Briefing · Friday, June 19, 2026

Good morning. It's Friday, June 19, and we're covering a sprawling GitHub malware campaign that evaded detection for over a year, enterprise authentication that just made MCP integrations seamless, and a tool that reveals what AI models "know" about you.
The GitHub malware thread hit 798 points as developers realized the attack vector was embarrassingly simple: clone real repos, add a malicious zip, and wait.
SECURITY

Security researcher Orchid Files documented a campaign where attackers cloned legitimate repositories and injected malicious zip archives into READMEs. The malware - identified as SmartLoader and StealC trojans - remained undetected because links passed VirusTotal scans even when the actual files did not.
The distribution method is what made this scale: attackers deleted and pushed new commits every few hours to appear in "recently updated" search results, added repos to popular GitHub tags, and preserved original commit histories to look legitimate. Some repos existed for over a year without removal.
The HN thread (798 points, 210 comments) surfaced a Disney engineering incident where a downloaded "AI generation tool" granted attackers access to the victim's 1Password vault. GitHub's response has been inconsistent - some malware repos were removed within 24 hours, others sat untouched for months after reports.
Why it matters: The attack exploits a trust assumption: if code is visible and reviewed, it must be safe. But the payload lives in binary downloads, not in the auditable source. This is the same class of supply chain risk that hit Mastra's npm packages earlier this month.
PLATFORMS
The Model Context Protocol community shipped Enterprise-Managed Authorization (EMA), a specification that eliminates per-app OAuth consent flows. When your company uses Okta, employees get automatic access to authorized MCP servers on first login - no popup consent screens, no personal account confusion.
The collaboration spans identity providers (Okta), clients (Anthropic across Claude, Claude Code, and Cowork; VS Code), and MCP servers (Asana, Atlassian, Canva, Figma, Granola, Linear, Slack, Supabase). The underlying mechanism uses ID-JAG (Identity Assertion JWT Authorization Grant), a new OAuth token format for cross-app access.
The HN discussion (198 points, 66 comments) noted that while the protocol is MCP-branded, the ID-JAG grant type works for any enterprise integration. Implementation details remain rough - Microsoft Entra ID lacks dynamic client registration support, requiring proxies to inject hardcoded client IDs.
Why it matters: This is the plumbing that makes AI assistants "just work" in enterprise environments. IT sets policies once, and MCP connections inherit them. The audit trail problem - knowing which AI accessed what data when - finally has a standards-based answer.
TOOLS
A new tool queries multiple AI models in parallel to determine how strongly they "recognize" your name. Enter your name, and it runs inference across frontier and smaller models, clustering responses to show where you appear in training data.
The HN thread (348 points, 199 comments) revealed the expected problems: confident hallucinations, misidentification as professional athletes, and fabricated biographical details. One commenter summarized it as "watching a really bad sight reader doing his act."
The tool exposes meaningful differences between models - some recognize names through GitHub contributions, others through academic papers - making training set variations visible. Early privacy issues (all searches appeared on a public leaderboard) were patched after community feedback.
Why it matters: The question of what personal information lives in model weights is moving from abstract to measurable. Tools like this shift the conversation from "models might know about you" to "here's exactly what they get wrong."
INFRASTRUCTURE
Ubiquiti announced an 8-core ARM Enterprise NAS with 16-drive capacity, dual 25 Gbps SFP28 ports, and ZFS - priced at $3,999 with no subscription.
The HN thread (343 points, 294 comments) split between ZFS enthusiasts praising the no-recurring-cost model and skeptics citing Ubiquiti's security history (AWS key exposures, camera feed access bugs) and software quality concerns (DHCP issues, firmware updates that "borked networks").
Technical questions remain: whether the ARM cores can saturate 25 Gbps under encryption, and whether spinning disk arrays would ever approach that bandwidth anyway. QNAP comparisons surfaced concerns about proprietary ZFS forks that lock pools to specific vendors.
Why it matters: Enterprise NAS without subscription fees is rare. If Ubiquiti's software quality improves, this could pressure the Synology/QNAP market. If it doesn't, the $4k price tag carries real risk.
WHAT ELSE IS HAPPENING
.git/info/exclude and global excludes remain underused for keeping local noise out of shared ignores.