Wednesday 29 April 2026

One Git Push to Own GitHub: CVE-2026-3854 Is the RCE Flaw Defenders Need to Patch Now

A critical GitHub RCE flaw lets any authenticated user pop a shell with one git push — and that's just the start of a busy day in security.

Lead story

Researchers have disclosed a critical remote code execution vulnerability in both GitHub.com and GitHub Enterprise Server that requires almost no sophistication to exploit. CVE-2026-3854 scores 8.7 on the CVSS scale, and the attack path is brutally simple: any authenticated user with push access to a repository can trigger command injection and achieve RCE on the server. No chained exploits, no phishing, no waiting — just a single git push.

What's actually happening here

The flaw is a command injection bug rooted in how GitHub processes certain inputs during a push operation. When the server handles the incoming data, it doesn't adequately sanitise attacker-controlled strings before passing them to a system command. The result is that an attacker can embed shell commands that execute in the server's context.

"Authenticated with push access" sounds like a high bar, but it isn't. Free GitHub accounts can push to their own repos or to any repo where a maintainer has granted collaboration rights. In enterprise environments, where hundreds of developers share access to monorepos, the blast radius of a compromised account — or a malicious insider — is enormous.

Why this one matters more than most

GitHub is the connective tissue of modern software. Your CI/CD pipelines, your dependency graphs, your infrastructure-as-code — all of it flows through git. An attacker who can execute code on a GitHub Enterprise Server instance doesn't just get one codebase; they get the keys to every repository the server hosts, every secret stored in Actions, and potentially every downstream deployment pipeline those repos feed.

For organisations running self-hosted GitHub Enterprise Server, this is a patch-now situation. GitHub.com is a managed service and presumably patched already, but on-premises deployments require action from the operating organisation.

The supply-chain angle

This vulnerability lands in a week already saturated with supply-chain concerns — 73 malicious GlassWorm extensions seeded into OpenVSX, a poisoned element-data npm package with a million monthly downloads, and ongoing targeting of developer tooling. The pattern is consistent: attackers are going after the build environment, not the production environment. Compromise the place where code is written and reviewed, and you get everything downstream for free.

What to watch

GitHub has not yet confirmed whether CVE-2026-3854 has been actively exploited in the wild. Given the straightforward attack path, that silence shouldn't be read as reassurance. Organisations should check their GitHub Enterprise Server version, apply the patch immediately, audit recent push activity for anomalies, and rotate any secrets stored in repository settings or Actions secrets.

Australian organisations running GitHub Enterprise Server on-premises — particularly those in financial services, government, and defence supply chains where source code integrity is a SOCI or ISM concern — should treat this as a P1 remediation task. The ACSC's Australian Government Information Security Manual guidance on patch management timelines sets a 48-hour window for critical vulnerabilities with public exploit details. The clock is running.

Also today

VECT Ransomware Is Actually a Wiper — Don't Pay

A new ransomware-as-a-service operation called VECT 2.0 has a critical flaw in its own encryption logic: files larger than 131KB are irreversibly overwritten rather than encrypted, making recovery impossible even for victims who pay. Check Point Research, which published the technical breakdown, traced VECT back to a Russian-language cybercrime forum in late 2025. The group recently announced a partnership with TeamPCP, a known supply-chain threat actor, suggesting it is scaling up. Security teams should treat any VECT infection as a destructive attack and trigger incident response accordingly — there is no decryption key that will help.

Check Point Research

Hugging Face LeRobot Has a 9.3-Severity RCE Flaw — and No Patch

A critical unpatched vulnerability in Hugging Face's LeRobot open-source robotics platform can be exploited by an unauthenticated attacker to achieve remote code execution. CVE-2026-25874 scores 9.3 and stems from unsafe deserialisation of untrusted data — a classic class of bug that keeps recurring because deserialisation is hard to get right. LeRobot has nearly 24,000 GitHub stars and is widely used in robotics research and experimentation. With no patch available yet, anyone running LeRobot should isolate it from public networks and treat inbound data sources as untrusted until a fix lands.

The Hacker News

GlassWorm Returns With 73 'Sleeper' Extensions in OpenVSX

A fresh wave of the GlassWorm malware campaign has seeded OpenVSX — the open-source alternative to Microsoft's VS Code marketplace — with 73 cloned extensions that appear legitimate on install but turn malicious after a subsequent update. The technique is clever: ship something clean to pass automated scanning, then flip the switch later. Developers using VS Code forks like VSCodium that draw from OpenVSX rather than Microsoft's official registry are most exposed. This is at least the second wave of GlassWorm activity and underscores the growing threat to developer toolchains broadly. Audit your installed extensions and prefer official marketplace sources where possible.

Bleeping Computer

Silk Typhoon Member Extradited to the US From Italy

Xu Zewei, a 34-year-old Chinese national and alleged member of the state-sponsored Silk Typhoon hacking group (previously known as Hafnium), has been extradited to the United States after being arrested in Italy last July. He is accused of conducting cyberattacks against American universities and government agencies between February 2020 and June 2021, targeting COVID-19 research data under the direction of Chinese intelligence services. The extradition is notable because China generally refuses to extradite its nationals, meaning Italy's cooperation represents a meaningful law enforcement win. Silk Typhoon has previously been linked to the exploitation of Microsoft Exchange vulnerabilities at scale.

CyberScoop

Vimeo Confirms Data Exposed via Anodot Third-Party Breach

Vimeo has confirmed that customer and user data was accessed without authorisation following a breach at Anodot, a data anomaly detection vendor the video platform uses. ShinyHunters is threatening to publicly release the stolen files unless Vimeo pays a ransom. Vimeo says video content, login credentials, and payment card data were not accessed. The incident is a textbook example of third-party supply-chain risk: Vimeo's own systems were not compromised, but a vendor's breach became Vimeo's problem. Australian organisations that rely on SaaS analytics vendors should review their third-party risk registers — the SOCI Act's requirements around third-party risk management are directly relevant here.

Bleeping Computer

OpenAI and AWS: Microsoft's Exclusivity Is Over

OpenAI's models, Codex CLI, and a new Managed Agents service are now available on Amazon Web Services, just one day after OpenAI and Microsoft agreed to end their exclusive cloud arrangement. The move means enterprises can now run OpenAI models — including agentic workflows — inside their existing AWS environments, with all the compliance and data-residency controls AWS provides. For AWS customers that have been locked out of OpenAI's best models for architectural reasons, this is a meaningful change. Stratechery's Ben Thompson published an interview with both CEOs unpacking the commercial logic. Australian AWS regions could soon carry OpenAI-powered workloads, which has implications for data sovereignty discussions under Australian Privacy Act reforms.

OpenAI Blog

Musk vs. Altman: The Trial Begins, and It's Already Theatre

Elon Musk took the stand on Tuesday as the first witness in his own lawsuit against OpenAI CEO Sam Altman, a case that could determine whether OpenAI is permitted to complete its conversion to a for-profit company — and, by extension, whether its anticipated IPO proceeds. Musk spent much of his opening testimony recounting his personal history rather than the alleged breach of fiduciary duty at the heart of the case. The trial is happening in Northern California and is expected to run for weeks. The stakes are high: a ruling against OpenAI's restructuring could upend its commercial trajectory at a moment when it is also expanding to AWS and competing with Google for Pentagon contracts.

MIT Technology Review

Australia's Big Tech News Tax: Pay Up or Face a 2.25% Levy

Australia has passed legislation requiring large technology platforms to either negotiate revenue-sharing deals with Australian news publishers or face a 2.25% revenue tax. Platforms that reach enough deals with media outlets will see that effective rate drop to 1.5%. The government estimates the scheme could return between A$200 million and A$250 million annually to Australian journalism. The policy is an evolution of the 2021 News Media Bargaining Code, which relied more heavily on voluntary negotiation. It directly affects the Australian operations of Google, Meta, and other major platforms, and is being watched internationally as a potential model for other countries considering similar frameworks.

TechCrunch

GitHub Copilot Moves to Usage-Based Pricing

GitHub has announced it will shift its Copilot product to a consumption-based billing model, citing "escalating inference costs" from its heaviest users that it can no longer absorb under flat subscription pricing. Developers who use Copilot lightly will likely pay less; power users — those generating thousands of completions daily — will pay more. The change reflects a broader industry reckoning with AI inference economics: the marginal cost of each token is real, and flat-rate pricing works until the heavy users arrive. For Australian software teams that have standardised on Copilot across engineering organisations, this is a budgeting conversation that needs to happen now before the new billing kicks in.

Ars Technica

Schneier: Anthropic's Mythos Is a Security Inflection Point

Bruce Schneier has published a sobering assessment of what Anthropic's Claude Mythos Preview means for the security industry. The model can autonomously find and weaponise software vulnerabilities — including ones in operating systems and internet infrastructure — without expert guidance, turning them into working exploits. Schneier's argument is that this capability doesn't just accelerate existing attack patterns; it structurally changes the economics of vulnerability research by making expert-level exploit development accessible at scale. Defenders, he argues, face a window-closing problem: the buffer between disclosure and exploitation, already shrinking, may effectively disappear. Essential reading for anyone building security programmes right now.

Schneier on Security

PhantomRPC: The Windows Privilege Escalation Trick With No Patch

Researchers have disclosed PhantomRPC, a novel privilege escalation technique affecting Windows that has no patch. The attack works by standing up a fake RPC server that listens for legitimate RPC requests, then impersonates the target service to capture and relay those requests — ultimately escalating the attacker's privileges to SYSTEM level. Because PhantomRPC abuses legitimate Windows RPC plumbing rather than a specific software bug, a traditional CVE-and-patch response may not be straightforward. The disclosure follows a pattern of researchers finding durable, architecture-level privilege escalation paths in Windows that persist across patch cycles. Defenders should monitor for unexpected RPC listener processes and apply least-privilege principles to limit the damage if escalation occurs.

SecurityWeek
