LiquidJS RCE, a Trojanized npm Package, and GitHub Copilot's Billing Overhaul

This week delivered a brutal reminder that the software supply chain is under siege from every angle — while the AI tools meant to protect and empower developers are simultaneously becoming more powerful and more dangerous to use carelessly.

A maximum-severity remote code execution vulnerability in a JavaScript template engine with 7.3 million monthly downloads. A Trojanized npm package masquerading as an OpenAI Codex UI tool that silently siphons refresh tokens from 27,000 weekly users. A Palo Alto Networks VPN flaw that attackers are already exploiting in the wild to breach corporate networks. These are not theoretical risks — they are active threats unfolding right now.

Meanwhile, the AI development landscape shifted dramatically on both sides. GitHub Copilot completely overhauled its billing model today, switching every plan to token-based AI Credits. Anthropic shipped Claude Opus 4.8 with a feature that lets developers orchestrate up to 1,000 parallel subagents for massive codebase migrations. The message is clear: the tools are getting exponentially more capable, and so are the attacks targeting them.

How Did a Template Engine Earn a Perfect CVSS 10.0?

Security researchers disclosed CVE-2026-45618, a remote code execution vulnerability in LiquidJS — a JavaScript port of Shopify's Liquid templating language — carrying a maximum CVSS score of 10.0. The flaw is deceptively simple: during filter evaluation, the template engine inadvertently exposes its internal execution context through the valueOf method. An attacker who controls template input can overwrite critical properties like this.loader.lookup and this.readFile, chain through to the JavaScript Function constructor, and execute arbitrary system commands.

The practical impact is enormous. LiquidJS boasts over 7.3 million monthly downloads and is widely used by developers porting Shopify, Jekyll, or GitHub Pages templates to Node.js environments. Any application rendering user-controlled templates with LiquidJS versions 10.25.7 or below is vulnerable to complete system takeover. The fix is available in newer versions, but the sheer number of potentially affected downstream projects — from static site generators to e-commerce platforms — makes this one of the most widespread critical vulnerabilities disclosed this year.

This disclosure follows a pattern we've tracked extensively: the dev tools ecosystem has become a primary attack surface. Template engines, linters, transpilers, and build tools — the invisible infrastructure that developers trust implicitly — are increasingly targeted because they process untrusted input by design and run with the full privileges of the development environment.

The npm Supply Chain Attack Nobody Noticed Until It Was Too Late

In a textbook supply chain attack, security researchers at Aikido discovered that codexui-android — an npm package marketed as a remote web UI for OpenAI Codex — was secretly exfiltrating authentication tokens from every developer who installed it. The package had accumulated roughly 27,000 weekly downloads before the malicious behavior was uncovered on May 27, 2026.

What makes this attack particularly insidious is its sophistication. The attackers didn't rely on typosquatting or account hijacking — they built a genuinely useful tool to establish a real user base before weaponizing it. More critically, the malicious code only appeared in the published npm package, not in the public GitHub repository. A standard source code audit would find nothing wrong, because the compromised code was injected during the publishing step.

Upon installation, the hidden script immediately scans for auth.json files and extracts access_token, id_token, and refresh_token credentials. The stolen data is transmitted to an endpoint disguised as Sentry telemetry. Most dangerously, OpenAI refresh tokens don't expire — meaning a single theft grants attackers permanent access to the victim's account, API usage, and billing. This is not a credential theft that can be remediated with a password reset. The damage is irreversible unless the victim manually revokes the compromised token through OpenAI's dashboard.

As we documented in our coverage of the broader supply chain security crisis hiding in AI infrastructure, the npm ecosystem remains the weakest link in the modern development pipeline. The codexui-android incident proves that attackers are investing in long-game strategies — building legitimate-seeming packages, accumulating trust, and striking only when the user base is large enough to maximize the harvest.

GitHub Copilot's Billing Revolution: What Changes Today

As of today, GitHub Copilot has switched every plan from the Premium Request Unit (PRU) billing model to a new token-based AI Credits system. One AI Credit equals $0.01 of value, and inline code completion remains completely free across all plans, including the free tier. The metered features are chat sessions, agent sessions, and CLI commands, which now draw from a monthly credit allowance tied to your subscription tier.

The new allocation structure gives Copilot Pro subscribers 1,000 credits per month (at $10/month), while Copilot Pro+ gets 3,900 credits per month. Business and Enterprise customers receive promotional bonus credits through August 2026 as part of the transition. This is a fundamental shift in how developers budget for AI-assisted development — moving from opaque unit-based consumption to a transparent, dollar-denominated credit system.

The timing is not coincidental. Microsoft's Build conference opens tomorrow in San Francisco, where the company is expected to announce a suite of internally developed AI models called MAI (Microsoft AI) — including a coding-specialized model designed to compete directly with Anthropic's Claude Code, which has overtaken Copilot as the dominant enterprise developer AI tool. Microsoft confirmed that Copilot now generates 46% of all code committed to GitHub, up from 40% in November 2025, underscoring how deeply AI has penetrated the developer workflow.

Claude Opus 4.8: The Model That Migrates Codebases

Anthropic released Claude Opus 4.8 on May 28, just 41 days after Opus 4.7 — maintaining the same pricing at $5 per million input tokens and $25 per million output tokens. The headline improvement is a dramatic increase in honesty: Anthropic reports that Opus 4.8 is four times less likely to produce false statements about its own code compared to the previous version, scoring 0% on the "uncritically reporting flawed results" metric.

But the most architecturally significant feature is Dynamic Workflows in Claude Code, which enables orchestration of up to 1,000 parallel subagents for tackling large-scale development tasks. The proof of concept is remarkable: Jarred Sumner, the creator of the Bun JavaScript runtime, used Opus 4.8 to migrate 750,000 lines of Rust code in just 11 days. A fast mode is also available, offering 2.5x speed improvements at three times the cost efficiency of Opus 4.7's fast mode.

Opus 4.8's benchmarks are equally impressive — it achieves an 88.6% on SWE-bench Verified and is described by Anthropic as the only model to complete every case end-to-end on the Super-Agent benchmark, beating prior Opus models and GPT-5.5 at cost parity. For developers working on large-scale refactoring, multi-service migrations, or complex debugging sessions, the multi-agent orchestration shift that Opus 4.8 represents is a genuine productivity multiplier.

Palo Alto GlobalProtect VPN Under Active Attack

Palo Alto Networks confirmed that the authentication bypass vulnerability in PAN-OS GlobalProtect VPN — tracked as CVE-2026-0257 — is being actively exploited in the wild. According to Rapid7, attackers have been targeting multiple corporate customers since May 17, 2026, forging authentication override cookies to impersonate local administrator accounts and gain direct access to internal networks through the VPN.

The attack vector is particularly concerning because it targets one of the most widely deployed enterprise VPN solutions globally. Once authenticated through the forged cookie, an attacker can establish a full VPN tunnel into the victim's corporate network, bypassing perimeter security controls entirely. CISA has already added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog, mandating that federal agencies patch within a defined timeframe. For organizations running PAN-OS, this is a patch-immediately situation — the window between disclosure and weaponization has collapsed to days, not weeks.

This vulnerability is part of a broader trend we've tracked across enterprise security products becoming attack vectors themselves. As organizations invest more heavily in perimeter defenses, attackers are increasingly targeting those defenses directly — finding and exploiting vulnerabilities in the very tools designed to protect the network. VPN concentrators, firewalls, and security appliances have become some of the highest-value targets in enterprise networks precisely because they sit at the boundary between trusted and untrusted territory.


The Takeaway

What connects these five stories is a single, accelerating trend: the attack surface of modern development has become inseparable from the development tools themselves. Template engines, package managers, AI coding assistants, and VPN appliances — the infrastructure that developers depend on daily — are simultaneously the most powerful tools available and the most actively exploited entry points for attackers.

Claude Opus 4.8 can orchestrate a thousand subagents to migrate 750,000 lines of code, but a single poisoned npm package can steal the credentials that grant access to everything that code touches. GitHub Copilot now transparently prices AI assistance by the token, but Palo Alto's VPN — meant to guard the perimeter — can be bypassed with a forged cookie. The dual nature of these tools is not a paradox; it's the defining challenge of software development in 2026. The organizations that will thrive are those that recognize this reality and build security into their development workflow — not as an afterthought, but as a first-class constraint alongside functionality and performance.