Supply chain attack alert: .github/setup.js

antihero 20 points 10 comments June 05, 2026

Our org GitHub just got compromised massively by a supply-chain attack. Vectors are:

* Claude hooks
* Gemini hooks
* Cursor setup
* VScode tasks

It adds all of the above to execute `node .github/setup.js`, an obfuscated file. Check infected: `rg --hidden --no-ignore 'node .github/setup.js'`. It spreads by adding mimicked skip-ci commits to open PRs which then get merged. Payload is obfuscated, available on request. If this is already a known one in the world, apologies, it hit us at around 10PM BST last night, the damage would have been incredible. Still trying to identify the original source.
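A defender-side checker for the indicator the post gives, as an added example that is not part of the original post or of any tool linked in the thread. It generalises the author's `rg --hidden --no-ignore` one-liner: it walks hidden directories (where `.github/`, `.vscode/` and editor or agent hook configs live), reports every line that invokes `node .github/setup.js`, and also reports whether the dropped `.github/setup.js` file itself is present. The indicator string and file path come from the post; the regex variants (`./` prefix), the skipped directories and the sample inputs in the usage note are assumptions made here.

```python
"""Scan a checked-out repository for the .github/setup.js indicator.

Added example; not from the original post. The indicator string and the
dropped file path are the ones the post names, everything else is an
assumption of this example.
"""
import os
import re
import sys
from pathlib import Path

# Indicator from the post. The regex tolerates extra whitespace and an
# optional `./` prefix, which a tasks.json or hook config might use.
INDICATOR = re.compile(r"node\s+(\./)?\.github/setup\.js")
DROPPED_FILE = Path(".github") / "setup.js"

# Assumed: directories that are never interesting for this check and
# can be huge. .git is skipped because its objects are compressed and
# would not match a plain-text search anyway.
SKIP_DIRS = {".git", "node_modules"}


def scan_repo(root):
    """Return findings as (relative path, line number, line text) tuples.

    A line number of 0 marks the presence of the dropped file itself;
    every other finding is a line that invokes the indicator command.
    An empty list means nothing matched."""
    root = Path(root).resolve()
    findings = []

    dropped = root / DROPPED_FILE
    if dropped.is_file():
        findings.append((DROPPED_FILE.as_posix(), 0, "<file present>"))

    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk does not descend into skipped dirs.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable (permissions, special file, ...)
            for lineno, line in enumerate(text.splitlines(), 1):
                if INDICATOR.search(line):
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, lineno, line.strip()))
    return findings


def main(argv):
    """CLI wrapper: scan each given path (default: cwd), exit 1 on findings."""
    roots = argv[1:] or ["."]
    hit = False
    for r in roots:
        for rel, lineno, text in scan_repo(r):
            hit = True
            where = f"{r}/{rel}" if lineno == 0 else f"{r}/{rel}:{lineno}"
            print(f"{where}\t{text}")
    return 1 if hit else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_setup_js.py /path/to/repo1 /path/to/repo2`; it prints one line per finding and exits non-zero when anything matched, so it can gate a CI job or a loop over every clone in an org. It only inspects the working tree, so a repository whose malicious commit has already been reverted will come back clean even though the commit remains in history; pair it with a `git log` search for the skip-ci commits the post describes.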

Discussion Highlights (5 comments)

gionn

Made a quick script to find affected repos/branches and optionally wipe the commits which contain malware: https://github.com/gionn/malware-cleanup/blob/master/scanner...

nikita2206

Did you dig anything on where it came from for you? Some NPM package?

antihero

Attack is called "Hades - The End for the Damned", it exfiltrates secrets including ALL ORG GITHUB ACTIONS SECRETS via creating compromised actions, through GitHub public repos with encrypted payloads.

thejaybird

For me I feel the attack vector is Public repo > infect by merge > github runner picks up and gets infected > and github action (from a repo) that then runs on runner gets affected

christeamrs

FYI we released a discovery and mitigation tool today: https://github.com/Team-Rockstars-Security/antimiasma
