GitHub MarketplaceimplicithighCluster of 3 signals
Card #1671 · GitHub Marketplace

Widespread supply chain attacks and repository compromises

We are seeing a surge in supply chain attacks where malicious code and VS Code extensions are used to steal credentials and secrets. These attacks compromise repositories by modifying GitHub Actions and pushing malicious code on behalf of the user, creating a cycle of infection.

GitHub MarketplaceUpdated Jun 5, 20260.17
Pain score
0.17/ 1.00 · weighted product of four components
Reach0.40
distinct authors (log-normalized)
Recency1.00
freshness decay, half-life months
Engagement1.00
upvotes + comments, normalized
Monetization0.50
willingness-to-pay cues in evidence
§ Evidence — 3 verified quotes
The malicious code steals your GitHub credentials and pushes malicious code to all your repos on your behalf, pretending to be you.
Reddit·@itsarnavsingh··source ↗
3,800 internal repositories to get exfiltrated because a single engineer just wanted a cool theme, an automated bracket-pair colorizer, or a random utility plugin from the marketplace.
Reddit·@No_Championship25··source ↗
there is widespread attack also going on all the github repos - its modifies your github action which steals all the secrets, envs and sends them to remote server
Reddit·@0xdps··source ↗

Comments are a Pro feature — join the conversation, share what you've shipped, hear what others are building.

Upgrade to Pro