]
between all the Linux LPEs and Claude's known security flaws, alone, I'd be shocked if Github and Microsoft hadnt gotten hacked by now. reasonable bet we mainly hear it when big shops get bit
TZubiri 4 hours ago [-]
Before 2026 I hosted client code on GitHub, now it feels suboptimal, code is both an intellectual property asset and security risk. Especially if the company is software based, self-hosting your code just has a much better risk profile for almost no cost.
It's also one of those things that warms your team up and gets them ready for actual work, a team that has to self host their git and other infra, like self-hosting DNS servers with bind, will have a much better work ethic than engineers who click buttons on a SaaS and conflate their role as users of a system instead of admins of one.
Additionally, using github actions, and relying on Pull Requests (Tm) (R) (C) has always been (useful) vendor lock in (and a security risk in case of GH Actions). It wasn't enough to lock down a choice, but it tilts the balance in favour of less dependencies, which with the increase of CVEs and supply chain vulns, seems to be the name of the game for this new era. Build it in house, ignore the dogma.
Oof
https://xcancel.com/github/status/2056949169701720157
I ask because I don’t see anything posted on their official blog or status page.
https://github.blog/
https://www.githubstatus.com/
They announced this exclusively on X.com, which ranks barely above Pinterest in terms of usage. That's below Reddit, Snapchat, WeChat, and Instagram, and requires a user account to view profiles and posts. And that's ignoring all the reasons X is a divisive platform with an extreme political bent.
GitHub chose not to announce this on any other social media either (BlueSky, Facebook, TikTok, YouTube, LinkedIn, or Mastodon, as of this posting, and with no emails sent on the matter.)
I think that's panic mode from some decision maker (i.e. head of marketing or head of security).
Nobody's going to post on BlueSky or Reddit because they don't matter. You know this, I know this, they know this, let's just all be real here.
The cognitive dissonance is insane here. Indeed, saying things doesn't make them true. Even for you. Facts don't care about your feelings.
Besides, even if that wasn't a consideration, only posting the announcement to X is just crazy. As others have said, you'd expect for GitHub to make the announcement on their official website. Any paying client would then just follow that for their announcements.
Beyond that, Twitter is the de facto default dissemination vehicle, due to its reach. Even if people are not on Twitter, they are likely to see things from people that are on Twitter.
Not to mention Twitter is not an open platform anymore! (A) I'm an employee in an organization paying for Github. (B) I don't have a Twitter account. I already have a Github account because of (A). Why should (B) stop/delay me from getting official comms about this?
It's not "spam" if it is relevant to me, such as security incident disclosures.
Also, as tiffanyh pointed out, what's wrong with Github blog or is that exclusively for marketing fluff now? That would've been appropriate enough, without having to spend Sendgrid credits.
"We are investigating unauthorized access" sounds much better than "we've been hacked"
I can understand the rationale, this feels lighter and not something that belongs on status.github.com or the blog. Maybe what's actually missing is an official channel for ephemeral stuff on a domain they own, somewhere between a status page and a tweet? Just sharing an observation.
Social media posts were literally called "status updates" at some point.
https://news.ycombinator.com/item?id=43181789
For a Fortune 100, to go out of your way to spook investors is the least desirable approach.
The company that had 40 million Azure servers compromised? This is a drop in the bucket, the investors clearly do not care about this.
https://www.microsoft.com/en-us/security/blog/2026/05/18/sto...
- set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...
- add Socket Free Firewall when installing npm packages on CI https://docs.socket.dev/docs/socket-firewall-free#github-act...
edited: not "will", may depending on your GHA
https://stackoverflow.com/questions/77090044/github-actions-...
https://www.praetorian.com/blog/pwn-request-hacking-microsof...
All you need is user content containing `backticked`, and a github action referencing that via eg "github.event.issue.title" where the shell would normally execute `backticked` as a command (like echo, cat, etc).
I guess it's hostile to signed in users in a different way.
All of their repos have been copied and are up for sale. Attackers are TeamPCP, the creators of the Shai-Hulud malware.
The gap is smaller now.
I've been talking about package worms for... fuck, a decade. Insane. I've even thought about publishing one to prove a point but, well, it's illegal obviously. And ethically questionable.
Someone just vibecoded up what we've all known was possible for a long, long time. Just like a lot of other vibe coded projects.
I remember talking to a malware author a long time ago and I think this would have been exactly what he would have loved. He liked building custom C2 protocols, tiny malware, etc, but when we discussed a particular idea for owning massive amounts of infrastructure his response was basically "that's a lot of effort to get a krebs article and FBI attention". Now it's not so much effort!
Or because there are more source code scanners which end up finding more vulnerabilities?
(People are not sleeping on this and it is not something people have failed to notice. I don't use LLMs at all and even I have noticed it - largely because there is approximately nobody that isn't talking about it.)
But yes, it's also possible the defenders have been kind of forced into having the slop machine shit out a huge pile of shit-ass changes, one way or another, that end up making the attackers' job even easier. (Even assuming no mechanisation at their end! Which is of course in nearly-June of 2026, probably unrealistic. And LLMs do appear to be really quite good at that side of the equation...)
Now the market share is all the AI agent users.
It's also one of those things that warms your team up and gets them ready for actual work, a team that has to self host their git and other infra, like self-hosting DNS servers with bind, will have a much better work ethic than engineers who click buttons on a SaaS and conflate their role as users of a system instead of admins of one.
Additionally, using github actions, and relying on Pull Requests (Tm) (R) (C) has always been (useful) vendor lock in (and a security risk in case of GH Actions). It wasn't enough to lock down a choice, but it tilts the balance in favour of less dependencies, which with the increase of CVEs and supply chain vulns, seems to be the name of the game for this new era. Build it in house, ignore the dogma.