devtake.dev

#github


GitHub news: Copilot changes, Actions incidents, supply-chain events, and platform announcements out of Microsoft.

Visual Studio Code logo on a dark background
Security

VS Code's webview sandbox leaks GitHub tokens that read and write every private repo

A disclosed VS Code zero-day lets one click on a malicious github.dev notebook steal a GitHub OAuth token with full read-write access to every private repo.

The microsoft/coreutils GitHub repository page
Open Source

Microsoft is shipping Linux's core commands on Windows, built in Rust

Microsoft's Coreutils for Windows brings native ls, cp, and grep to Windows, built on the Rust uutils project. Here's what it is and why the Rust rewrite matters.

GitHub and Windows security composite with a warning overlay
Security

GitHub banned the researcher dropping Windows zero-days. The code was already mirrored everywhere.

GitHub wiped Nightmare-Eclipse's account on May 23 after weeks of unpatched Windows exploits. The ban reopened the oldest fight in security: who decides what research gets hosted?

A scan of the 86-DOS changelist from Tim Paterson's 1981 assembler printout, the kind of artifact Microsoft released under MIT on April 28.
Open Source

Microsoft just open-sourced 86-DOS. Tim Paterson's 45-year-old listings are now on GitHub under MIT.

Yufeng Gao and Rich Cini scanned Tim Paterson's 1981 assembler printouts. Microsoft pushed them to DOS-History/Paterson-Listings on April 28, the 45th anniversary.

Portrait of Andrej Karpathy, whose January 26 X thread on agentic coding was distilled into the viral CLAUDE.md file.
AI

Karpathy posted four notes about Claude Code. The CLAUDE.md they spawned has 110K GitHub stars.

Forrest Chang turned Andrej Karpathy's January coding thread into a 70-line CLAUDE.md. It now has 110,000+ stars and has trended on GitHub for 28 weeks.

GitHub security blog header showing the GitHub Octocat logo on a backdrop of black security blocks.
Security

GitHub's internal repos were breached. The attacker came in through a poisoned VS Code extension.

GitHub detected the intrusion on May 18 after a malicious VS Code extension compromised an employee's device. The attacker claims to have exfiltrated 3,800 internal repositories.

CISA logo and seal of the U.S. Cybersecurity and Infrastructure Security Agency
Security

A CISA contractor left GovCloud admin keys on public GitHub. The file was named 'Important AWS Tokens.txt'.

GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.

RPCS3 project logo on a solid black background, from the official rpcs3.net press graphic
Open Source

RPCS3's maintainers will ban contributors who submit undisclosed AI pull requests

The PS3 emulator project posted on X on May 10, citing 'AI slop' that has been clogging review. The hard line: ban-on-sight if you don't disclose.

Stylized GitHub Copilot mascot melting into glowing puddles in front of a wall of flames — a visual metaphor for the steep multiplier hike on annual plans.
AI

GitHub Copilot's Claude Opus multiplier jumps to 27x on June 1. Monthly plans dodge the hike.

GitHub's new model multiplier table for Copilot Pro and Pro+ annual plans lands June 1. Opus 4.6 goes 3 to 27. Sonnet 4.6 goes 1 to 9.

A page of the original 86-DOS 1.00 assembler listing showing handwritten changelist annotations
Open Source

Microsoft open-sourced the earliest known DOS code, transcribed from a stack of Tim Paterson's printouts.

MIT-licensed at GitHub on April 28, the 86-DOS 1.00 kernel and PC-DOS development snapshots were OCR'd from 45-year-old assembler listings.

Open-source illustration showing a stylized icon for collaborative software development.
Open Source

Mitchell Hashimoto is pulling Ghostty off GitHub. The reason is daily outages.

Ghostty's creator has tracked GitHub outages every workday for months. After 18 years on the platform, he's moving the project. A read-only mirror stays.

GitHub branding image used by Wiz Research in their CVE-2026-3854 writeup.
Security

Wiz found an RCE in GitHub's git-push pipeline. The patch shipped in six hours.

CVE-2026-3854 is a CVSS 8.7 RCE in GitHub's git-push pipeline. github.com fixed it within hours. 88% of Enterprise Server installs were still vulnerable at disclosure.

GitHub Octocat mark on a dark gradient, the cover graphic on the GitHub Blog post announcing the Copilot billing change.
AI

GitHub Copilot kills premium requests on June 1. Token billing arrives, fallback models do not.

On June 1 every Copilot plan switches to GitHub AI Credits priced per token. Code completions stay free. Fallback models and credit rollover do not.

GitHub OG card for the StarScout research repository from Carnegie Mellon
Open Source

Inside GitHub's fake star economy: 6 million bought stars and how to spot them

A Carnegie Mellon study counted 6 million suspected fake stars across 18,617 GitHub repos. Here's what the StarScout research actually found and how to read a star count now.

GitHub repository page for the PLFM_RADAR Aeris-10 project
Hardware

A $5,000 open-source radar that sees 20 km, built by one engineer in Morocco

Nawfal Motii's Aeris-10 phased-array radar beats $250,000 commercial systems at 3% of the cost. Hardware, firmware, and FPGA bitstream are all on GitHub.