A supply chain attack campaign utilizing sleeper packages has been identified, distributing malicious payloads that enable credential theft, GitHub Actions tampering, and SSH persistence mechanisms. The attack is attributed to the GitHub account 'BufferZoneCorp' which has published malicious Ruby gems and Go modules.

A critical security vulnerability (CVE-2026-3854, CVSS 8.7) has been disclosed affecting GitHub.com and GitHub Enterprise Server. The flaw is a command injection issue allowing authenticated users with repository push access to achieve remote code execution through a single git push command.