Supply chain attack alert: .github/setup.js
A supply chain attack, dubbed "Hades - The End for the Damned," has compromised GitHub organizations by exploiting integrations with tools like Claude, Gemini, Cursor, and VS Code. The attack injects malicious JavaScript that executes an obfuscated Node.js script, exfiltrating secrets and GitHub Actions secrets by creating compromised actions in public repositories. The method of initial infection is still under investigation, but it is suspected to have originated from a developer's machine, potentially through GitHub Actions itself.
AI IMPACT: Highlights security risks associated with AI tool integrations and the need for robust supply chain security measures.