GitHub rejected two vulnerability reports from Deep Specter Research concerning design flaws that may allow variants of the Shai-Hulud supply-chain worm to compromise numerous software packages and developer accounts globally. These reports were deemed ineligible and not a security risk, despite the ongoing threat posed by the worm.
Originating from the TeamPCP cybercrime group, these variants have been linked to significant breaches, including those affecting the European Commission, AI firm Mercor, the LiteLLM package, GitHub itself, and Red Hat.