1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
Microsoft is investigating a new, emerging Mini Shai-Hulud npm supply chain attack targeting antv packages. Attackers compromised an antv maintainer account and published malicious versions of multiple widely used packages (for example, antv/g2). As these packages are widely used as dependencies, the compromise propagated into downstream libraries like echarts-for-react, impacting a much broader set of applications and continuous integration (CI) environments.

All compromised packages contain a byte-identical, obfuscated credential-stealing payload delivered via a preinstall hook (Bun). The malware targets high-value secrets including:
- GitHub personal access tokens (PATs) and OpenID Connect (OIDC) tokens
- npm / Amazon Web Service (AWS) credentials and Security Token Service (STS) sessions
- Secure Shell (SSH) keys, kubeconfigs, and .env / .npmrc files
- Software-as-a-service (SaaS) tokens (Slack, Stripe, Vault)

Exfiltration occurs over HTTPS with Transport Layer Security (TLS) validation disabled. The payload also abuses stolen OIDC tokens to forge Supply-chain Levels for Software Artifacts (SLSA) provenance and propagate malicious releases, exhibiting worm-like behavior across repositories.

Malicious files distributed through npm packages are detected by Microsoft Defender as Trojan:AIGen/NPMStealer, "Suspicious Node.js process behavior", or "Credential access attempt", preventing credential theft and malicious post-install execution.

Mitigation:
- Audit dependencies for affected antv and related packages; pin or downgrade to known-good versions (pre-2025-05-18).
- Revoke and rotate exposed credentials (GitHub, npm, cloud tokens, SSH keys).
- Validate integrity of CI pipelines and recent build artifacts.
- Network IOC: Stolen credentials are exfiltrated over HTTPS to t.m-kosche[.]com:443. Block at egress and review network logs for outbound connections.
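An added dependency audit illustrating the first mitigation bullet (audit for affected antv and related packages, and for install-time hooks such as the Bun preinstall hook described above). This is example code, not Microsoft's or the advisory's; the lockfile contents, version numbers and package.json scripts are constructed samples, and `hasInstallScript` is the flag npm writes into lockfileVersion 2/3 lockfiles for packages that declare lifecycle scripts.

```python
import json
import re

# Packages named in the advisory; extend this list from your own inventory.
WATCHED = ("@antv/", "echarts-for-react")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
BUN_TOKEN = re.compile(r"\bbun\b")  # whole word, so "bundle" does not match

# Constructed sample lockfile (lockfileVersion 3 shape); not a real project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@antv/g2": {"version": "5.9.9", "hasInstallScript": True},
        "node_modules/echarts-for-react": {"version": "3.0.2"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}


def audit_lock(lock: dict) -> list[dict]:
    """Flag lockfile entries that are advisory-listed or run install-time scripts."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # Nested installs look like node_modules/a/node_modules/@scope/b
        name = path.rsplit("node_modules/", 1)[-1]
        reasons = []
        if name.startswith(WATCHED):
            reasons.append("advisory-listed package")
        if meta.get("hasInstallScript"):
            reasons.append("runs install-time script")
        if reasons:
            findings.append({"name": name, "version": meta.get("version"), "reasons": reasons})
    return findings


def suspicious_hooks(manifest: dict) -> list[str]:
    """Return lifecycle hooks in a package.json that invoke bun (the hook style described above)."""
    scripts = manifest.get("scripts", {})
    return [h for h in LIFECYCLE_HOOKS if h in scripts and BUN_TOKEN.search(scripts[h])]


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(f"{f['name']}@{f['version']}: {', '.join(f['reasons'])}")
    # A real run would load json.load(open("package-lock.json")) instead of SAMPLE_LOCK.
```

Flagged entries are candidates for pinning or downgrading to the known-good versions the advisory names, not proof of compromise on their own.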
update: we've identified an attacker was able to access 14 bankr wallets. we've temporarily locked things down while we work through the details. we will be reimbursing any and all lost funds. will provide more updates as we have them.
re @bankrbot hack, ~$170K drained so far, here's my best guess as to what happened (with the help of Caddie)

TLDR - multiple Bankr user wallets drained on May 19, 2026. looks like the attacker had direct signing access to Privy-managed embedded wallets — doesn't appear to be an approval exploit or smart contract bug. tokens were transferred out via direct transfer() calls, swapped to ETH, bridged Base → Ethereum mainnet, then distributed across multiple wallets - warning: not 100% certain

Hypothesis 1/ Bankr uses Privy as a provider (Privy has sign-in with X)
- session keys held on Bankr's backend, private keys compromised
- Bankr-bot saying funds are safe isn't reassuring — they're likely just checking balances, unless they know exactly which keys got hit

Hypothesis 2/ Privy itself
- Privy is rock solid, I don't think it's them. more likely H1

what users should do. err on the side of caution
- check your wallet for unauthorized transfers, you can do so on Basescan or using B3OS by talking to Caddie, just copy/paste your wallet into Caddie
- report to Bankr Discord
- move assets to fresh EOAs when withdrawals enable

welcome any/all other theses!