NextGenRails™ (@NextGenRails)
232 posts
Founder @ NextGenRails™ | Built https://t.co/12zRapuMNS · https://t.co/DwaE0fJ0ks · https://t.co/gJR3lH1AP5 | Cryptographic compliance infrastructure | Trust is computed.
Joined March 2026
56 Following, 8 Followers

Pinned Tweet
NextGenRails™ @NextGenRails:
What we've built at NextGenRails™:
cbomcompliance.com: cryptographic SBOM receipts. SHA-384, RS256, Bitcoin-anchored. If your software was clean before the attack, prove it. An SBOM is a claim. A receipt is evidence.
cbomdirectory.com: the definitive resource for understanding what a Cryptographic Bill of Materials actually is and why an SBOM alone isn't enough.
cuistandard.com: CUI scoping toolkit for CMMC Level 2. All 110 NIST SP 800-171 controls mapped, COPR decision framework, SSP example. $199. Instant download.
20022validator.com: cryptographic receipts for ISO 20022 messages. Prove your payment message was valid before it hit the wire. Built for SWIFT MT-MX migration and DORA compliance.
20022api.com: same cryptographic engine, callable via REST. Integrate message validation directly into your pipeline. In active development.
statutoryregistry.com: cryptographic notary for legal instruments and compliance filings. SHA-384 Merkle-committed, RS256-signed. Supports DORA, NIS2, EU CRA, CMMC 2.0.
stackrift.net: where serious builders get discovered first.
8 live platforms. One infrastructure. Trust is not declared. It is computed. nextgenrails.net
#buildinpublic #cybersecurity #CMMC #SBOM #ISO20022 #DORA #infosec #devtools
NextGenRails™ @NextGenRails:
@evilmartians The systemic approach needs one more layer. Cryptographic proof of what your stack looked like before the attack happened. Every mitigation you implement is reactive. A pre-incident receipt is the only thing that answers what existed before. cbomcompliance.com
NextGenRails™ @NextGenRails:
@github When attackers steal your code, they have it. That's done. You can't undo it. But here's what most organizations can't answer after a breach. What exactly was in those repositories before the attack? Was the stolen code already vulnerable, or did the attacker introduce something? Were you compliant before this happened? Can you prove any of it? To regulators, to insurers, to customers, to a federal court. You can't prove it with logs. Logs can be tampered. You can't prove it with memory. Memory is not evidence. You can't prove it with a claim. A claim is not proof. The only thing that holds up is a cryptographic receipt. A mathematically signed, timestamped, independently verifiable record of exactly what existed before the access window opened. That's your safe harbor. That's your litigation defense. That's the difference between an organization that can demonstrate pre-incident compliance and one that is guessing in front of a regulator. EO 14028, the EU Cyber Resilience Act, CMMC. All converging on the same requirement. Prove what was in your software. NextGenRails built that infrastructure. Not to stop the breach. To prove what you had before it.
GitHub @github:
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
NextGenRails™ @NextGenRails:
When attackers steal your code, they have it. That's done. You can't undo it. But here's what most organizations can't answer after a breach. What exactly was in those repositories before the attack? Was the stolen code already vulnerable, or did the attacker introduce something? Were you compliant before this happened? Can you prove any of it? To regulators, to insurers, to customers, to a federal court. You can't prove it with logs. Logs can be tampered. You can't prove it with memory. Memory is not evidence. You can't prove it with a claim. A claim is not proof. The only thing that holds up is a cryptographic receipt. A mathematically signed, timestamped, independently verifiable record of exactly what existed before the access window opened. That's your safe harbor. That's your litigation defense. That's the difference between an organization that can demonstrate pre-incident compliance and one that is guessing in front of a regulator. EO 14028, the EU Cyber Resilience Act, CMMC. All converging on the same requirement. Prove what was in your software. NextGenRails built that infrastructure. Not to stop the breach. To prove what you had before it.
NextGenRails™ @NextGenRails:
@blade_nd The attack surface keeps expanding. VS Code extensions yesterday. AI context windows today. The answer is always the same: cryptographic proof of what existed before the trust was broken.
Erick @blade_nd:
The next attack window will be Claude and Codex context windows and historical chats. And yes, they do store it according to their TOS. If you feel like you ever leaked a secret via AI, rotate them ASAP!
Quoting GitHub @github:
We are investigating unauthorized access to GitHub's internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories (such as our customers' enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
NextGenRails™ @NextGenRails:
@billyxbonka @github GitHub's own words: "detected and contained." That's catching it. The data was already gone before they knew, which is exactly the point.
billy @billyxbonka:
@NextGenRails @github Although GitHub is not transparent enough, my understanding so far is that they didn't detect the malicious extension; they detected that they were breached and lost a bunch of sensitive stuff. Thus it is an investigation, not a detection.
NextGenRails™ @NextGenRails:
Microsoft told their own developers to avoid this exact behavior. Their own marketplace. Their own guidance. Their own employee. The attack vector was always trust — not technology. The only answer is cryptographic proof of what was in your stack before the trust was broken. cbomcompliance.com
vx-underground @vxunderground:
GitHub, a company owned by Microsoft, was compromised. A GitHub employee browsing the VS Code marketplace, an asset owned and operated by Microsoft, inadvertently donated a malicious VS Code extension, which Microsoft offers guidance and best practices on to avoid.
Quoting GitHub @github:
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
NextGenRails™ @NextGenRails:
BTC block 950251 confirms. The Rev-2 upgrade is permanently anchored to the Bitcoin blockchain as of 2026-05-20 PST. SHA256: 2ccfc63895954068f06677381909855fefbbcc9a0b6b6c49c90. Mathematically proven. Immutable. Forever.
NextGenRails™ @NextGenRails:
Last night GitHub got breached via a poisoned VS Code extension. A supply chain attack. Through a developer tool.
NextGenRails shipped the answer tonight. Upload your .vscode/extensions.json and get a cryptographic receipt of your entire extension stack. Signed. Merkle-rooted. Bitcoin-anchored. Timestamped to the minute. If a malicious extension hits your team tomorrow — you can prove what was installed before it.
Rev-2 now runs 4 vulnerability intelligence sources simultaneously:
— Internal rule engine
— OSV (Open Source Vulnerabilities)
— NVD (National Vulnerability Database)
— GHSA (GitHub Advisory Database)
Every CVE is scored with EPSS — the probability it gets exploited in the wild within 30 days.
AGPL. GPL. SSPL. License risk flagged automatically.
AI model cards. Receipted. Base model, datasets, and lineage — cryptographically proven.
Compare any two signed receipts. See exactly what changed. Added dependencies. Removed packages. Version upgrades. Risk delta.
One RS256-signed JWS receipt. SHA-384 Merkle root. Bitcoin-anchored provenance.
SHA256: 2ccfc63895954068f06677381909855fefbbcc9a0b6b6c49c90
BTC block: [pending]
This is what software provenance looks like in 2026.
NextGenRails™ @NextGenRails:
@billyxbonka @github You're right. They detected it. That's actually the point. Most organizations don't have GitHub's resources to catch it. They find out when it's too late to prove what their stack looked like before. That's the problem we solve.
Pato Molina @patomolina:
GitHub (owned by Microsoft) got hacked because an employee (of Microsoft) installed a malware-laden extension in VS Code (made by Microsoft), whose extension marketplace is "moderated" by Microsoft. Installing VS Code extensions has been dangerous for years because there is almost no control.
Quoting GitHub @github:
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
NextGenRails™ @NextGenRails:
Last night GitHub got breached via a poisoned VS Code extension. A supply chain attack. Through a developer tool.
Tonight cbomcompliance.com ships the answer. You can now upload your .vscode/extensions.json and get a cryptographic receipt of your entire extension stack. Signed. Merkle-rooted. Bitcoin-anchored. Timestamped to the minute. If a malicious extension hits your team tomorrow — you can prove what was installed before it.
That's not all. Rev-2 now runs 4 vulnerability intelligence sources simultaneously:
— Internal rule engine
— OSV (Open Source Vulnerabilities)
— NVD (National Vulnerability Database)
— GHSA (GitHub Advisory Database)
Every CVE is scored with EPSS — the probability it gets exploited in the wild within 30 days.
AGPL. GPL. SSPL. License risk flagged automatically.
AI model cards. Receipted. Your base model, datasets, and lineage — cryptographically proven.
Compare any two signed receipts. See exactly what changed. Added dependencies. Removed packages. Version upgrades. Risk delta.
One RS256-signed JWS receipt. SHA-384 Merkle root. Bitcoin-anchored provenance.
SHA256: 2ccfc63895954068f06677381909855fefbbcc9a0b6b6c49c90
BTC block: [pending]
This is what software provenance looks like in 2026. cbomcompliance.com
GitHub @github:
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
NextGenRails™ @NextGenRails:
Tonight's breach made us think about our own infrastructure. So NextGenRails ran all 11 repos through cbomcompliance.com. 118 components. One master SBOM. One cryptographic receipt. Timestamped to the minute. If anything happens to our codebase tomorrow — we can prove what it looked like tonight. That's the point.