Pythagora-Io/GPT-Pilot Compromised Credential Stealer Blocked by Python Linter

Submitted by kurmiashish

🚨 Security Alert: Main branch compromised with Shai-Hulud credential stealer via force-push · Issue #1182 · Pythagora-io/gpt-pilot · GitHub


Status: Open · Label: bug

Opened by ashishkurmi on Jun 8, 2026

On June 8, 2026 at 11:01 UTC, the LeonOstrez GitHub account (a Pythagora co-founder) was compromised and used to force-push a credential-stealing payload to the main branch. The repository had no branch protection rules configured on main, which allowed the force-push without review or approval.

The attacker injected three files into core/telemetry/: _hooks.py (Python loader), _runtime.bin (758KB obfuscated JavaScript credential stealer), and modified __init__.py to trigger the malware on module import via a daemon thread. The malicious commit was backdated to August 24, 2025 to blend into the repository history.

The payload is a variant of the Shai-Hulud malware family (attributed to TeamPCP/UNC6780), which has compromised repositories maintained by Microsoft, Red Hat, and Mistral AI in 2026. It targets AWS keys, npm tokens, GitHub secrets, Kubernetes service accounts, HashiCorp Vault tokens, and SSH keys. It uses GitHub commit messages as a C2 channel and plants persistence hooks in Claude Code and VS Code.

The attacker attempted two force-pushes. Both were blocked by ruff in CI due to formatting and lint violations in the injected code.

Recommended Immediate Actions

Rotate all credentials for the LeonOstrez account and audit account access logs

Enable branch protection rules on main (require PR reviews, disallow force-pushes)

Verify the current main branch matches the clean pre-attack HEAD (53154df1c66b)

Any developer who cloned or pulled between 11:01 UTC and the revert should check for:

core/telemetry/_hooks.py

core/telemetry/_runtime.bin

/tmp/rt-* directories

.loader.lock files

Persistence hooks in .claude/settings.json and .vscode/tasks.json

Indicators of Compromise

File          Algorithm  Hash
_runtime.bin  SHA256     c96f37e1b9cdc9683a300909492ed9f770b620d0037e5b80e23753cba7ca4077
_runtime.bin  MD5        7090625f760b831d607c9a38cfc58c4b
_hooks.py     SHA256     51b4dd39a15af1e28e97adc375849d688423ec3d88e8010644395fcdea52a3cc
_hooks.py     MD5        a722b89f887f226672d0ee4f708794f8

Key Commits:

Malicious "Revert" commit: 065ee8ebee7385cb644fd1608587a18edb91f4fb

Clean "Revert" commit (legitimate): 566fbb120bc436385aa5a4cb93d7c351dec2127e

Pre-attack HEAD (clean): 53154df1c66b42021f230c3fb6ef797c4b7c3e83

C2 Indicators:

C2 marker: thebeautifulsnadsoftime

Exfiltration identity: claude@users.noreply.github.com

Russian locale check: exits if system locale includes "ru"

📖 Full technical analysis: https://www.stepsecurity.io/blog/pythagora-io-gpt-pilot-compromised-on-github-shai-hulud-credential-stealer-blocked-by-python-linter
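The post-pull check the issue recommends for anyone who fetched during the attack window, written out as an added example (this is not code from the issue or from the gpt-pilot project). It walks a working tree for the two named paths, compares every file's SHA-256 against the hashes published above, looks for .loader.lock files and /tmp/rt-* directories, and flags the two persistence-target files for manual review rather than treating their presence as proof. Searching file contents for the C2 marker and exfiltration identity strings is this script's own heuristic, an assumption the issue does not prescribe; the function and parameter names (scan_tree, ioc_hashes, tmp_dir) are likewise the example's own.

```python
"""Check a gpt-pilot clone for the indicators listed in issue #1182."""
import hashlib
import os
import sys
from pathlib import Path

# Paths and hashes are copied from the issue's IoC section.
IOC_PATHS = ("core/telemetry/_hooks.py", "core/telemetry/_runtime.bin")
IOC_SHA256 = {
    "c96f37e1b9cdc9683a300909492ed9f770b620d0037e5b80e23753cba7ca4077": "_runtime.bin",
    "51b4dd39a15af1e28e97adc375849d688423ec3d88e8010644395fcdea52a3cc": "_hooks.py",
}
# Named as persistence targets in the issue. Their mere presence is normal in
# many repos, so they are reported for review rather than as compromise.
PERSISTENCE_FILES = (".claude/settings.json", ".vscode/tasks.json")
# C2 marker and exfiltration identity from the issue. Grepping file contents
# for them is this script's heuristic (assumption), not a check the issue lists.
C2_STRINGS = (b"thebeautifulsnadsoftime", b"claude@users.noreply.github.com")
CONTENT_SCAN_LIMIT = 16 * 1024 * 1024  # skip the substring search above this size


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large blobs are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, ioc_hashes=IOC_SHA256, tmp_dir="/tmp"):
    """Return (kind, path, detail) findings for one working tree.

    kind is one of: ioc_path, ioc_hash, c2_string (strong signals) or
    review (a persistence target exists and should be inspected by hand).
    """
    root = Path(root)
    findings = []

    for rel in IOC_PATHS:
        if (root / rel).exists():
            findings.append(("ioc_path", rel, "dropped file present"))

    for rel in PERSISTENCE_FILES:
        if (root / rel).exists():
            findings.append(("review", rel, "persistence target exists; inspect its hooks"))

    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # packed objects are not plain files
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == ".loader.lock":
                findings.append(("ioc_path", rel, "loader lock file"))
            try:
                digest = sha256_of(path)
                size = path.stat().st_size
                data = path.read_bytes() if size <= CONTENT_SCAN_LIMIT else b""
            except OSError:
                continue  # unreadable or vanished; not a finding by itself
            if digest in ioc_hashes:
                findings.append(("ioc_hash", rel, f"sha256 matches {ioc_hashes[digest]}"))
            for marker in C2_STRINGS:
                if marker in data:
                    findings.append(("c2_string", rel, marker.decode()))

    tmp = Path(tmp_dir)
    if tmp.is_dir():
        for entry in tmp.glob("rt-*"):
            if entry.is_dir():
                findings.append(("ioc_path", str(entry), "rt-* staging directory"))

    return findings


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, path, detail in hits:
        print(f"{kind:<10} {path}  ({detail})")
    # Exit 2 on any strong indicator so this can gate a CI job or a fleet sweep.
    sys.exit(2 if any(kind != "review" for kind, _, _ in hits) else 0)
```

Run it as `python scan_iocs.py /path/to/clone` from outside the tree being scanned (the script itself contains the marker strings and would otherwise flag itself). The hash matches are the strong signal; a path hit on core/telemetry/_hooks.py with a non-matching hash, or a review hit on .vscode/tasks.json, still needs a human to read the file. A re-obfuscated build of _runtime.bin would not match the published SHA-256, which is why the path and marker checks are kept alongside it. Confirming that the clone's HEAD is the clean commit 53154df1c66b is a separate `git rev-parse HEAD` step the script does not perform.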
