GitHub, the world's biggest code repository and DevOps platform, fell victim to a malicious Visual Studio Code (VS Code) extension. The company's initial assessment is that only internal repositories were exfiltrated. The incident was reported by GitHub on X, with follow-up posts revealing a "poisoned VS Code extension" as the cause. The Microsoft-owned code shack continues to "analyze logs, validate secret rotation, and monitor for any follow-on activity."
“Yesterday we detected and contained a compromise of an employee device involving a poisoned VS [Visual Studio] Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” GitHub said.
Quantum Bridge announced on Wednesday that it has raised $8 million in Series A funding for its quantum-safe key distribution solution. The new funding, which brings the total raised by the company to $16 million, was supported by Wayra (Telefónica), Cadenza VC, Club degli Investitori angels, HPE, and Bacchus Venture Capital.
An attacker compromised an administrative key tied to Echo Protocol’s deployment on the Monad blockchain network and used it to mint 1,000 eBTC tokens valued at about $76.7 million. The attacker granted their own wallet minting privileges, then deposited 45 eBTC as collateral into the Curvance decentralized lending protocol. Using that collateral, the attacker borrowed 11.29 WBTC, bridged the borrowed assets to Ethereum, swapped them for ETH, and sent about 385 ETH into Tornado Cash.
Grafana has confirmed that an unauthorized party gained access to its GitHub environment after obtaining a compromised token, allowing the attacker to download parts of its codebase. In a public statement shared on X, the company said its investigation found no evidence that customer data or personal information was accessed and that no evidence that customer systems or operations were affected. The breach was discovered after unusual activity triggered a forensic investigation.
Analyst Eric Heath raised the firm’s price target on Okta to $103 from $95 and kept an Overweight rating on the shares, citing a sharper outlook for enterprise security spending in the back half of the year.
According to TrendAI's Zero Day Initiative (ZDI), white hat hackers have been awarded $1,298,250 for 47 unique vulnerabilities. Nearly $750,000 of the total amount was won by the first two teams: Devcore and StarLabs SG. The two teams also received the highest payouts for a single exploit chain. Devcore earned $200,000 for a remote code execution exploit with System privileges on Microsoft Exchange, and $175,000 for a Microsoft Edge sandbox escape. It also received $100,000 for exploiting Microsoft SharePoint.
