// #ci-cd

4 articles

💻 AppSec

VS Code Adds Two-Hour Extension Auto-Update Delay to Reduce Supply Chain Attack Window

Microsoft has released VS Code 1.101 with a configurable two-hour delay on automatic extension updates. The change is a direct response to supply chain attacks in which malicious updates were pushed to popular extensions, executing on developer machines within minutes of publication. The delay gives security teams a detection window before malicious updates execute across the developer fleet.

#vscode +7
💻 AppSec

GitHub Enterprise Server CVE-2026-3854 — Critical RCE via Single Git Push, No Authentication Required

CVE-2026-3854, a critical-severity remote code execution vulnerability in GitHub Enterprise Server, allows an attacker to execute arbitrary code on the server with a single specially crafted Git push, requiring no authentication. Any internet-exposed or internally accessible GHES instance is vulnerable. GitHub has released hotfixes across all supported branches; apply immediately.

#github-enterprise +6
💻 AppSec

Jenkins GitHub Plugin CVE-2026-42523 — CVSS 9.0 Stored XSS Enables Pipeline Hijacking and Secret Extraction

CVE-2026-42523, rated CVSS 9.0, is a stored cross-site scripting vulnerability in the Jenkins GitHub Plugin 1.46.0 and earlier. Exploitation allows an attacker with job creation rights to inject malicious JavaScript that executes in the browser of any Jenkins administrator who views the affected job — enabling session hijacking, secret extraction, and full pipeline takeover. Update to GitHub Plugin 1.46.1 or later.

#jenkins +6
💻 AppSec

Vercel Confirms Breach via Compromised AI Tool — Developer Environment Variables and Credentials Exposed

Cloud deployment platform Vercel has confirmed a breach traced to a Lumma infostealer infection at Context.ai, a third-party AI tool used by a Vercel employee. Attackers used the stolen Google Workspace OAuth access to reach Vercel's internal environments, exposing environment variables and a limited set of customer credentials. ShinyHunters is claiming responsibility and demanding $2 million for the stolen data.

#vercel +9

Commentary tagged #ci-cd

Opinion

TeamPCP Has Now Hit Every Developer Distribution Channel. The Pipeline Is the Perimeter.

In six weeks, one supply chain threat group has successfully backdoored GitHub Actions, PyPI, npm, Docker Hub, and the VS Code Marketplace. The security industry's response has been to treat each incident as a separate patching problem. It isn't. It's a systematic demonstration that the developer distribution stack has no defence-in-depth, and that the security controls the industry has built — SCA, SBOM, SAST — operate at entirely the wrong layer.

CipherWatch Editorial