On Monday May 18, we detected and contained a compromise of an employee device involving a poisoned VS Code extension published by a third party. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.

We have no evidence of impact to customer information stored outside of GitHub’s internal repositories, such as our customer’s own enterprises, organizations, and repositories. Some of GitHub’s internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels.

We moved quickly to reduce risk. We rotated critical secrets Monday and into Tuesday with the highest-impact credentials prioritized first.

We continue to analyze logs, validate secret rotation, and monitor our infrastructure for any follow-on activity. We will take additional action as the investigation warrants.

We will publish a fuller report once the investigation is complete.

The post Investigating unauthorized access to GitHub’s internal repositories appeared first on The GitHub Blog.

Windows Insider Program

• Release Preview channel updates (including 26H1 for the first time? - A preview of the June Patch Tuesday updates - Shared audio, NPU usage in
• Task Manager, multi-app camera support, Magnifier improvements.
• Taskbar updates come to Insiders! Also in Canary, weʼre throwing them a bone this time.

Enshittification remedies all around

• Microsoft just held a WinHEC for the first time since 2018 and thereʼs a new Windows Driver Initiative!
• Microsoft will soon let us remap Copilot key to Right Ctrl, which is what it was in the first place.
• A Linux privacy nut YouTuber confuses privacy and security and doesnʼt understand Windows 11 so...
• ... Paul wrote a complete guide to the local account de-Microsoft experience in Windows 11
• Microsoft Edge will stop loading all passwords into clear text on startup like a big boy browser.

Hardware

• Paul came home to an ASUS Zenbook A16 and ohmygodohmygodohmygod

Surface

• Microsoft finally revs Surface Laptop and Surface Pro for Business, with Intel chips and VERY high prices.
• Snapdragon X2 variants in late 2026 because of supply issues wa-waa-waaaaa.

AI

• MDASH is Microsoftʼs answer to Anthropic Mythos, in-house only.
• Elon Musk and Sam Altman are both terrible but a jury decided against Muskʼs frivolous lawsuit.
• OpenAI and Apple might head to court over Siri promises
• OpenAI Codex is on mobile via the ChatGPT app
• Google unleashes an AI tsunami at Google IO this week. A few relevant takeaways:
• Overview of the major announcements
  • Google advances Android as a developer platform
  • Chrome is turning into a proactive assistant
  • Google AI subscriptions are an incredible value
  • Related: The Gemini Intelligence feature for Googlebooks and more has steep hardware requirements - 12 GB of RAM, flagship SoC So Pixel 10 series/Galaxy S26 series and newer only etc.
• Just a reminder that Microsoft makes a Linux distribution ... for Azure specifically
• More dev
  • WWDC schedule is up for June 8 opening day
  • Build 2026 kicks off June 2 in SFO
  • After another boring .NET 11 preview release, we finally get our first look at a major change: MAUI is switching from the Mono runtime to the CoreCLR runtime.
  • And we should pause for a moment to remember S "Soma" Somasegar, who sadly passed away this week.

Xbox and Gaming

• Next Xbox Elite controller leaks and it is glorious
  • Related: An Xbox Cloud-Connected controller leaks too and it is less than glorious.
• Forza Horizon 6 is here, and itʼs on Game Pass on Day One.
  • Be sure to read Laurentʼs detailed review.
• Haters gonna keep hating: Fans want Xbox exclusives because their heads are still in the sand.
  • Sony is allegedly returning to this model for single player experiences
  • Related: Sony raises prices on PS Plus
• Fortnite comes back to the Apple App Store worldwide *excluding Australia for some reason.

Tips and Picks

• Tip of the week: Google AI Studio.
• Vibe-code your next app with this incredible free tool.
• Related: A look at Markdown editors.

App pick of the week: DeskScapes 2026

• Stardock DeskScapes 2026 is normally $9.99 but it will cost just $6.99 during the launch period.
• Also: Firefox 151 is a big update on desktop and mobile, the latter gets the AI kill switch
• RunAs Radio this week: UEFI Secure Boot with Richard Hicks
• Brown liquor pick of the week: Daftmill Winter Batch Release

These show notes have been truncated due to length. For the full show notes, visit https://twit.tv/shows/windows-weekly/episodes/984

Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell

Sponsors:

• outsystems.com/twit
• trustedtech.team/windowsweekly365
• zscaler.com/security

In this episode, Rob Moffat, author of Risk-First Software Development and chief technical architect at the FinTech Open Source Software Foundation (FINOS), speaks with host Brijesh Ammanath about how all of software development is actually risk management. Rob introduces the concept of 'risk-first software development,' which sits in the context of existing methodologies like scrum and kanban. Showcasing multiple real-world project patterns to illustrate how things can go wrong when risk is ignored, he makes the case for why risk should be the primary lens behind every development decision, from architecture to prioritization. Through various examples, he shows how every developer action can be viewed as a risk trade-off and why making that explicit can lead to better outcomes. The conversation takes a deep dive into the risk-first framework and how teams can apply it in their existing processes.

This was another live audience recording, hosted once again at the DDD South West conference in Bristol (UK) - two years on from the first live panel we recorded there. I was joined by a panel of speakers, and this time the conversation focused specifically on what AI means for software developers. After introductions, we dug into whether AI is going to take our jobs, how much code we actually still hand-write, whether (and how) we review every line of AI-generated code, what's going to happen to programming languages, and what advice the panel had for developers just starting out.

For a full list of show notes, or to add comments, please see the website here

Scott talks with Aran Khanna, co-founder and CEO of Archera, about a new category of cloud financial tooling: "Insured Commitments." Instead of locking into 1- or 3-year reserved instance contracts and hoping your usage matches, Archera offers commitments as short as 30 days. They get into the economics of cloud purchasing, how AI workloads are changing capacity planning, and what FinOps looks like in 2026.

http://archera.ai