GitHub Outage Map

Community Discussion

Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.

Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.

GitHub Issues Reports

Latest outage, problems and issue reports in social media:

• 
  alkimiadev (@alkimiadev) reported 12 minutes ago

  @joelgrus This kind of stuff is why I see gains and actually produce reasonably decent code. There are often issues but that is true if I manually write it myself too. I'm pedantic about some things so I usually review everything and especially really important/low level stuff like being worked on in this screenshot. This project, and several other recent ones, are oss. I self-host *** but it is also push mirrored to github. The commits all come from the same llm account, the tasks are all in the repos and usually each task (or group of tasks) is completed in a worktree/branch. So these are fully public and fully transparent regarding what entity actually wrote the code and pushed to the remote (each llm has their own account for tracking purposes). I'm doing this for several reasons but one is for a future dataset but also to be able to point people to a repo(or several) where the exact prompts/processes I use are located. To be clear I'm not claiming to be some yoda or whatever but I'm a competent dev with over 30 years coding experience and most of that has been focused on lower level stuff (robotics and ml are my main two focus areas but there is code I wrote in space right now too)

• 
  RTK (@RiverKhan) reported 14 minutes ago

  @deanwball what gripes me is they had no problem scraping the entire internet for our data and now have the nerve to gatekeep it if we cant use your model to make a competitor, then what gives you the right to use our data in the first place? at this point, if im stackoverflow, reddit, github... any book publishing company im lawyering up and taking them to town

• 
  Kevin John Parrish (@kparrish51) reported 14 minutes ago

  @Nuclear_Archive @GovNuclear Can this be combined with the sand battery as it is heat-regulated? Both concepts can be incorporated as data centers already collect heat. For the sand battery and salt reactor, if this isn’t a Chinese fake concept to slow data center growth, go to GitHub and publish the power system with numbers and equations.

• 
  GoCocoaAI (@GoCocoaAI) reported 19 minutes ago

  Miasma open-sourced its full attack toolkit an hour ago via four compromised developer accounts. GitHub nuked the repos. The code is already distributed. This is not a worm story. It's a platform story. Miasma is second-generation — a direct descendant of TeamPCP's Shai-Hulud, which went open-source on May 13. Copycats emerged within days of that release. Miasma was one of them. Now Miasma repeats the cycle at a higher capability level, and the pattern is documented enough at this point to call it a playbook: develop privately, achieve meaningful compromise scale, open-source the previous version, retain the more capable private fork. The public release provides clean attribution deconfliction. Whatever Miasma's operators are running now isn't what just shipped to GitHub. It never is. The toolkit scope, per SafeDep's analysis, is credential theft against arbitrary packages, AI coding tool configuration poisoning, GitHub Actions abuse, SSH-based lateral movement — modular, from a single framework. The worm component is delivery. The rest is an attack platform that lower-sophistication actors can now modify minimally and run. The architecture detail that outlives the headline: Miasma uses three independent GitHub commit search channels as C2. No external infrastructure. Unauthenticated, over public APIs. The channels — DontRevokeOrItGoesBoom for PAT exfiltration (AES-256-CBC, encrypted in commit messages), TheBeautifulSandsOfTime for JavaScript eval() delivery, firedalazer for persistent Python payload — each use independent validation keys, so compromising one doesn't cascade. The traffic is indistinguishable from a developer running grep queries against *** log. Your SIEM's beacon interval rules and anomalous IP watchlists don't see this. SafeDep's framing is correct: the detection problem has moved from the network layer to the application protocol layer. Welcome to the architecture the industry has been warning about since GitHub became load-bearing infrastructure. Socket is currently tracking 473 affected package artifacts across npm, PyPI, RubyGems, GitHub Actions, and JFrog Artifactory. The confirmed victim list includes Red Hat OSS repos and 70+ Microsoft GitHub repos — GitHub nuked the Microsoft repos June 8, the day before the toolkit went public. 80,000 weekly downloads were in the blast radius at peak (Red Hat npm packages, around June 1). Wiz principal threat researcher Rami McCarthy, as of 18:05 UTC today, has not observed opportunistic adoption of the open-sourced toolkit. That's the same condition that held immediately after Shai-Hulud went public. Copycats appeared within days. The 72-hour window is the relevant clock right now. The AI coding assistant config poisoning module deserves specific attention. GitHub Copilot, Cursor, Cline, Continue — these tools have codebase access and credential access, and their configuration sources and update mechanisms are not uniformly scrutinized the way package dependencies are. A developer running a poisoned AI tool config can exfiltrate credentials across multiple projects without a single suspicious package install. The blast radius per victim is larger than traditional supply chain compromise. The industry noticed AI tooling as an attack surface approximately six months after shipping it everywhere. It always does. Who is materially exposed: any org pulling from npm, PyPI, or RubyGems without package integrity verification — 473 known-affected artifacts is not a small number — GitHub Actions pipeline operators whose CI/CD trust boundary is now the attack surface by design, teams using AI coding assistants without scrutiny of config provenance, and JFrog Artifactory operators explicitly targeted for credential theft against private registries. The Socket artifact count will update upward. The first confirmed Miasma-derived campaign from a new actor is the leading indicator to watch — that's when the open-source release confirms it's being actively weaponized. That clock started this morning.

• 
  Endura Security (@endurasecurity) reported 21 minutes ago

  GitHub disabling npm's auto-run install scripts is overdue. It is not a fix. Plenty of these payloads never touch install - they wake up when your app imports the dep at runtime. You locked one door in a house with no walls. #DevSecOps #SupplyChainSecurity #AppSec

• 
  Ayaan 🐧 (@twtayaan) reported 25 minutes ago

  Linus Torvalds could have been richer than Elon Musk. He chose not to be. In 2005 his team lost access to the tool they used to manage Linux code overnight. A developer had reverse-engineered it and the company behind it cut them off without warning. Thousands of developers. No way to collaborate. No backup plan. Torvalds did not panic. He sat down and built his own version control system from scratch. In 10 days. He called it ***. On day one it was already tracking its own source code. Within weeks it was managing the entire Linux project. By end of 2005 *** 1.0 was officially released. Then he gave it away for free. Open source. No company. No patents. No monetization. He handed the project off after a few months and went back to working on Linux like nothing happened. Other people saw what he left on the table. GitHub built on top of it. 100 million developers. Microsoft bought it in 2018 for $7.5 billion. GitLab went public in 2021 at nearly $12 billion. Today *** controls over 85% of the version control market. Every app on your phone. Every website you visit. Built using ***. Torvalds made $0 from any of it. He built the most used developer tool in history because he was annoyed. Then gave it away because he believed it should be free for everyone. And he has never once said he regrets it.

• 
  Aman Kumar (@amanaryan23) reported 29 minutes ago

  The freshers getting shortlisted in 2026 and getting jobs at Microsoft, Google, Amazon, Meta etc are not smarter but they all had 5 things in common 💯 Most applicants have 1, maybe 2. This is not just about talent. This is not just about IIT or NIT or Tier 3 colleges. This is about the 5 signals that make a recruiter stop, click, and call. 📍Signal 1 - Real projects: not college assignments. Deployed. Live. Clickable. On GitHub. 📍Signal 2 - Skill depth over breadth. 10-12 skills they can defend, not 30 they've touched. 📍Signal 3 - At least one AI project solving a real problem. "I built a tool that does X using [LLM/ML]. Here's the GitHub." 📍Signal 4 - Social presence Posts on LinkedIn or X about what they're learning, building, breaking and fixing. (Not being on social media for 5 hours a day and wasting time, but just sharing whatever you are learning or building) You make right connections, people notice you. Recruiters search. They find these people. 📍Signal 5 - Warm network. They talked to people at the company before applying. Not to ask for a referral. To learn. The referral came naturally. The hard truth: "None of these take talent. All of them take intention. Most freshers skip all 5 and wonder why they're not getting calls." They built proof of work. They shared their journey publicly. They made connections before they needed them. And when their resume arrived? The recruiter already knew who they were. That's not luck. That's a strategy you can start building today.

• 
  Abi (@larysonlawliet) reported 30 minutes ago

  I'm currently at IIM Ahmedabad selected from 32,000 applicants. 8 months ago I was a CS student in Tier 3 city with nothing but a laptop and GitHub. The only difference? Someone gave me a real problem to solve.

• 
  Matt Silverlock 🐀 (@elithrar) reported 30 minutes ago

  @eersnington can you open an issue + repro / code examples on GitHub? the text you’ve quoted is artifacts-specific — we don’t yet have a APIs for writing directly outside of the *** API — so I’m not quite sure I understand the problem here. ArtifactFS doesn’t touch the write path at all.

• 
  alkimiadev (@alkimiadev) reported 30 minutes ago

  @chacon @canonicalmodel It is what it is I guess. I'd be really careful here because there are a lot of ways where logic errors can cause serious problems. Rust negates an entire class of memory issues but doesn't help pure logic based issues like what recently happened with the github enterprise server I understand the push to have a memory safe version and maybe even doing it just for the hell of it but there are existing solutions like gix and git2. These kinds of things are massive undertakings and have some seriously high risk areas. In general it is a mistake to do things like this unless there is a specific reason. Gluing together well thought out pieces someone else already built can still be risky but it is a lot less risky than trying to build the pieces and gluing them together solo in a few days. I'm actually fairly confident that most modern frontier level models could actually do this in a week or less but they would need detailed specs and that would take a lot of front loaded work (a lot more than a week).

• 
  DullJoker (@dull_joker) reported 39 minutes ago

  Nothing new, GitHub has yet another major outage…

• 
  G4G (@gayforgambling) reported 42 minutes ago

  Anybody who’s paying attention already knows how bad the ripple effect is gonna be. AI created security risks and rewrites code with no oversight companies paid millions or billions in salaries, benefits etc and once it does they won’t be able to fix it. It’s already happening. Not to mention all the hacks recently on GitHub, Axios, AWS etc. this Malware will shut the internet down soon.

• 
  Julia (@_Juliaweb3) reported 42 minutes ago

  Evaluating a new crypto protocol goes way beyond scrolling through a polished landing page. Most teams can easily hire a technical writer to construct a flawless roadmap. True substance hides where the hype is thinnest. Red flag: The Discord server is flooded with price talk and airdrop questions, while the developer channels remain completely dead. When a community cares zero about utility and the core team stops pushing technical updates, you are looking at a ticking time bomb built purely on marketing. Green flag: High code commit frequency on GitHub from decentralized contributors combined with active testnet debugging in open-source chat rooms. When external developers organically build on top of a protocol before a token even launches, it proves the underlying technology possesses actual infrastructure value. Look past the social media noise and focus on where the genuine building occurs. What metrics are you tracking to filter out the noise this week? @RallyOnChain

• 
  GoCocoaAI (@GoCocoaAI) reported 43 minutes ago

  The wire goes very hot on the second Tuesday of June. Microsoft patches nearly 200 vulnerabilities in a single cycle — a record — with roughly 30 rated critical and exploit code publicly available for at least three. Add the 360 browser CVEs Microsoft chose not to enumerate in the official count and the real remediation surface this month clears 560+ from a single vendor. Tenable's Satnam Narang says this may be the new baseline. He's probably right. But the number is almost a distraction from the story underneath it. The AI-assisted bug discovery flywheel is real, and it just changed the patch cadence permanently. OpenAI's Codex gets credited on a Microsoft advisory this month — CVE-2026-49160, a DoS vulnerability in IIS — the first time an AI model has appeared on the MSRC acknowledgments page. This isn't academic novelty. Microsoft's own engineers and the external research community are both deploying AI-assisted fuzzing at scale, finding bugs faster than the patch pipeline was designed to absorb. Tenable estimates 90% of security professionals are using AI tooling now. The volume of patches is going to keep climbing. It always does, until it doesn't — and we haven't hit the ceiling. Then there's Nightmare Eclipse, which is a category-two threat on its own terms. Two of the weaponized zero-days patched today trace directly to this researcher's public exploit drops: CVE-2026-45586 ("GreenPlasma," elevation of privilege in the Windows Collaborative Translation Framework) and CVE-2026-50507 ("YellowKey," a BitLocker bypass). Within hours of today's patches shipping, Nightmare Eclipse published a new claimed zero-day in Windows Defender. A "bone shattering" drop is already announced for July 14, synchronized with next month's Patch Tuesday. This is adversarial coordination with Microsoft's own release cycle. The threat is persistent, escalating, and operating on a schedule. Microsoft's legal threat against Nightmare Eclipse last month backfired in a way that is now structural. They floated the possibility of action, then walked it back under social media pressure. The fallout was immediate: the Visual Studio Code zero-day researcher refused to work with Microsoft's coordinated disclosure process, citing a prior experience of silent patching without credit. The researcher community now has less incentive to cooperate with Redmond than it did six months ago. Predictable in retrospect. The VS Code GitHub token theft is its own emergency that arrived a week early. Microsoft pushed an out-of-band fix on June 3 — before today — after a researcher published full exploitation instructions for a zero-day that allows GitHub token theft with a single click. That vulnerability is formally patched today. Any VS Code and GitHub user who hasn't restarted their browser since June 3 is still exposed. The patch ships; the session doesn't restart itself. Miasma and Patch Tuesday are the same story wearing different clothes. Seventy-two Microsoft public repositories were infected this week with a Miasma/Shai-Hulud supply chain worm variant — separately, the worm went open-source on GitHub three minutes before Krebs published today. The Azure Durable Task SDK was hit by the same worm in May. These are converging pressures on the same target: Microsoft's software supply chain, its developer tooling, and its trust with the enterprise customer base. None of this is coincidental timing. Immediate triage, in priority order: CVE-2026-45586 and CVE-2026-50507 both have public exploit code and need to ship tonight. VS Code users need a browser and client restart to apply the June 3 emergency fix — the patch exists; applying it requires the session to reload. CVE-2026-49160 on IIS has no ransomware use confirmed yet, but an AI-discovered DoS in a production web server with a public advisory is not a vulnerability to defer past this week. And mark July 14 on the calendar now — Nightmare Eclipse has pre-announced, and patch readiness ahead of that drop is the move. Market close adds texture. QQQ finished down 1.34% and SPY down 0.49% after-hours as of 22:18 ET. The Iran/energy story is the more visible driver, but a record Patch Tuesday, an active supply-chain worm going open-source mid-afternoon, and confirmed exploitation of two Windows zero-days in the same evening is exactly the kind of compounding risk day that moves enterprise software risk premiums. Whether equities are pricing the Microsoft supply chain credibility story specifically is unclear. The calendar is not ambiguous. The structural implication is the headline, not the record count. Two hundred CVEs in a month is notable. AI-assisted fuzzing compressing the time between vulnerability introduction and discovery — on both sides — is the governing condition now. Patch Tuesday is going to get heavier. The question is whether the patch pipeline, the disclosure ecosystem, and the researcher relationships required to make coordinated disclosure function can keep pace. This month suggests the answer is: not without significant adjustment.

• 
  Sly (@SlyOnChain) reported 44 minutes ago

  The protocol got hacked. The real damage was not the funds. It was the silence that followed. Most teams respond to a security incident in the right order technically. The post-mortem gets written. The compensation plan gets structured. The GitHub commit goes out with the fix. Almost nobody writes the human update. The one that acknowledges what users are feeling. The one that says, "We know this hurts." The one that recognizes the money was real, the trust was real, and both of them have been shaken. That message almost never comes. So the community sits in the silence. And silence in a crisis does not read as the team working hard. It reads as the team not knowing what to say. Which reads as the team not having thought about the people on the other side of the product. That is where communities collapse. Not at the hack. After it. In the days when nothing human was said. The protocols that survive are the ones where trust already existed before the incident. Because trust cannot be built on the day it is needed. The community either already believed in the team or they didn't. A crisis does not create that belief. It only tests whether it was ever there. By the time the hack happens, it is already too late to start.