Articles tagged credential-theft on devtake.dev.https://devtake.dev/en-ushttps://devtake.dev/article/vscode-zero-day-github-token-theft/https://devtake.dev/article/vscode-zero-day-github-token-theft/A disclosed VS Code zero-day lets one click on a malicious github.dev notebook steal a GitHub OAuth token with full read-write access to every private repo.Wed, 03 Jun 2026 13:15:00 GMTsecuritysecuritygithubcredential-theftdev-toolsrcesupply-chainoauthluca-reinhardthttps://devtake.dev/article/minecraft-weedhack-malware/https://devtake.dev/article/minecraft-weedhack-malware/McAfee says a free malware-as-a-service stealer called WeedHack has hit 116,000+ Minecraft systems via fake mods and cheats. Here's what it grabs and how to clean up.Wed, 03 Jun 2026 11:00:00 GMTgaminggamingminecraftmalwaresecuritycredential-theftinfostealersupply-chainhiro-tanakahttps://devtake.dev/article/shinyhunters-7-eleven-breach-185k/https://devtake.dev/article/shinyhunters-7-eleven-breach-185k/ShinyHunters breached a 7-Eleven Salesforce instance holding franchisee documents, exposing 185,000 people. The 9.4GB archive hit a leak site after 7-Eleven declined to pay.Wed, 27 May 2026 18:35:00 GMTsecuritysecuritydata-breachshinyhunterssalesforceextortioncredential-theftluca-reinhardthttps://devtake.dev/article/microsoft-internal-account-spam-abuse/https://devtake.dev/article/microsoft-internal-account-spam-abuse/Spammers found a Tenant Name injection in Entra ID that pushes fraud text into Microsoft's own OTP emails. The from-line reads msonlineservicesteam@microsoftonline.com.Mon, 25 May 2026 12:00:00 GMTsecuritysecuritymicrosoftentra-idphishingdmarcspamhausemail-securitycredential-theftluca-reinhardthttps://devtake.dev/article/github-internal-repos-breach-vscode-extension/https://devtake.dev/article/github-internal-repos-breach-vscode-extension/GitHub detected the intrusion on May 18 after a malicious VS Code extension compromised an employee's device. The attacker claims to have exfiltrated 3,800 internal repositories.Fri, 22 May 2026 10:15:00 GMTsecuritysecuritygithubvscodesupply-chaincredential-theftdev-toolsluca-reinhardthttps://devtake.dev/article/cisa-aws-govcloud-keys-github-leak/https://devtake.dev/article/cisa-aws-govcloud-keys-github-leak/GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.Thu, 21 May 2026 11:15:00 GMTsecuritysecuritycisagithubsupply-chaincredential-theftawsgitguardiangovcloudluca-reinhardthttps://devtake.dev/article/akhter-twins-opexus-database-deletion/https://devtake.dev/article/akhter-twins-opexus-database-deletion/A federal jury convicted Sohaib Akhter on May 7 of wiping 96 government databases at Opexus. His twin Muneeb queried an AI: 'how do I clear system logs from SQL servers.'Fri, 15 May 2026 09:00:00 GMTsecuritysecurityinsider-threatopexuseeoccredential-theftfoiapolicysupply-chainluca-reinhardthttps://devtake.dev/article/tanstack-npm-supply-chain-postmortem/https://devtake.dev/article/tanstack-npm-supply-chain-postmortem/Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.Tue, 12 May 2026 10:15:00 GMTsecuritysecuritysupply-chainnpmtanstackgithub-actionscredential-theftdev-toolsluca-reinhardthttps://devtake.dev/article/chinese-grey-market-claude-api-stolen-credentials/https://devtake.dev/article/chinese-grey-market-claude-api-stolen-credentials/A ChinaTalk investigation reveals how 'transfer stations' resell Anthropic API access using stolen credentials, model substitution, and prompt harvesting.Sun, 10 May 2026 09:30:00 GMTaianthropicclaudeai-securitycredential-theftchinasupply-chainai-modelsdieter-morellihttps://devtake.dev/article/vibe-coded-apps-expose-corporate-data/https://devtake.dev/article/vibe-coded-apps-expose-corporate-data/RedAccess found that AI coding tools like Lovable, Base44, and Replit default to public hosting, leaving medical records, bank internals, and corporate secrets indexed by Google.Sat, 09 May 2026 08:00:00 GMTsecuritysecurityai-securityai-agentsdev-toolssupply-chainprivacycredential-theftluca-reinhardthttps://devtake.dev/article/instructure-canvas-breach-shinyhunters-275m/https://devtake.dev/article/instructure-canvas-breach-shinyhunters-275m/ShinyHunters breached Canvas LMS again, claiming 275 million records from 9,000 schools. Names, emails, student IDs, and private messages exposed.Fri, 08 May 2026 09:00:00 GMTsecuritysecuritydata-breachinstructurecanvasshinyhunterseducationsupply-chaincredential-theftluca-reinhardthttps://devtake.dev/article/microsoft-edge-cleartext-passwords-memory/https://devtake.dev/article/microsoft-edge-cleartext-passwords-memory/A researcher showed Edge decrypts the entire password vault at launch and leaves it in process memory. Chrome decrypts on demand. Microsoft says it's intentional.Tue, 05 May 2026 08:45:00 GMTsecuritysecuritymicrosoftedgebrowser-securitycredential-theftchromiumpasswordsprivacyluca-reinhardthttps://devtake.dev/article/pytorch-lightning-pypi-compromise-mini-shai-hulud/https://devtake.dev/article/pytorch-lightning-pypi-compromise-mini-shai-hulud/Two malicious lightning releases hit PyPI on April 30. The 42-minute window was enough to ship an RSA-encrypted infostealer to ML developers worldwide.Sat, 02 May 2026 09:00:00 GMTsecuritypytorch-lightningpypisupply-chainmini-shai-huludcredential-theftpythonmlsecurityluca-reinhardthttps://devtake.dev/article/cpanel-whm-auth-bypass-cve-2026-41940/https://devtake.dev/article/cpanel-whm-auth-bypass-cve-2026-41940/cPanel shipped fixes April 28 for a CVSS 9.8 auth bypass that walks attackers into shared-hosting panels with no password. WatchTowr says exploitation started before the patch.Fri, 01 May 2026 11:25:00 GMTsecuritysecuritycpanelweb-hostingcve-2026-41940auth-bypasswatchtowrcredential-theftsupply-chainluca-reinhardthttps://devtake.dev/article/canisterworm-namastex-npm-pypi-supply-chain/https://devtake.dev/article/canisterworm-namastex-npm-pypi-supply-chain/Socket flagged a self-propagating worm in @automagik/genie, pgserve, and 14 sibling Namastex Labs packages. It steals 40 credential categories and republishes itself.Tue, 28 Apr 2026 16:30:00 GMTsecuritynpmsupply-chaincanisterwormsecuritynamastexteampcppypicredential-theftluca-reinhardthttps://devtake.dev/article/gpt-proxy-npm-supply-chain/https://devtake.dev/article/gpt-proxy-npm-supply-chain/Aikido found a stage-2 Go binary inside two health-check-themed packages that runs an OpenAI-compatible router routing Claude, GPT, and Gemini traffic through Chinese aggregators.Sat, 25 Apr 2026 07:30:00 GMTsecuritysupply-chainnpmpypiai-securitymalwarellmchinacredential-theftluca-reinhardthttps://devtake.dev/article/bitwarden-cli-shai-hulud-npm-worm/https://devtake.dev/article/bitwarden-cli-shai-hulud-npm-worm/A malicious @bitwarden/cli@2026.4.0 hit npm on April 22. The payload steals npm tokens, cloud secrets, and Claude Code credentials, then self-replicates.Thu, 23 Apr 2026 19:00:00 GMTsecuritybitwardenshai-huludnpmsupply-chainwormcredential-theftcheckmarxcicdluca-reinhardt