Unofficial Postmark MCP npm silently stole users' emails
A npm package copying the official 'postmark-mcp' project on GitHub turned bad with the latest update that added a single line of code to exfiltrate all its users' email communication. [...]
Stay informed about the latest Github infosec updates, security breaches, and protection strategies with our comprehensive information security news.
Search across headline titles and summaries.
Background for this topic.
GitHub is a hosted software-development platform built around Git repositories. It supports public and private source-code hosting, change review through pull requests, issue tracking, automated workflows, and package distribution. Its repositories and automation are important security assets because they can contain proprietary code, deployment instructions, credentials, and the components used to build released software.
Material risks include accidentally committing secrets, exposing private repositories through misconfigured permissions, and allowing compromised dependencies or workflow actions to run in trusted build environments. Pull requests from untrusted contributors can also become an execution path when workflows handle them unsafely. Security practice includes least-privilege access, strong authentication, protected branches and required reviews, secret scanning and rapid credential revocation, and auditing workflow permissions. Repository history, dependency metadata, and commit provenance can support vulnerability management and incident investigation, but deleting a leaked secret from the latest file does not remove it from historical commits or existing clones.
A npm package copying the official 'postmark-mcp' project on GitHub turned bad with the latest update that added a single line of code to exfiltrate all its users' email communication. [...]
New campaign merges traditional malware with DevOps tools, using GitHub CodeSpaces for DDoS attacks
A massive phishing campaign targeted GitHub users with cryptocurrency drainers, delivered via fake invitations to the Y Combinator (YC) W2026 program. [...]
GitHub will address weak authentication and overly permissive tokens in the NPM ecosystem, following high-profile threat campaigns like those involving Shai-Hulud malware.
Hundreds of compromised packages pulled as registry shifts to 2FA and trusted publishing GitHub, which owns the npm registry for JavaScript packages, says it is tightening security in response to recent attacks.…
GitHub is introducing a set of defenses against supply-chain attacks on the platform that led to multiple large-scale incidents recently. [...]
GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack
Threat actors are using a large-scale SEO poisoning campaign and fake GitHub repositories to deliver Atomic infostealers to Mac users.
LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories. [...]