🚨 GitHub RCE Exposed & North Korea Weaponizes AI Against Devs

Two major security stories broke this week that every developer and security team needs to know about. From a critical GitHub vulnerability to AI-powered nation-state attacks, here's what happened.

Critical GitHub RCE Could Have Compromised Millions of Repos

Security researchers at Wiz discovered CVE-2026-3854, a critical remote code execution vulnerability in GitHub's infrastructure with a CVSS score of 8.7. The flaw allowed any authenticated user to execute arbitrary code on GitHub.com's shared storage nodes—systems that host millions of cross-tenant repositories. By chaining header injection attacks through GitHub's internal git pipeline, attackers could bypass security sandboxes and gain full control.

The good news? GitHub patched GitHub.com within 6 hours of disclosure. The bad news? A staggering 88% of GitHub Enterprise Server instances remain vulnerable. If your organization runs GHES, you need to upgrade immediately to versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, or 3.19.3. This isn't just a theoretical risk—it's a code execution vulnerability on one of the world's most critical software platforms.

Read more about the GitHub RCE

North Korea Is Using AI to Industrialize Cyberattacks on Developers

In what security firm Expel calls a "vibe-coded" threat campaign, North Korean hackers are now using ChatGPT and AI coding assistants to mass-produce sophisticated attacks targeting Web3 developers. The operation, tracked as HexagonalRodent, posed as recruiters and sent backdoored coding assessments that automatically execute malware when developers open them in VSCode.

The scale is alarming: in Q1 2026 alone, these AI-enhanced attacks compromised 2,726 developer systems and exfiltrated 26,584 cryptocurrency wallets worth up to $12 million. The malware blends seamlessly into legitimate developer workflows, using Node.js and Python interpreters that security tools struggle to inspect. Even more concerning, the attackers are using AI to generate convincing front-company websites and job postings, making the scams nearly indistinguishable from real opportunities.

If you're a developer—especially in the crypto space—never run take-home coding assessments outside of a disposable VM, disable VSCode's auto-run tasks, and use hardware security tokens for your wallets.

Read more about the North Korea AI attacks

Stay ahead of threats with GOCO Security at gocosecurity.com