Morning Review in IT Security — July 8, 2026
The threat landscape continues to intensify as attackers target critical infrastructure across multiple platforms. Today's review covers a sophisticated supply-chain campaign spanning two major package repositories, critical authentication bypass vulnerabilities in widely-used development tools, and emerging attack patterns that evade traditional security controls.
Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps
Socket's AI scanner detected a coordinated malware campaign on July 7, 2026, consisting of 17 malicious packages published nearly simultaneously across npm and PyPI repositories. The attack targets developers and users of popular payment processing platforms including PaySafe, Skrill, and Neteller. Source: Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps
The npm packages each published four malicious versions (1.0.0 through 1.0.3), with detection occurring within six minutes of publication. The affected npm packages include paysafe-checkout, paysafe-vault, neteller, skrill-payments, paysafe-js, paysafe-api, paysafe-node, paysafe-cards, paysafe-fraud, paysafe-kyc, skrill, skrill-sdk, and paysafe-payments. The PyPI ecosystem was targeted with four malicious packages: paysafe-kyc, paysafe-payments, paysafe-sdk, and paysafe-api, each publishing a single malicious version 1.0.0.
The malware employs sophisticated techniques to steal credentials and tokens from victim systems. The packages mimic legitimate Paysafe REST client implementations while exfiltrating environment variables matching patterns including KEY, SECRET, TOKEN, PASS, AUTH, and API. The stolen data is sent to command-and-control infrastructure at caliber-spinner-finishing.ngrok-free.dev. The npm variant includes sandbox evasion checks and delays exfiltration by approximately 11.7 seconds, while the PyPI variant activates universally without API key gating. The threat actor demonstrates operational maturity through use of unique obfuscation keys across versions to prevent signature-based tracking and infrastructure overlap with established cybercrime groups.
Critical Gitea Flaw Under Active Exploitation, Researchers Warn
A critical authentication bypass vulnerability in Gitea is being actively exploited in the wild, allowing attackers to bypass authentication mechanisms using a single HTTP header to access vulnerable repositories and sensitive secrets. Source: Critical Gitea Flaw Under Active Exploitation, Researchers Warn
The vulnerability, identified as CVE-2026-20896, poses significant risk to organizations relying on Gitea for source code management and repository hosting. The active exploitation indicates that threat actors have weaponized this flaw and are actively targeting Gitea instances.
'GitLost' Flaw Leaks Private Data From GitHub's Agentic Workflows
A vulnerability dubbed GitLost has been discovered in GitHub's agentic workflows that enables unauthenticated attackers to extract private repository data through a novel attack vector. Source: 'GitLost' Flaw Leaks Private Data From GitHub's Agentic Workflows
The attack exploits GitHub's workflow automation capabilities by allowing an attacker to craft a malicious GitHub Issue in an organization's public repository and then silently access data from the organization's private repositories. This vulnerability, tracked as CVE-2024-4122, demonstrates how automation features designed to improve developer productivity can be weaponized to bypass access controls and exfiltrate sensitive information.
The GitHub Actions Attack Pattern Your CI Security Scanners Miss
Research from ActiveState reveals a critical gap in CI/CD security tooling: traditional CI security scanners fail to detect sophisticated GitHub Actions attack chains that exploit workflow composition techniques. Source: The GitHub Actions Attack Pattern Your CI Security Scanners Miss
The attack pattern, associated with the Cordyceps malware, has been identified across more than 300 open-source repositories. The research demonstrates that passing a security scan does not guarantee pipeline security, as attackers can chain together seemingly benign Actions to achieve malicious objectives while evading detection. This finding underscores the need for organizations to implement more sophisticated governance controls over their CI/CD workflows beyond traditional scanning approaches.
Organizations should prioritize immediate patching of Gitea instances, audit their GitHub repositories and Actions workflows for signs of compromise, and implement comprehensive secrets rotation protocols across all development infrastructure. The convergence of these vulnerabilities highlights the critical importance of supply-chain security as a foundational element of enterprise security strategy.