GitHub news and developer summaries

A recent VS Code Git extension update enabled 'git.addAICoAuthor' by default, automatically adding 'Co-authored-by: Copilot' trailers to commits. This change faced severe community backlash due to privacy concerns, lack of transparency, and reports of the trailer being injected even when Copilot features were disabled or not used, leading to widespread dissatisfaction among developers.

On May 11, 2026, TanStack suffered a supply chain attack where 84 malicious package versions were published. Attackers chained GitHub Actions cache poisoning, pull_request_target misuse, and OIDC token theft to bypass CI/CD security. No npm credentials were stolen, but local installations may be compromised. All affected versions were deprecated, and security hardening is underway.

A CISA contractor accidentally exposed highly privileged AWS GovCloud credentials and internal system passwords on a public GitHub repository. The leak included plaintext credentials and software deployment configurations, described as a severe security failure. While the repository was removed, experts warn that the exposure of such internal assets poses significant risks for potential lateral movement and long-term compromise.

On May 19, 2026, the 'atool' npm account was compromised, leading to 637 malicious versions across 317 packages. The attack used the 'Mini Shai-Hulud' toolkit to harvest credentials, hijack AI coding agents, and establish persistent backdoors via GitHub API dead-drops. The payload targeted cloud environments, CI/CD pipelines, and local developer machines through automated, obfuscated Bun scripts.

The development team actively reviews all user feedback to improve their documentation and software quality. Recent repository activity shows two files changed in a commit, signaling ongoing updates and maintenance within the project.

GitHub updated the git.addAICoAuthor setting for Copilot commit attribution after a bug incorrectly labeled non-AI code. The default is now switched back to off, and future updates will require user consent before adding AI trailers to commits, while exploring 'Assisted-by' attribution to improve transparency regarding AI-generated code and model usage.

Meshtastic is a community-driven, open-source project using LoRa radios to create long-range, decentralized,, and encrypted off-grid communication networks. It functions without reliable infrastructure, enabling text messaging and GPS location sharing while offering excellent battery life. The project relies on volunteers for ongoing development and support via GitHub and Discord.

Archestra CTO Ildar Iskhakov describes the struggle with 'AI slop'—low-quality automated contributions flooding GitHub repositories. This noise buries legitimate work, forcing maintainers to implement strict, gated onboarding processes to preserve repo quality and community safety. He argues that current GitHub metrics hide the negative impact of AI bots on genuine open source collaboration.

The NetHack DevTeam has released NetHack 5.0.0, introducing major architectural updates including C99 standard compliance, improved cross-compiling support, and a transition to Lua-based processing for compilers. This release is incompatible with previous save files. Developers welcome bug reports and pull requests to further refine this new version.

Microsoft is phasing out Claude Code licenses for its internal staff to prioritize GitHub Copilot CLI. While Claude Code was popular for its agentic capabilities, Microsoft aims to consolidate developer workflows around its own GitHub-integrated tooling, citing both operational efficiency and long-term product development goals. Anthropic models remain accessible via Copilot CLI and other products.

Users can now subscribe to GitHub status updates via email or SMS. Email notifications cover incident updates, while SMS notifications are specifically for the creation and resolution of incidents. A phone number verification process is required to enable text message alerts, while email subscription can be activated immediately.

The GitHub Status page tracks service uptime and reliability, currently showcasing a record-breaking streak of consecutive days without incidents for 2026. This metric highlights the platform's commitment to stable infrastructure and operational excellence for developers relying on GitHub for critical workflows and version control.

U.S. lawmakers are questioning CISA after a contractor leaked sensitive plaintext credentials and AWS GovCloud keys on a public GitHub repository. Despite efforts to invalidate these secrets, concerns remain regarding security culture and oversight, as experts note that adversaries may have already accessed the exposed data, potentially compromising critical federal infrastructure.

The author argues that GitHub has declined in quality under Microsoft's ownership, citing increased downtime and an overwhelming influx of AI-generated content. They urge developers to migrate to decentralized or alternative Git forges like Codeberg, Gitea, or self-hosted solutions, emphasizing that Git is independent of GitHub, which is merely a centralized convenience.

GitHub is resolving degraded availability for Actions Jobs on Hosted Runners in the East US region. While Standard Hosted Runners are showing signs of recovery following mitigation efforts, users with Private Networking remain impacted as Azure works to restore capacity. Users are advised to fail over to alternative regions to mitigate ongoing queue delays and job failures.

The author customized the jj (Jujutsu) version control system to generate more descriptive Git branch names. By creating a custom 'slugify' template alias, the user now incorporates commit descriptions into bookmark names instead of relying on default change IDs, significantly improving readability and project tracking when viewing repositories on platforms like GitHub.

The threat group TeamPCP, also known as UNC6780, claims to have breached GitHub’s internal systems, compromising approximately 4,000 private repositories. GitHub has confirmed an investigation but reports no evidence that customer data was affected. TeamPCP is a sophisticated, financially motivated actor known for major supply chain attacks targeting critical development and security tools.

The author discovered a subdomain takeover vulnerability on their domain caused by loose DNS configurations pointing to GitHub Pages. Because the domain was not verified on GitHub, an unauthorized user exploited it to host malicious content. The author recommends that GitHub implement stricter domain verification to prevent such subdomain takeovers in the future.