Supply chain attack alert: .github/setup.js
Sentiment Mix
Geography
Expert Signals
antihero
author • 1 mention
Hacker News
source • 1 mention
AI-Generated Claims
Generated from linked receipts; click sources for full context.
Vectors are* Claude hooks* Gemini hooks* Cursor setup* VScode tasksIt adds all of the above to execute node .github/setup.js, an obfuscated file.Check infected: `rg --hidden --no-ignore 'node .github/setup.js`It spreads by adding mimic'd skip-ci commits to open PRs which then get merged.Payload is obfuscated, available on request.If this is already a known one in the world, apologies, it hit us at around 10PM BST last night, the damage would have been incredible.Still trying to identify the original source.
Supported by 1 story
Related Events
US Treasury Secretary warns bank CEOs on Anthropic's new AI model - Finextra Research
Security • 6/5/2026
AI is helping low-skill hackers pull off advanced cyberattacks - Help Net Security
Security • 6/5/2026
US judge suspends govt sanctions on AI company Anthropic - Digital Journal
Security • 6/5/2026
Anthropic sues Trump administration seeking to undo 'supply chain risk' designation - 6abc Philadelphia
Policy & Regulation • 6/5/2026
Buzzy Adds MCP Support, Bringing Governed Enterprise App Creation to Codex, Claude Code, Cursor, and AI Agents - AiThority
LLMs • 6/5/2026
Causality Chain
Preceded By