Yeeth Security

🚀 300M monthly downloads and growing! We’re proud to have developed a pipeline for the @EclipseFdn to harden the security infrastructure of the Open VSX Registry. Great to see this milestone and the new AWS investment featured in @TheNewStack! Check out the full story: thenewstack.io/open-vsx-aws-i…

The absolute weaponized brainrot in the beg bounty scene right now. Some genius uploaded an Antigravity IDE "0day sandbox escape" to Open VSX...that bypasses a sandbox to grant you the exact local privileges the extension already had. Brilliant execution, you broke into a house you were already sitting inside 💀

@shfx @jonahseguin We've seen discussion around safe-npm, pnpm, and yarn

@YeethSecurity @jonahseguin What alternatives?

Can someone please explain to me why we are still waiting until AFTER a package is published and distributed to take action? Why doesn’t npm scan packages with Socket or similar before allowing them to be distributed?

New GitHub account: dfghjhjke

Solana address: 6ExrZayPZzMMSnszc42cH81DpuKT8FhCX9H6Sesn6rpz GitHub accounts: - JohnMillDoe - Aljsnedfjn - Kbaefkjbd - kdjrgndjsdf HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\DefenderBackup

Yeeth Security is tracking another campaign of GLASSWORM adjacent extensions targeting Open VSX 👇 The campaign polls Solana mainnet for a memo transaction on the threat actors wallet and decrypts the memo for the next-stage C2 domain to fetch and execute a binary Windows and Linux machines are targeted, but notably the Linux payload is missing The Windows payload sets a registry run key masquerading as a windows defender backup artifact that installs a self updating RAT

I've updated the meme

@gl0omsec This idea is ahead of its time

why dont we simply just scan every package everywhere every 10 minutes. easy. problem solved

cc: @vxunderground @campuscodi @tayvano_ @IntCyberDigest @TheHackersNews @BleepinComputer @DarkReading

@_JohnHammond Lots of snake oil is on the case!!

ok ya i sorta feel like the software supply chain is kinda in shambles rn yknow??

@kpolley Always good seeing more projects hitting the ecosystem that genuinely secure it and protects its users! We have a FOSS extension that uses our publicly available threat intel to protect IDEs (open-vsx.org/extension/yeet…) we should collaborate 👀

The industry has seen an unprecedented wave of supply chain attacks over the past few months. That's why we built Bumblebee, a lightweight security scanner that continuously monitors endpoints and hunts for malicious packages. Bumblebee has been a critical asset in keeping @perplexity_ai secure, and we're thrilled to open source it for everyone. We're also using Perplexity Computer to monitor public threat intelligence feeds in real time and update the Bumblebee repo as new threats emerge. Excited to share this with the community!

Reminder that we have a fully free and open source extension that helps developers secure their VS Code, Cursor, etc. in one click - open-vsx.org/extension/yeet…

@inf0stache We identified the same behavior in some Open VSX extensions, likely profiling name squat targets for potential malware

This person has published two more packages now. They added an explicit phone home to the preinstall script that sends hostname and whoami to an external OAST endpoint

Want to get an idea of what YOU can do regarding all the supply chain infections recently? We wrote a guide to help you do just that! yeethsecurity.com/blog/2026-05-2…

@MosheTov Well said

Last week npm decided to shift trust instead of embedding malware analysis in their ecosystem. This should raise a red flag for anyone who's following the latest supply chain attack news. Developer accounts are being broken into, either phished, compromised by malware or via data leaks, then the threat actors use these accounts to deliver malware to anyone who's using the victim's code packages. If we're going to treat every account hijacking technique separately and try to add more authentication factors, more key rotations, we're not protecting developers, we're just making their process slower, and - we're not solving the actual problem. Malicious code. If a threat actor is able to uploaded malicious code to npm, PyPi, GitHub, GitLab, Maven, (and the list goes on) without being blocked *before* the code could infect others - the malware problem is not solved, just shifts responsibility. Scanning malicious code, analyzing code behaviour and intent is key for protecting users. When npm says that they revoke one type of authentication, they just open the door to threat actors to use other methods to continue upload malicious code. What if someone is just giving a threat actor full access to his account willingly? or selling access to the highest bidder? Threat Actors could just pretend to be regular developers, gaining downloads and trust before turning their code into an info stealing malware. Malicious code should be treated like harmful content - it should be detected and blocked before anyone is exposed to it. Social media and content platforms are doing this for years, scanning, detecting and removing bad content before we even see it. If code was treated the way, threat actors would have a much harder time pulling off successful supply chain attacks endangering millions of users around the world.

@jamieantisocial Can’t wait for the next one tomorrow!!

the history of malware suggests that there is a non-zero chance that supply chain campaigns 𝕖𝕧𝕖𝕟𝕥𝕦𝕒𝕝𝕝𝕪 just serve adware$.

@anshuc @github

@github holy shit, how did the attackers find a large enough uptime window to get in?

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.