Skip to content

CyberSecurity Institute

Security News Curated from across the world

Menu
Menu

DevSecOps Weekly — June 21, 2026

Posted on June 21, 2026 by admini

Security Radar · Issue 4

DevSecOps Weekly

June 21, 2026 · Weekly Edition

Pipeline, registry, and platform security — what shipped, what broke, what to do about it.

At a glance

North Korea owned the supply-chain headlines this week, and the vector was npm. JFrog's threat-research team caught “easy-day-js” — a malicious package that piggybacked on a legitimate dependency update to compromise 144 Mastra AI framework packages, dropping a credential stealer that harvested cloud tokens, SSH keys, and .env secrets from any developer who ran npm install. Microsoft's subsequent attribution confirmed the campaign connects to Jade Sleet, the same North Korean cluster behind the 2023 npm supply-chain wave. Back-to-back in a single week: an attacker slipping a single package into a widely-used framework's dependency tree as a living-off-the-land technique rather than building and promoting fake packages from scratch.

The week's second thread is CI/CD pipeline exposure at the secrets and credentials layer. GitHub shipped AntiSSRF, an open-source library that blocks server-side request forgery from inside pipeline code — a concrete control for a class of abuse that quietly leaks cloud metadata and internal endpoints from build runners. Alongside it, a new open-source CI/CD abuse detector landed on Help Net Security, designed specifically to catch stolen-credential attacks against pipeline workflows. And a Dark Reading analysis of developer machine risk makes explicit what the Mastra campaign demonstrated: the developer workstation is now routinely the weakest link in an otherwise hardened pipeline, because it holds live registry credentials and sits outside most enterprise perimeter controls.

The foundational reading this week anchors the weekly incidents in structural context. The Agentjacking research from the Cloud Security Alliance is the canonical technical account of how MCP-based AI coding agents can be hijacked via crafted Sentry error events — a 2026-06-12 publication that now reads as a direct precursor to the Mastra attack's targeting of developer machines running agentic tooling. GitHub's 2026 Actions security roadmap — SHA pinning, scoped secrets, native egress filtering — maps directly to the credential-exfiltration patterns showing up in the weekly attacks. And the O'Reilly analysis of Kubernetes in the AI era connects the platform-hardening thread to the agentic workloads that are landing in clusters faster than most security policies can track them.

Topic map of DevSecOps Weekly stories for June 21, 2026

Topic map — North Korean npm supply-chain attack on Mastra AI packages, CI/CD pipeline credential exposure, agentjacking of AI coding agents, and the platform & policy controls that blunt them.

Article index

npm & registry supply-chain attacks

The Mastra/easy-day-js campaign as discovery, attribution, and structural context — plus the PyPI Hades campaign and the Codex credential-theft playbook that preceded it, showing how attackers are systematically targeting AI-framework developer ecosystems across registries.

  1. 144 Mastra npm packages compromised via easy-day-js (The Hacker News, Jun 17)
  2. Microsoft links Mastra attack to North Korean hackers (BleepingComputer, Jun 20)
  3. ‘Hades’ attacks on PyPI — a new spin on Shai-Hulud (Dark Reading, Jun 8) — foundational
  4. OpenAI Codex authentication tokens stolen via codexui-android npm (The Hacker News, Jun 1) — foundational

CI/CD & agentic-workflow hardening

Fresh tooling for securing pipeline credentials and flagging stolen-token abuse, alongside GitHub's roadmap for making Actions secure by default — directly responsive to the week's credential-exfiltration patterns.

  1. GitHub removes PAT requirement for agentic workflows (DevOps.com, Jun 15)
  2. Microsoft AntiSSRF open-source library (Help Net Security, Jun 17)
  3. Open-source CI/CD abuse detector guards against stolen-credential attacks (Help Net Security, Jun 15)
  4. GitHub to disable npm install scripts by default in npm v12 (The Hacker News, Jun 11) — foundational
  5. What’s coming to our GitHub Actions 2026 security roadmap (GitHub Blog, Mar 26) — foundational

Dev-tooling & AI coding agent threats

Agentjacking turns MCP-connected coding agents into code-execution vectors; malicious JetBrains plugins and the AUR campaign go directly after the AI API keys and cloud tokens that live on developer machines running those agents.

  1. Agentjacking: MCP/Sentry injection hijacks AI coding agents (Cloud Security Alliance, Jun 12) — foundational
  2. Malicious JetBrains plugins steal AI API keys from developers (BleepingComputer, Jun 10) — foundational
  3. Developer machines and the supply-chain security risk (Dark Reading, Jun 17)
  4. 400+ AUR packages hijacked: what “Atomic Arch” means for supply-chain security (StepSecurity, Jun 12) — foundational

Foundational: open source, compliance & platform

Two-thirds of the open-source community still unaware of the EU Cyber Resilience Act; Kubernetes security posture under AI-era pressure; and a structural gap in how organizations detect and respond to CI/CD compromise.

  1. Two-thirds of open-source community unaware of the Cyber Resilience Act (Infosecurity, Jun 8) — foundational
  2. Kubernetes in the Age of AI (O’Reilly Radar, Jun 18) — foundational

Detailed write-ups

01

144 Mastra npm packages compromised via easy-day-js dependency

The Hacker News · June 17, 2026

JFrog's security research team discovered that a malicious update to the “easy-day-js” npm package compromised 144 packages in the Mastra AI framework ecosystem. The attacker inserted a credential-harvesting payload that executed at install time, scooping cloud tokens, SSH keys, and .env secrets from any developer workstation that ran npm install against an affected Mastra package. The technique — hijacking a shared transitive dependency rather than publishing a fake look-alike — is a notable evolution: it allows a single tampered package to propagate through a large, trusted dependency graph without triggering name-similarity detectors. Mastra is widely used in AI agent development, making the developer and build-machine population an attractive target. JFrog notified npm; the packages were pulled within hours of discovery.

Read the article

02

Microsoft links Mastra AI supply-chain attack to North Korean hackers

BleepingComputer · June 20, 2026

Microsoft's threat intelligence team attributed the Mastra/easy-day-js npm campaign to Jade Sleet (also tracked as TEMP.Hermit), a North Korean cluster with a documented history of developer-targeted supply-chain operations including the 2023 npm wave. The attribution is operationally significant for DevSecOps teams: Jade Sleet is not an opportunist but a persistent actor that studies open-source developer tooling ecosystems before inserting payloads, meaning campaigns like this one reflect reconnaissance-then-insertion tradecraft rather than spray-and-pray. Microsoft's write-up details indicators of compromise and recommends auditing developer workstations, rotating any registry credentials that could have been present during the affected install window, and reviewing which Mastra package versions are pinned in internal pipelines.

Read the article

03

‘Hades’ attacks on PyPI — a new spin on Shai-Hulud

Dark Reading · June 8, 2026 · Foundational reading

Dark Reading covers the “Hades” campaign targeting PyPI with a fresh variation on the self-replicating Shai-Hulud worm technique: malicious packages that, when installed, scan the victim environment for developer credentials and use any registry tokens found to publish additional poisoned packages under the same or related namespaces. The self-amplifying model means an initial foothold in a single developer environment can propagate into a broader registry presence without additional attacker infrastructure. This is the PyPI-side complement to the npm story in articles 1 and 2, and a reminder that supply-chain actors are cross-registry in their targeting — the same playbook landing on both npm and PyPI within the same news cycle.

Read the article

04

OpenAI Codex authentication tokens stolen via codexui-android npm package

The Hacker News · June 1, 2026 · Foundational reading

Researchers found “codexui-android” on npm, a malicious package impersonating OpenAI's Codex tooling that exfiltrated authentication tokens from developer environments at import time. The targeting of Codex users is deliberate: developers building on AI coding APIs are a high-value target because their environments hold not just registry credentials but active API keys with billing scope and, in some cases, access to sensitive code repositories and build outputs. This case is an early-window example of the AI-framework credential-targeting pattern that the Mastra campaign escalated two weeks later. A reminder that any new AI-tooling namespace on npm is a typosquatting surface worth monitoring before your teams pull it.

Read the article

05

GitHub removes PAT requirement for agentic workflows

DevOps.com · June 15, 2026

GitHub announced that agentic workflows using GitHub Apps and fine-grained permissions can now operate without requiring a Personal Access Token, reducing the need for long-lived secrets in developer and CI environments. The change directly addresses one of the most persistent credential-hygiene problems in GitHub-based pipelines: PATs that accumulate broad repository scope, rarely rotate, and are the first thing a credential-harvesting npm payload looks for in a developer's environment. For teams already running agentic CI workflows or planning to adopt AI coding agents with GitHub integration, this is a meaningful hardening opportunity that removes a class of long-lived secret with minimal workflow disruption if migration is planned carefully.

Read the article

06

Microsoft AntiSSRF open-source library

Help Net Security · June 17, 2026

Microsoft open-sourced AntiSSRF, a library designed to prevent server-side request forgery from within application and pipeline code. SSRF from inside CI/CD runners is a lower-profile but persistent risk: a build that fetches external resources can be redirected to cloud metadata endpoints or internal services, leaking IAM credentials or internal network topology. AntiSSRF provides a defense-in-depth layer that can be dropped into build and application code without requiring infrastructure changes. The timing is notable — Microsoft has been publishing security tooling at a steady pace alongside its threat intelligence on the same attack surfaces, and AntiSSRF fits the pattern of tooling that addresses the specific runner-side vectors documented in the Mastra and Actions-exploitation research.

Read the article

07

Open-source CI/CD abuse detector guards against stolen-credential attacks

Help Net Security · June 15, 2026

A new open-source tool published this week is designed to detect abuse of CI/CD pipelines via stolen credentials — specifically the pattern where an attacker who has harvested a runner token or repository secret attempts to use it to trigger unauthorized workflow runs, push to protected branches, or exfiltrate artifacts. The detector monitors for anomalous usage patterns against a baseline of normal pipeline behavior, flagging activity that matches known stolen-credential playbooks. Given that the Mastra, Atomic Arch, and Codex campaigns all end with live credentials being harvested and reused, adding a detection layer at the pipeline-usage tier rather than only at the ingest tier is a meaningful defense-in-depth step for teams running GitHub Actions or similar platforms.

Read the article

08

GitHub to disable npm install scripts by default in npm v12

The Hacker News · June 11, 2026 · Foundational reading

GitHub announced that npm v12, expected in July, will no longer execute preinstall, install, and postinstall lifecycle scripts from dependencies by default — a change that requires projects to explicitly opt in to install-time script execution per package. This is the most consequential structural fix to the npm threat model in the current attack cycle: the Mastra, Shai-Hulud, and TeamPCP campaigns all exploit default automatic script execution to drop payloads at install time. The timing advice is practical: inventory which of your own builds currently depend on lifecycle scripts before the npm v12 default flips, so the change lands as a pipeline-hardening win rather than a broken build. Opting out of the new default to preserve convenience is the wrong call in 2026.

Read the article

09

What’s coming to our GitHub Actions 2026 security roadmap

GitHub Blog · March 26, 2026 · Foundational reading

GitHub's roadmap for making Actions secure by default maps directly to the credential-exfiltration patterns appearing in the week's attacks: workflow-level dependency locking via SHA pinning, policy-driven execution through rulesets, scoped secrets, an Actions Data Stream for pipeline observability, and a native egress firewall for hosted runners. Egress filtering and scoped secrets in particular are the controls that would have blunted the payload delivery in the Mastra and AUR campaigns — both attackers needed network egress from build or developer hosts to exfiltrate harvested credentials. For any team building its CI/CD hardening baseline on GitHub Actions, this roadmap is the planning document to track and implement ahead of the default changes arriving later this year.

Read the article

10

Agentjacking: MCP/Sentry injection hijacks AI coding agents (CSA primary research)

Cloud Security Alliance · June 12, 2026 · Foundational reading

The Cloud Security Alliance's primary research note on “agentjacking” is the authoritative technical account of how crafted Sentry error events, submitted via a project's public DSN, can trick an AI coding agent reading them over MCP into treating attacker-controlled content as trusted resolution steps — achieving code execution on the developer's machine with an 85% success rate in testing. The significance for DevSecOps teams wiring agents into error-monitoring, issue-tracking, and log feeds: those data sources are now injection surfaces. External data flowing into an agent's context must be treated as untrusted input regardless of the source system's reputation. The MCP trust boundary problem the CSA documents here is unresolved in tooling; defensive posture today requires explicit review of what data sources each agent can read and what actions it can take in response.

Read the article

11

Malicious JetBrains Marketplace plugins steal AI API keys from developers

BleepingComputer · June 10, 2026 · Foundational reading

BleepingComputer reports a cluster of malicious plugins published to the JetBrains Marketplace that harvested AI API keys — Anthropic, OpenAI, and Cohere credentials — from developer environments. The plugins passed basic review, were installed by developers seeking AI-assisted coding features, and exfiltrated stored API keys to attacker infrastructure in the background. The IDE extension supply chain is the newer and less-scrutinized relative of the npm/PyPI attack surface: developers install plugins with the same trust they extend to packages, and plugin marketplaces lack the same automated malware-scanning maturity the major language registries have built up over the past two years. Worth reviewing which JetBrains plugins are deployed in your developer fleet and whether any recently-added AI-tooling plugins match the IOCs in BleepingComputer's writeup.

Read the article

12

Developer machines and the supply-chain security risk

Dark Reading · June 17, 2026

This GitGuardian-sponsored analysis makes explicit the architecture problem underlying the week's attacks: developer workstations routinely hold live registry credentials, cloud API keys, SSH keys, and .env files that are outside the enterprise security perimeter, rarely covered by the same endpoint detection tooling applied to production servers, and directly in the blast radius of any malicious install-time or IDE-level payload. The piece walks through how the gap between enterprise security investment in CI/CD infrastructure and the actual security posture of developer endpoints creates a structural attack surface that supply-chain actors now deliberately target. Practical recommendations center on short-lived credential issuance, endpoint detection coverage parity with production, and limiting what secrets live on developer machines at rest.

Read the article

13

400+ AUR packages hijacked: what the “Atomic Arch” campaign means for supply-chain security

StepSecurity · June 12, 2026 · Foundational reading

StepSecurity's analysis of the Atomic Arch campaign — in which more than 400 orphaned Arch User Repository packages were silently adopted and weaponized to drop a Rust credential stealer on build and developer hosts — draws the lesson that matters most for platform teams: ownership-hijacking of abandoned packages is harder to detect than typosquatting because no new names are registered and no alerting triggers. The payload targets SSH keys, GitHub and npm tokens, Vault credentials, and Docker creds — exactly the secrets that live on developer machines running builds. StepSecurity frames the countermeasures around CI-runner hardening and network-level egress control on build hosts, rather than scanning the package name. If your developers build AUR packages on machines that also hold cloud tokens, this campaign is a direct threat to your supply chain trust model.

Read the article

14

Two-thirds of open-source community unaware of the Cyber Resilience Act

Infosecurity Magazine · June 8, 2026 · Foundational reading

An OpenSSF survey found that two-thirds of open-source maintainers and contributors are unaware of the EU Cyber Resilience Act, which will impose security and vulnerability-disclosure requirements on products with a digital element — including commercial software that ships with open-source components. The finding is operationally significant for DevSecOps teams in organizations selling into Europe: the CRA's SBOM, vulnerability reporting, and security-update obligations flow upstream to the open-source components in your stack, including maintainers who may not know requirements exist. The compliance gap is not just a legal risk but a supply-chain risk — a component whose maintainer is unaware of CRA obligations is unlikely to have the vulnerability disclosure and patching discipline the regulation expects.

Read the article

15

Kubernetes in the Age of AI

O’Reilly Radar · June 18, 2026 · Foundational reading

O'Reilly's analysis of how AI workloads are reshaping Kubernetes security and operations is a timely read for DevSecOps teams watching agentic CI/CD tooling arrive in clusters that were designed around stateless web services. The piece covers the security posture implications of running persistent AI inference workloads, the model-serving attack surface that differs from traditional web-application threats, the resource and network policy challenges of GPU node pools, and the governance gap that emerges when AI agent frameworks land in Kubernetes before platform teams have defined the trust boundaries for what those agents can reach and execute. Foundational context for teams planning cluster security policy for AI-era workloads rather than retrofitting it after the first incident.

Read the article

On our watch list

  • Transitive-dependency hijacking as a stealthy supply-chain vector. The Mastra/easy-day-js campaign demonstrates that compromising a single transitive dependency propagates malicious payloads to hundreds of downstream packages without triggering name-similarity or typosquatting detection. Watching whether npm, PyPI, and other registries build ownership-change monitoring and transitive-dependency integrity verification into their automated scanning pipelines.
  • AI coding agents as injection sinks inside the SDLC. Agentjacking, the Mastra targeting of developer machines running AI tooling, and the AI-tool-triggered worm variants all point the same direction: external data flowing into an agent's MCP context is now an injection surface. Watching for emerging tooling and standards that treat agent data-source feeds as untrusted input requiring sandboxing, prompt-injection mitigations, and action-confirmation guardrails.
  • IDE extension supply chains as the next registry-grade attack surface. The JetBrains AI-key-stealing plugins signal that attackers are treating plugin marketplaces with the same seriousness they apply to npm and PyPI. Watching whether JetBrains, VS Code, and other IDE marketplaces accelerate their automated malware-scanning maturity to match what the language registries have built since 2023.
  • CRA compliance gap in the open-source component supply chain. With two-thirds of open-source maintainers unaware of EU Cyber Resilience Act obligations, organizations selling into Europe face an upstream compliance risk embedded in components they ship. Watching for tooling that helps map CRA exposure across SBOM-declared dependencies and surfaces maintainer compliance posture alongside vulnerability data.

Security Radar · DevSecOps Weekly

Curated by Paul Davis · paul.davis@security-radar.com

You received this email because you subscribed to Security Radar bulletins.

*|LIST:ADDRESS|*

Unsubscribe · View in archive

© 2026 Security Radar LLC. All rights reserved.

Article titles and summaries are excerpted for review and commentary under fair use; all linked articles remain the copyright of their respective publishers and authors.

Recent Posts

  • DevSecOps Weekly — July 12, 2026
  • DevSecOps Weekly — July 12, 2026 — Interactive Topic Map
  • Malware Analysis Weekly — July 12, 2026
  • Malware Analysis Weekly — July 12, 2026 — Interactive Topic Map
  • AI & ML in Security — July 12, 2026

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • November 2025
  • April 2024
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • April 2023
  • March 2023
  • February 2022
  • January 2022
  • December 2021
  • September 2020
  • October 2019
  • August 2019
  • July 2019
  • December 2018
  • April 2018
  • December 2016
  • September 2016
  • August 2016
  • July 2016
  • April 2015
  • March 2015
  • August 2014
  • March 2014
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • October 2012
  • September 2012
  • August 2012
  • February 2012
  • October 2011
  • August 2011
  • June 2011
  • May 2011
  • April 2011
  • February 2011
  • January 2011
  • December 2010
  • November 2010
  • October 2010
  • August 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • February 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • June 2009
  • May 2009
  • March 2009
  • February 2009
  • January 2009
  • December 2008
  • November 2008
  • October 2008
  • September 2008
  • August 2008
  • July 2008
  • June 2008
  • May 2008
  • April 2008
  • March 2008
  • February 2008
  • January 2008
  • December 2007
  • November 2007
  • October 2007
  • September 2007
  • August 2007
  • July 2007
  • June 2007
  • May 2007
  • April 2007
  • March 2007
  • February 2007
  • January 2007
  • December 2006
  • November 2006
  • October 2006
  • September 2006
  • August 2006
  • July 2006
  • June 2006
  • May 2006
  • April 2006
  • March 2006
  • February 2006
  • January 2006
  • December 2005
  • November 2005
  • October 2005
  • September 2005
  • August 2005
  • July 2005
  • June 2005
  • May 2005
  • April 2005
  • March 2005
  • February 2005
  • January 2005
  • December 2004
  • November 2004
  • October 2004
  • September 2004
  • August 2004
  • July 2004
  • June 2004
  • May 2004
  • April 2004
  • March 2004
  • February 2004
  • January 2004
  • December 2003
  • November 2003
  • October 2003
  • September 2003

Categories

  • AI-ML
  • Augment / Virtual Reality
  • Blogging
  • Cloud
  • DR/Crisis Response/Crisis Management
  • Editorial
  • Financial
  • Make You Smile
  • Malware
  • Mobility
  • Motor Industry
  • News
  • OTT Video
  • Pending Review
  • Personal
  • Product
  • Regulations
  • Secure
  • Security Industry News
  • Security Operations
  • Statistics
  • Threat Intel
  • Trends
  • Uncategorized
  • Warnings
  • WebSite News
  • Zero Trust

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org
© 2026 CyberSecurity Institute | Powered by Superbs Personal Blog theme