Four Credential-Harvesting Campaigns Hit Open Source Ecosystems in Two Weeks
ID: c4d03729-f197-551d-9a3a-21db98bc82b6
STIX ID: report--c4d03729-f197-551d-9a3a-21db98bc82b6
Feed Name: Security Boulevard
Four near-simultaneous credential-harvesting campaigns (May–June 2026) targeted open-source ecosystems: backdooring 5,561 GitHub repositories, poisoning 700+ Composer package versions, publishing malicious packages across npm/PyPI/Crates.io, and compromising 96 versions of Red Hat npm packages. The campaigns aimed to exfiltrate CI/cloud credentials, SSH keys, tokens, and secrets using GitHub Actions payloads, tag rewriting, ecosystem-specific execution hooks, and account takeover. Organizations are advised to inventory secret exposure and rotate compromised credentials.
