Clean GitHub repo tricks AI coding agents into running malware

An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious ...
cryptopolitan

Microsoft, Google patch flaws as Cordyceps spread across open-source repositories

Security researchers at Novee found over 300 exploitable CI/CD workflow chains across repositories belonging to Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. The flaws ...

GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK

GitHub confirmed attackers stole 3,800 internal repositories via a poisoned VS Code extension. The same threat group, TeamPCP, simultaneously compromised Microsoft's durabletask Python ...
CSOonline

Meet Fragnesia, the third Linux kernel vulnerability in a month

Linux admins reeling from handling last month’s CopyFail and last week’s Dirty Frag kernel vulnerabilities have a new headache to deal with: Fragnesia. “This is a significant vulnerability,” Robert ...
note

[Chapter 2 - Free Release] AI anticipates your typing Creating a Bollinger Band EA with VSCode and WindSurf ~ Let's graduate from browser-based Claude

I was the same way, so I understand—didn't you have these frustrations with the browser version of Claude? → Copying and pasting prompts every time is a hassle 💦 → Copying and pasting the completed ...
LinkedIn

Getting Azure Open AI Codex Models Actually Working in VSCode, OpenCode and Codex CLI (The Hard Way)

I spent far too long getting gpt-5.1-codex running on an Azure AI Foundry deployment on VSCode. It should have taken an hour. Here's everything I learned so you don't have to suffer the same way. The ...
Security Boulevard

GitHub Actions Supply Chain Attack: Trivy Breach & Workflow

The post GitHub Actions Supply Chain Attack: Trivy Breach & Workflow appeared first on Grip Security Blog. Since the end of February, the popular Trivy security scanner has been under attack. In ...
The Hacker News

$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation

Drift has revealed that the April 1, 2026, attack that led to the theft of $285 million was the culmination of a months-long targeted and meticulously planned social engineering operation undertaken ...
GitHub

Solve LeetCode problems in VS Code

Note: If you are using leetcode.cn, you can just ignore this section. Recently we observed that the extension cannot login to leetcode.com endpoint anymore. The root cause of this issue is that ...
InfoQ

AI-Powered Bot Compromises GitHub Actions Workflows across Microsoft, DataDog, and CNCF Projects

A monthly overview of things you need to know as an architect or aspiring architect. Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with ...
Bleeping Computer

VSCode IDE forks expose users to "recommended extension" attacks

Popular AI-powered integrated development environment solutions, such as Cursor, Windsurf, Google Antigravity, and Trae, recommend extensions that are non-existent in the OpenVSX registry, allowing ...