Weekly Security Roundup: Supply Chain, GitHub Controls, PQ SSH
This week’s security updates highlight more sophisticated supply chain attacks and stronger platform controls, with vendor improvements addressing code safety, governance, identity management, and quantum-era risks.
Malicious Extension Threats in Developer Ecosystems
Investigations reveal the WhiteCobra group distributing advanced malicious VSCode and Open VSX Marketplace extensions, following last week’s focus on AI tool security. WhiteCobra employs payloads split across helper files and scripts to circumvent static analysis, with LummaStealer stealing wallets, credentials, and cloud accounts. Automated fake reviews, cross-market spreading (Cursor/Windsurf), and multi-OS payloads escalate risks, including some targeting Ethereum contributors. Experts recommend exacting extension screening, stronger monitoring, and improved supply chain security.
- WhiteCobra Targets Developers with Malicious VSCode Marketplace Extensions
- WhiteCobra’s Malicious VSCode Extensions Pose Major Security Risk for Developers
Enterprise Platform Security: GitHub’s New Controls
GitHub made enterprise access controls using corporate proxies generally available, supporting compliance by routing traffic behind enterprise firewalls through customized headers, in response to last week’s calls for robust access management and registry controls. Centralized security contacts now coordinate incident alerts for large organizations. Delegated bypass for push protection allows admins to oversee secret exposures and approve exceptions through APIs, streamlining governance and incident response.
- Enterprise Access Restrictions with Corporate Proxies for GitHub Enterprise Cloud Now Available
- Security Contact Email Setting for Enterprise Incident Notifications
- Delegated Bypass Controls for Push Protection Now Available at the Enterprise Level
Preparing for the Quantum Era: Post-Quantum Secure SSH on GitHub
GitHub now defaults to post-quantum secure SSH key exchange for Git operations, using the hybrid sntrup761x25519-sha512 algorithm as of September 17, 2025. Compatible OpenSSH clients (9.0+) are automatically covered, helping protect source code against future quantum threats. The change builds on last week’s progress in encryption and source control safety.
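To confirm a workstation actually negotiates the hybrid key exchange described above, the following added example (not GitHub's own tooling) classifies `ssh -v` debug output and `ssh -Q kex` listings. The function names and sample lines are constructed, and it assumes the `debug1: kex: algorithm:` line format that OpenSSH clients print.

```shell
#!/bin/sh
# Constructed example: classify the key exchange an SSH session negotiated.
# OpenSSH 9.0 lists the hybrid algorithm under the vendor-suffixed name.
PQ_KEX='sntrup761x25519-sha512'

# is_pq_kex NAME: exit 0 if NAME is the hybrid algorithm (either spelling).
is_pq_kex() {
    case "$1" in
        "$PQ_KEX"|"${PQ_KEX}@openssh.com") return 0 ;;
        *) return 1 ;;
    esac
}

# client_offers_pq: reads `ssh -Q kex` output on stdin; exit 0 if listed.
client_offers_pq() {
    while IFS= read -r name; do
        is_pq_kex "$name" && return 0
    done
    return 1
}

# negotiated_kex: reads `ssh -v` output on stdin, prints the agreed algorithm.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: \(.*\)$/\1/p' | head -n 1
}

# classify_session: prints post-quantum, classical:<name>, or unknown.
classify_session() {
    kex=$(negotiated_kex)
    if [ -z "$kex" ]; then echo "unknown"
    elif is_pq_kex "$kex"; then echo "post-quantum"
    else echo "classical:$kex"
    fi
}

# Constructed sample debug output (not captured from a real session).
SAMPLE_PQ='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519'
SAMPLE_OLD='debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

printf '%s\n' "$SAMPLE_PQ" | classify_session
printf '%s\n' "$SAMPLE_OLD" | classify_session

# Live use (needs network access and an SSH client):
#   ssh -Q kex | client_offers_pq && echo "client can offer the hybrid kex"
#   ssh -v -T git@github.com 2>&1 | classify_session
```

A `classical:` result on a fleet machine usually points to a client older than 9.0 or a `KexAlgorithms` override in `ssh_config` that excludes the hybrid algorithm.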
Securing the Software Supply Chain and Open Source Dependencies
Shai-Hulud, an NPM worm, used typosquatting and replication to compromise Node.js/JavaScript packages, raising publisher and dependency risks. Best practices now include SBOMs, MFA, signed packages, version pinning, and consistent audits—reinforcing supply chain hygiene and earlier DevOps security topics.
Other Security News
Microsoft updates Purview tools for Fabric, with stricter data protection, DLP, insider risk management, assessment, and better cataloging—mirroring previous access control developments.
- Microsoft Purview Innovations for Fabric: Unifying Data Security and Governance for AI
Identity protection tips cover hybrid settings in Active Directory and cloud Entra ID, continuing last week’s advice on hybrid identity, backup, and recovery practices to address evolving risks.
- Protecting Identity in Active Directory & Microsoft Entra