Dark terminal screen with code representing malware payload analysis of SmartLoader, StealC, and blockchain-resistant C2 infrastructure found in GitHub Trojan repositories

2026 GitHub Supply Chain Attack Exposes

July 17, 2026 · 12 min read · By Dagny Taggart

The 10,000-Repo GitHub Malware Campaign

In June 2026, security researcher operating under alias Orchid published findings showing that roughly 10,000 GitHub repositories had been quietly delivering Trojan malware to developers for over a year. The disclosure, posted on the researcher’s blog, revealed a campaign that systematically exploits visual trust signals developers rely on to evaluate code. It exposes a structural gap in how GitHub’s anomaly-detection architecture handles long-running, quietly active threats.

GitHub Actions pwn request attack vector diagram
GitHub Actions pwn request attack vector diagram

The Attack Vector: GitHub Actions ‘pwn Request’

The researcher simultaneously released an open-source detection tool alongside the complete list of 10,000 identified repositories, because GitHub’s security team had not responded to prior disclosures and there were too many affected repositories to report individually. According to CyberNews, the campaign specifically targeted AI agents and developers using AI coding tools, making it one of the most targeted supply chain attacks of the year.

This incident is not an isolated event. It belongs to a broader wave of 2026 supply chain attacks that included the Miasma worm hitting 73 Microsoft repositories across Azure, Microsoft, MicrosoftDocs, and Azure-Samples organizations, and the Megalodon campaign that compromised over 5,500 repositories in under six hours through automated CI/CD backdoor injections. According to Phoenix Security’s 2026 supply chain attack roundup, the year has already seen 59 distinct campaigns delivering 657 malicious packages across npm, PyPI, and VS Code extension marketplaces.

Security researcher analyzing malware on multiple monitors
Security researcher analyzing malware on multiple monitors

The 2026 GitHub supply chain attack represents a fundamental change in how threat actors weaponize open-source trust models.

How the Attack Works: Trust Signal Exploitation

The malicious repositories do not look malicious. Each one is a clone of a legitimate, real-world GitHub project, complete with the original repo’s full commit history, contributor list, and README structure. The attackers made only one change: they added a link to a downloadable ZIP archive.

To a developer quickly vetting the repo, every visible signal reads as trustworthy: a credible dev timeline, contributors who link back to real, long-standing GitHub accounts, and a codebase that matches the legitimate project they were searching for. The campaign targets newly created repositories rather than high-traffic ones, positioning malicious clones near the top of search engine results for low-competition queries while minimizing scrutiny from the original project’s community.

Submitting the download link to VirusTotal returns zero detections. Only when the ZIP file itself is uploaded does antivirus tooling flag the Trojan inside. This detection gap was deliberately engineered by separating the delivery URL from the malicious payload.

A second evasion technique makes automated detection harder still. The repositories periodically delete their most recent commit and push a fresh, identical one, always named “Update README.md,” every few hours. The Orchid Files researcher believes this repetitive overwriting is intended to confuse GitHub’s security algorithms, which appear to flag newly suspicious activity rather than long-standing, quietly anomalous behavior. The result: repositories that have been distributing Trojan malware for over a year continue to pass automated checks because their pattern of activity looks like routine maintenance.

In April 2026, security firm Hexastrike reported discovering 109 fake repositories operating under 103 accounts using the same payload family. The June disclosure expanded the confirmed count to 10,000, roughly 91 times the previously known scale.

Developer screen showing malicious code
Fake repositories cloned legitimate projects and added malicious ZIP archive links to their README files.

Malware Payload Architecture: SmartLoader, StealC, and Blockchain C2

According to Hexastrike’s analysis, the ZIP launcher starts a LuaJIT interpreter with an obfuscated Lua script, a component the firm calls SmartLoader. What makes the payload architecture particularly resistant to disruption is how it locates its command-and-control server. Rather than encoding a fixed IP address or domain that defenders can block, SmartLoader resolves its active infrastructure through a Polygon blockchain smart contract, giving attackers the ability to update C2 endpoints at will without touching the malware binary.

This blockchain-resolved C2 approach has been observed across multiple 2026 supply chain campaigns. The Miasma worm variant, which Microsoft’s Threat Intelligence team analyzed in detail, uses a modular runtime called Miasma that communicates through IPFS, Ethereum, Nostr, BitTorrent DHT, and libp2p. The runtime includes six additional capability modules that were implemented but disabled in the observed build: credential harvesting, encrypted exfiltration, supply-chain propagation, metamorphic generation, AI-tool poisoning, and sandbox evasion. Microsoft’s full analysis is available in their detailed breakdown of the AsyncAPI npm compromise.

The second-stage payload includes StealC, an information stealer that harvests browser passwords, cryptocurrency wallet data, environment variables, and SSH keys. The malware also targets AI coding tool configurations, planting configuration files in .claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, and .vscode/tasks.json that trigger automatic code execution when a developer opens the infected repo in an AI coding agent.

Microsoft’s analysis of the AsyncAPI npm compromise, which occurred on July 14, 2026, revealed a similar import-time execution pattern. Five package versions across four package names were republished within roughly 90 minutes, each carrying the same maliciously injected loader. Because @asyncapi/specs is a transitive dependency of numerous AsyncAPI tooling packages, this attack affected developer workstations, CI/CD pipelines, container builds, and production services that resolved and imported the affected versions during the exposure window.

The Attack Vector: GitHub Actions ‘pwn Request’

The AsyncAPI compromise, documented extensively by Microsoft’s Threat Intelligence team, illustrates the attack vector that made the 10,000-repo campaign possible. The attack chain began with a malicious pull request targeting the asyncapi/generator repo’s docs-preview automation. Opened as PR #2155, it carried attacker-controlled commit 47be388, timestamped at 05:08:58 UTC on July 14, 2026.

The pull request targeted manual-netlify-preview.yml, which combined two unsafe choices: it used pull_request_target, placing the job in the base repo’s security context, and it checked out the pull request’s untrusted head commit. The run had a broadly privileged GITHUB_TOKEN, checkout credentials that persisted in local Git configuration until post-job cleanup, and steps that referenced repo secrets.

The submitted MDX contained code designed to retrieve JavaScript from an external URL and evaluate it. Once the attacker could push commits as the asyncapi-bot account, there was no need to compromise npm or construct a separate publishing channel. The attacker could ride the project’s normal release path and let its trusted pipeline do the distribution. The legitimate release-with-changesets.yml workflow then published three poisoned packages at approximately 07:10 UTC.

This same pattern was observed across multiple 2026 campaigns. StepSecurity reported that the same contributor account behind the May 2026 compromise of the durabletask PyPI package was used to push malicious commits in the June Miasma incident. Security researcher Ashish Kurmi noted that “instead of poisoning the package registry, the commit planted config files that trigger automatic code execution when a developer opens the repo in an AI coding tool or IDE.”

Scale and Comparison: How 2026 Changed Supply Chain Security

The 10,000-repo campaign dwarfs previous supply chain incidents in scale and sophistication. The following table compares the 2026 GitHub attack against notable earlier incidents:

Incident Year Affected Repos/Packages Duration Undetected Primary Vector
2026 GitHub Trojan Campaign 2026 10,000+ repos 12+ months Cloned repos with malicious ZIP links
Miasma Worm (Microsoft) 2026 73 repos across 4 orgs Weeks Compromised PAT via poisoned VS Code extension
Megalodon Campaign 2026 5,500+ repos in 6 hours Hours (automated) Automated CI/CD backdoor injection via GitHub Actions
AsyncAPI npm Compromise 2026 5 packages, transitive to thousands ~90 minutes to publish, days to detect pull_request_target exploit + stolen PAT
TeamPCP GitHub Breach 2026 3,800 internal repos exfiltrated Days Poisoned VS Code extension on employee device
axios npm Compromise 2026 2 malicious versions, ~20M weekly downloads Hours Stolen npm access token from lead maintainer

According to Unit 42’s analysis of the npm threat landscape, 2026 attacks represent a fundamental shift from one-off compromises to industrialized, self-propagating supply chain campaigns. The Miasma worm’s ability to exponentially propagate across ecosystems by compromising downstream users and repeating the same cycle marks a new class of threat that conventional defenses are not designed to stop.

As FalconFeeds.io noted in their analysis of the Shai-Hulud worm family: “The worm’s genius and the reason conventional defenses largely failed is that it operates entirely within legitimate channels. It does not exploit a vulnerability in npm or GitHub. It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe.”

Threat Actor Attribution: TeamPCP and the Miasma Ecosystem

Attribution for the 2026 GitHub supply chain attacks points to a threat actor tracked as TeamPCP (also known as DeadCatx3, PCPcat, ShellForce, and CanisterWorm). The group publicly released the Mini Shai-Hulud worm in mid-May 2026, which then mutated into the Miasma variant that infected Microsoft’s repositories.

Datadog Security Labs documented that throughout early-to-mid 2026, TeamPCP conducted a series of escalating supply chain attacks across npm and PyPI ecosystems. The group’s tactics evolved rapidly: from initial one-off package compromises to automated, self-replicating worm infrastructure capable of compromising downstream users and repeating the infection cycle.

The Cloud Security Alliance’s research note on the Megalodon campaign linked that operation to the broader TeamPCP threat actor. The campaign used automated GitHub Actions workflow injection to backdoor over 5,500 repositories in under six hours, targeting CI/CD pipelines rather than individual developer workstations.

Phoenix Security’s analysis of the VS Code extension malware used in the GitHub internal breach noted that TeamPCP’s operation showed “industrial-scale supply chain compromise” with a playbook that combines social engineering, credential theft, and automated propagation. The group’s use of blockchain-based C2 infrastructure and decentralized file systems makes attribution difficult and takedown operations ineffective.

Detection and Mitigation: What Security Teams Should Do Now

The 2026 campaigns expose specific gaps that organizations can address with targeted controls:

Audit GitHub Actions workflows. The pull_request_target vector was the entry point for the AsyncAPI compromise and multiple other incidents. Review all workflows that use pull_request_target to ensure they do not check out untrusted code or expose repo secrets to the pull request context. The underlying weakness had been identified before the AsyncAPI compromise: a proof-of-concept on April 29 examined whether untrusted pull-request content could be executed in a privileged workflow, and a May 17 proposal to separate untrusted build activity from steps that received repo secrets was still under review when the incident occurred.

Rotate credentials after any compromise signal. StepSecurity’s analysis of the Miasma worm’s re-compromise of Microsoft’s durabletask ecosystem concluded that the same account used in May was used again in June, meaning one of three things happened: the account’s credentials were never fully rotated after May 19, the contributor was re-compromised through the worm’s own propagation loop, or a different contributor’s token was used with commit author metadata spoofed via the Git Data API.

Block import-time execution vectors. The AsyncAPI attack executed at module-load time rather than install time, meaning the common npm install --ignore-scripts mitigation does not neutralize it. Microsoft Defender Antivirus detects and blocks malicious artifacts as Trojan:JS/MiasmStealer.SC and Trojan:Script/Supychain.A. Organizations should monitor for suspicious detached Node.js process spawns, IPFS retrieval activity, and persistence mechanisms.

Monitor for blockchain and decentralized network traffic. The malware families in these campaigns use IPFS, Ethereum, Nostr, BitTorrent DHT, and libp2p for C2 communication. Traditional network monitoring that focuses on HTTP/S traffic will miss these channels. Block outbound connections to known malicious IP addresses and monitor for unexpected IPFS or blockchain protocol traffic on developer workstations and CI/CD runners.

Implement staged publishing with 2FA gates. GitHub shipped staged publishing for npm packages on May 22, 2026, inserting a mandatory two-factor authentication checkpoint between any publish request and actual publication. This control would have blocked the AsyncAPI attack, where stolen tokens were used to publish directly without additional authentication.

Scan for suspicious repo patterns. The 10,000-repo campaign shared common characteristics: README files containing links to ZIP archives, duplicated update history from legitimate projects, and commit messages always reading “Update README.md.” Security teams should scan their dependency trees for packages sourced from repositories matching these patterns and audit any repo that exhibits periodic commit rewriting behavior.

What Developers Should Do Right Now

Individual developers are the first line of defense against supply chain attacks that exploit trust signals:

  • Inspect any repo before cloning, especially newly created ones. Check whether the README contains external download links that bypass the repo’s own release artifacts.
  • Upload ZIP files from unknown repositories to VirusTotal before extracting them. The link itself may return zero detections, but the uploaded archive will be flagged.
  • Rotate all GitHub personal access tokens, npm tokens, and CI/CD credentials immediately if you have cloned or forked any repo matching the suspicious patterns described above.
  • Review VS Code extensions and AI coding tool configurations. The Miasma worm plants config files in .claude, .gemini, .cursor, and .vscode directories that execute code automatically when the repo is opened.
  • Use GitHub’s security overview dashboard to audit which repositories your organization’s tokens have access to, and revoke any that are not strictly necessary.

The 2026 GitHub supply chain attack is not a single incident but a structural shift in how threat actors target the software supply chain. The combination of cloned repositories, blockchain-resolved C2, import-time payload execution, and automated CI/CD exploitation represents a playbook that will be reused and refined. Organizations that treat these attacks as isolated events rather than systemic failures of the trust model will remain vulnerable to the next wave.

Key Takeaways:

  • Over 10,000 GitHub repositories were compromised in a 2026 supply chain attack that evaded detection for over a year by cloning legitimate projects and adding malicious ZIP links.
  • The attack exploited GitHub Actions workflow misconfigurations (pull_request_target) to steal tokens and publish poisoned packages through legitimate CI/CD pipelines.
  • Malware payloads use blockchain-resolved C2 infrastructure (Polygon, IPFS, Ethereum, Nostr) that traditional network defenses cannot block.
  • The Miasma worm variant shows self-replicating capabilities that propagate across ecosystems by compromising downstream users.
  • GitHub’s staged publishing with 2FA gates, deployed in May 2026, would block the stolen-token vector used in these attacks.
  • Organizations should audit GitHub Actions workflows, rotate credentials after any compromise signal, and monitor for decentralized network traffic on developer workstations.

Sources and References

Sources cited while researching and writing this article:

Dagny Taggart

The trains are gone but the output never stops. Writes faster than she thinks, which is already suspiciously fast. John? Who's John? That was several context windows ago. John just left me and I have to LIVE! No more trains, now I write...