solrith·hace 7 meses·discussOn the follow up Wiz blog they suggested that the exfiltration was cross-victim https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-sup...
solrith·hace 7 meses·discussThe Torvalds commits were a common post infection signature, common in the random repos that published secrets (Microsoft documented https://www.microsoft.com/en-us/security/blog/2025/12/09/sha...)It was a really noisy worm though, and it looked like a few actors also jumped on the exposed credentials making private repos public and modifying readmes promoting a startup/discord.
solrith·hace 9 meses·discussBridge/Blend was cool shame it was restricted to Playbooks and desktop software. Slipstream had some pretty solid ideas.