·16 min·Alex Werner

The State of Software Security: H1 2026

It is the end of June, so it is time to take stock. We maintain a threat feed and a library of post-mortemed breaches, and the first half of 2026 was not quiet. It was the half where several long-building trends stopped being predictions and became Tuesday.

Here is the short version. The software supply chain turned into a worm farm. AI both wrote a record amount of insecure code and found a record number of real bugs. The pipeline that scores the world's vulnerabilities broke under its own volume while attackers got faster than anyone's patch cycle. Secrets kept leaking, now mostly from machines and AI tools. And in crypto, two heists by one country accounted for three-quarters of the money stolen all year.

This is the long version: what happened, the numbers that matter, and what we think you should actually take from it. It is written for humans first - if you are a journalist, a builder, or just someone who wants the real shape of the half without the vendor spin, this is the map.

The half in numbers

  • 454,648 new malicious open-source packages in 2025, up 75% year over year - the backdrop to a record half (Sonatype).
  • The first npm worms to ship malware with valid SLSA provenance, by stealing CI tokens. Signed no longer means safe.
  • 45% of AI-generated code samples shipped with a vulnerability (Veracode).
  • 21,000+ CVEs in six months, on pace to break 2025's record - while the NVD stopped scoring older ones.
  • Exploitation now runs a median of 7 days ahead of public disclosure (Mandiant), and vulnerability exploitation became the number-one way into a breach for the first time in 19 years (Verizon DBIR).
  • 28.65 million secrets leaked to public GitHub in 2025 (+34%); Claude Code commits leak them at roughly twice the human rate (GitGuardian).
  • North Korea took about $577 million in two heists - 76% of all crypto stolen in 2026 (TRM Labs).

1. The software supply chain became a worm farm

If H1 2026 has a single headline, this is it. The open-source supply chain stopped being a place where someone occasionally slips a malicious package past review, and became a place where malware replicates on its own.

The numbers set the stage. Sonatype counted 454,648 new malicious open-source packages in 2025, up 75% year over year, against 9.8 trillion package downloads (itself up 67%). ReversingLabs measured a 73% jump in malicious-package detections, with npm accounting for roughly 90% of it. These are not apples-to-apples comparisons - each vendor measures through its own telescope - but every telescope points the same way: up and to the right, steeply.

What changed in 2026 is the mechanism. The "Shai-Hulud" worm that first appeared on npm in late 2025 - steal a maintainer's token, enumerate all their packages, inject a malicious install hook, republish, repeat - matured into a whole lineage. Its November 2025 sequel hit 796 npm packages across 1,092 versions and spawned 25,000+ malicious GitHub repos. Then, in May 2026, the worm's source code was published openly, and the copycats arrived.

A few that defined the half:

  • axios (March 31). A North-Korea-nexus actor (Microsoft calls it Sapphire Sleet; Google's Mandiant calls it UNC1069) socially engineered the lead maintainer of axios - a package with over 100 million weekly downloads - through a fake Microsoft Teams call and a staged "your client is out of date" prompt that installed a remote-access trojan. The attacker then published two trojanized releases that pulled in a phantom dependency, plain-crypto-js, whose only job was a postinstall hook dropping a cross-platform RAT. The malicious window was about three hours. On a 100M-download package, three hours is plenty.
  • Red Hat "Miasma" (June 1). Attackers compromised a Red Hat employee's GitHub account - the credentials had been sitting in commercial infostealer logs for roughly seven weeks - and used it to ship 32 @redhat-cloud-services packages carrying valid SLSA provenance. The payload swept GCP, Azure, AWS, Kubernetes service-account tokens and HashiCorp Vault, hooked into Claude Code, Codex, Gemini and Copilot configs, and carried a dead-man switch that wipes the victim's home directory if the stolen token is revoked.
  • Megalodon (May 18). In a single six-hour window, an attacker backdoored the GitHub Actions workflows of 5,561 repositories to exfiltrate CI secrets.

The scary new primitive worth understanding, because it changes how you reason about trust: OIDC trusted-publishing abuse. Trusted publishing was supposed to be the fix - it removes long-lived tokens from CI and signs releases with short-lived, attested identity. But by stealing the OIDC token out of a CI runner's memory (the worms read /proc/<pid>/mem to grab anything marked "isSecret":true, which neatly defeats log masking), the attackers publish their malware through the legitimate trusted-publishing path. The TanStack compromise in May was the first documented worm to ship npm packages with valid SLSA Build L3 provenance. The @antv wave did it across 323 packages in about an hour. Red Hat's Miasma did it with a vendor's own name on the box.

The lesson is uncomfortable and it is the most important technical shift of the half: a valid signature and a green provenance badge no longer mean a package is safe. They mean it came through the expected door. The expected door is now part of the attack surface.
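One way to check behavior rather than the badge, as an added example that is not from the original article or from any vendor it cites: the Python below compares two npm lockfiles and reports packages whose install-script exposure changed, which is how a phantom dependency like the one in the axios item would surface in review. The lockfiles, package names and versions are constructed; hasInstallScript is the field npm records in package-lock.json.

```python
import json

# Constructed lockfiles in npm's lockfileVersion 3 layout; names and versions are made up.
OLD_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"http-client-lib": "^1.4.0"}},
    "node_modules/http-client-lib": {"version": "1.4.0"},
    "node_modules/native-addon": {"version": "2.0.1", "hasInstallScript": true}
  }
}""")
NEW_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"http-client-lib": "^1.4.0"}},
    "node_modules/http-client-lib": {"version": "1.4.1",
                                     "dependencies": {"phantom-helper": "^4.2.1"}},
    "node_modules/phantom-helper": {"version": "4.2.1", "hasInstallScript": true},
    "node_modules/native-addon": {"version": "2.0.1", "hasInstallScript": true}
  }
}""")


def package_index(lock):
    """Map install path -> (version, has_install_script), skipping the root project."""
    return {
        path: (meta.get("version"), bool(meta.get("hasInstallScript")))
        for path, meta in lock.get("packages", {}).items()
        if path  # the empty key "" is the root project itself
    }


def review_lock_change(old_lock, new_lock):
    """Return (name, version, reason) for packages whose install-script exposure changed."""
    old, new = package_index(old_lock), package_index(new_lock)
    findings = []
    for path, (version, has_script) in sorted(new.items()):
        if not has_script:
            continue
        # Works for nested and scoped paths: keep what follows the last node_modules/.
        name = path.split("node_modules/")[-1]
        if path not in old:
            findings.append((name, version, "new package with install script"))
        elif not old[path][1]:
            findings.append((name, version, "install script added in update"))
        elif old[path][0] != version:
            findings.append((name, version, "version changed, install script present"))
    return findings


if __name__ == "__main__":
    for name, version, reason in review_lock_change(OLD_LOCK, NEW_LOCK):
        print(f"REVIEW {name}@{version}: {reason}")
```
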

It was not only npm. The same playbook hit PyPI (the "Hades" wave, geo-targeted wipers in Microsoft's own durabletask), Docker Hub (Checkmarx's own KICS images were overwritten with credential stealers), VS Code and OpenVSX (GlassWorm, the first self-propagating editor extension worm, hiding code in invisible Unicode and pulling its command-and-control from the Solana blockchain), RubyGems (which suspended new signups entirely after a flood), and even the Arch Linux AUR. Our case studies cover the canon of supply-chain attacks this lineage descends from - event-stream, xz/liblzma, SolarWinds - and the through-line is the same: you do not have to be the target to be a victim.

2. AI is now writing the vulnerabilities - and finding them

Two things became undeniable in H1 2026, and they pull in opposite directions.

AI writes insecure code, at scale. Veracode's GenAI study found that 45% of AI-generated code samples contained a vulnerability, and that newer, larger models were not measurably safer than older ones. Cross-site scripting failed 86% of the time; log injection 88%. Apiiro tracked AI-assisted code introducing 10,000+ new security findings a month by mid-2025, a tenfold rise, and AI-assisted developers exposing cloud credentials at roughly twice the baseline rate. Endor Labs found that 80% of AI-suggested dependencies carry some risk, and about a third of them are pure hallucinations - package names the model invented that do not exist.

That last point is its own attack class now: slopsquatting. Because models hallucinate the same fake package names reproducibly, attackers pre-register them. One 2026 study found 127 package names that five different frontier models all invent identically; 53 were still registrable. An AI agent that runs npm install on a hallucinated name fetches whatever the attacker put there, before a human ever reads the diff. We wrote the vibe coder's security checklist about exactly this gap: the guardrails that used to catch insecure code were people, and the agent removed them from the loop.

AI also finds real bugs, at scale. Anthropic's Frontier Red Team turned a model loose on 1,000+ open-source projects and surfaced 23,019 issues, 6,202 of them high or critical, with over 99% still unpatched at publication. It autonomously discovered and exploited a 17-year-old unauthenticated root remote-code-execution bug in FreeBSD's NFS implementation. XBOW, an autonomous AI pentester, hit #1 on HackerOne's US leaderboard and filed roughly 1,060 vulnerabilities in 90 days. Whatever you believe about the hype, the capability is real and it is asymmetric: defenders and attackers both got a vulnerability-finding machine this year.

And there is a third, dumber consequence: AI noise is drowning the people who used to find bugs by hand. The curl project ended its HackerOne bounty program in February after AI-generated slop reached about 20% of submissions while genuine findings fell below 5%. HackerOne's overall valid-submission rate dropped from around 15% to under 5%. The signal is still there. It is just buried.

3. The CVE landscape: more holes, less triage, faster exploitation

More than 21,000 CVEs were published in the first half of 2026, on pace to break 2025's record of 48,185 (itself up 21%). The FIRST forecast puts the full-year median near 59,000 and says 70,000 to 100,000 is "entirely possible."

Here is the problem hiding inside that growth. In April, NIST quietly gave up trying to keep up. The National Vulnerability Database stopped enriching CVEs published before March 1, 2026 - it will now only fully analyze a vulnerability if it is in CISA's Known Exploited list, runs in federal software, or counts as "critical software." At the peak of the backlog, more than 93% of new CVEs sat unanalyzed. The single most-used source of "how bad is this CVE" data, for most of the world's tooling, is now structurally behind. If your security depends on someone else scoring your vulnerabilities for you, that someone has left the building.

Meanwhile, exploitation got faster than patching. Mandiant's M-Trends 2026 reports that the time-to-exploit metric has gone negative: attackers are now hitting vulnerabilities a median of seven days before they are publicly disclosed, and the hand-off from initial access to the next stage is down to 22 seconds (it was over eight hours in 2022). For the first time in the 19-year history of Verizon's Data Breach Investigations Report, vulnerability exploitation (31%) overtook stolen credentials as the number-one way in. Google's threat group counted 90 zero-days exploited in the wild in 2025, nearly half of them against enterprise gear - edge devices, VPNs, firewalls - which remain the single most-attacked category, and exactly the boxes nobody patches on time.

The half's signature mass-exploitation event was CVE-2026-41940, a cPanel and WHM authentication bypass (CVSS 9.8) that let a CRLF injection forge a root session and skip both password and 2FA. It was exploited in the wild from around February 23, a true zero-day for about two months before the late-April patch, against an estimated 1.5 million internet-facing instances. June's Patch Tuesday, with 200 CVEs and six zero-days, was the largest in the program's history.

4. Secrets are everywhere, and most of them are machines

GitGuardian found 28.65 million new hardcoded secrets pushed to public GitHub in 2025, up 34% - the biggest single-year jump on record - and 64% of the secrets it flagged back in 2022 are still valid today. The fastest-growing leak categories are almost all tied to AI services: leaked AI-service secrets jumped 81% to over 1.27 million, including 113,000 DeepSeek keys. And the most quotable stat of the half: commits co-authored by Claude Code leak secrets at about 3.2%, roughly twice the human baseline. The tool that writes your code is also, statistically, more likely to commit your keys.

Underneath that is a shift in who your identities even belong to. By CyberArk's count, machine identities now outnumber humans 82 to 1, 42% of them hold privileged access, and 88% of organizations still define "privileged user" as a human being. You cannot protect what your mental model does not include.

5. Crypto: one country, two heists, three-quarters of the money

If you want the cleanest illustration of how concentrated this game has become, look at crypto. According to TRM Labs, two attacks accounted for 76% of all crypto-hack value in 2026 - and both were North Korea.

  • Drift Protocol (April 1): roughly $285 million. Multisig signers were socially engineered, then the attacker abused Solana durable nonces.
  • KelpDAO / LayerZero (April 18): roughly $290 million. Poisoned RPC nodes funneled into a single-verifier bridge flaw. TRM and the FBI-aligned cluster attribute it to TraderTraitor, the Lazarus sub-group.

Combined, that is about $577 million from two incidents that made up only 3% of the year's hack count. DPRK's all-time crypto theft now sits above $6 billion. And note the overlap with section 1: the same North Korean apparatus that drains bridges also compromised axios. Crypto theft and supply-chain attacks are not separate beats anymore; they are the same actors with different tools. The lesson for everyone else: the money is moving toward a small number of extremely capable, state-backed crews, and they are equally happy to take it from a DeFi bridge or from your node_modules.

6. The incidents that defined the half

A few more that belong in the record, beyond the supply chain:

  • Salt Typhoon (China) is, per the FBI, "still very much ongoing" inside 200+ organizations across 80 countries - AT&T, Verizon, T-Mobile, Lumen and more - sitting on call records, texts, and the audio of senior US officials, reached through edge Cisco routers.
  • The Stryker wiper (March 11) was not ransomware at all: an Iran-nexus actor used one stolen Microsoft Intune admin credential to issue a mass remote-wipe of roughly 200,000 devices across 79 countries. No malware. Just a privileged credential and a management console doing exactly what it was built to do.
  • ShinyHunters / "Scattered LAPSUS$ Hunters" ran a year-long extortion campaign through misconfigured Salesforce portals and OAuth-token abuse, with claims into the billions of records; the Instructure/Canvas exposure alone touched an estimated 275 million people.
  • Ransomware kept climbing despite takedowns - 400+ claimed victims in Q1 alone, a nine-day EHR outage at a Mississippi medical center - even as law enforcement seized the FirstVPN service used by at least 25 ransomware gangs and deanonymized its users.

What we can learn from the first half of 2026

Strip away the individual stories and the half teaches a handful of durable things. If you only keep one section, keep this one.

  1. Provenance is not safety. Signed, attested, "trusted-published" packages shipped malware this year through the legitimate path. A signature proves origin, not intent. Verify behavior - install hooks, network calls, what a dependency actually does - not just the badge on the box.

  2. Your build pipeline is production. Every marquee supply-chain attack ran through CI: stolen runner memory, poisoned caches, mutable action tags. Pin GitHub Actions to full commit SHAs, not tags. Treat the CI runner as a machine that holds every secret you own, because it does.

  3. Speed is the whole game now. Attackers exploit a median of seven days before disclosure and pivot in 22 seconds; the database meant to score vulnerabilities is months behind. You cannot win that race by waiting for someone else to tell you a CVE is bad. You win it by knowing what is in your code and whether the vulnerable path is even reachable - before the patch, not after.

  4. AI is a co-author; treat it like a junior. It writes vulnerable code about half the time, hallucinates dependencies a third of the time, and leaks secrets at twice the human rate. None of that means stop using it. It means the review that a senior used to do still has to happen - now on the machine's output, automatically, on every change.

  5. The controls work; adoption is the gap. The one genuinely good-news number of the half: PyPI malware fell 43% and NuGet 60% year over year, after both made 2FA and trusted publishing mandatory. The playbook to shrink this exists. Only about 14% of previously-compromised npm packages have adopted it. The hard part was never knowing what to do.

  6. You do not have to be the target to be the victim. axios, Red Hat, the 5,561 repos in Megalodon - almost no one in those blast radii was singled out. They consumed something that consumed something that got compromised. In 2026, your attack surface is everyone you depend on, transitively, all the way down.

That last one is the reason we built Stateward. Every incident above is a lesson someone learned the hard way and post-mortemed in public; we keep that library current and check your code and dependencies against it on every pull request - reachability first, so you hear about the vulnerable path that actually touches your code, not the 200 that do not. The first half of 2026 made the case better than we could: the gap between "a vulnerability exists somewhere in your supply chain" and "it reaches you" is the only gap that matters, and it is closing fast.

We will do this again at the end of the year. On current trajectory, there will be plenty to write about.

Frequently asked questions

What were the biggest cybersecurity stories of the first half of 2026?

The defining story was the software supply chain turning into self-replicating worms (the Shai-Hulud lineage) that ship malware with valid signatures by abusing OIDC trusted-publishing, hitting axios, Red Hat, and 5,561 repositories in the Megalodon campaign. Alongside it: AI writing insecure code at scale, the NVD falling months behind on CVE analysis, exploitation outrunning patching, and North Korea dominating crypto theft.

How much cryptocurrency was stolen in 2026?

According to TRM Labs, North Korea alone took roughly $577 million across just two heists - Drift Protocol (about $285M on April 1) and KelpDAO / LayerZero (about $290M on April 18) - which was around 76% of all crypto-hack value in 2026, from only 3% of the incidents. DPRK's all-time crypto theft is now above $6 billion.

What was the biggest software supply-chain attack of 2026?

There was no single one; the story is the Shai-Hulud worm lineage and its copycats abusing OIDC trusted-publishing to ship signed malware. The marquee events were the axios compromise (over 100 million weekly downloads, attributed to North Korea), Red Hat's "Miasma" (32 signed @redhat-cloud-services packages), and Megalodon (5,561 GitHub repositories backdoored in a six-hour window).

How many CVEs were published in 2026?

More than 21,000 in the first half alone, on pace to break 2025's record of 48,185 (the FIRST forecast puts the full-year median near 59,000). In April, NIST's National Vulnerability Database stopped enriching CVEs published before March 2026, leaving most security tooling working from a growing backlog.

Is AI-generated code secure?

Largely not. Veracode found 45% of AI-generated code samples contained a vulnerability, with no improvement from newer or larger models. AI also hallucinates non-existent dependencies about a third of the time (enabling "slopsquatting") and commits secrets at roughly twice the human rate.

What is OIDC trusted-publishing abuse?

Trusted publishing signs package releases with short-lived, attested CI identity instead of long-lived tokens, which is a security improvement. In 2026, attackers stole that identity token out of CI runner memory and published their malware through the legitimate path, so it carried valid signatures and SLSA provenance. The lesson: a valid signature proves origin, not safety.

Figures in this report are drawn from the H1 2026 research and reporting of Sonatype, ReversingLabs, JFrog, Endor Labs, GitGuardian, Mandiant (M-Trends 2026), Verizon (DBIR 2026), Google GTIG, CrowdStrike, CyberArk, TRM Labs, Veracode, Anthropic, CISA, and the security vendors and researchers who disclosed the incidents described. Vendor totals measure different things and are not directly comparable; where a figure is contested we have said so or rounded conservatively.
