Snyk: Removing Malware with GitHub Token Deadman Switch

Snyk
06/18/2026

Transcript


service that monitors whether your stolen github token has been revoked. On Linux it registers as a systemd user service. On macOS it registers as a launch agent. If it detects the token was revoked, it destroys your home directory. So you want to disable the monitor service first, then rotate credentials second, in that order. You can see how to disable the monitor service for your respective operating system on screen here, or you can check for more details in the blog shared in the description below. After the deadman switch is gone, remove the editor persistent hooks. The worm writes itself into two places, your Claude code project settings, and your VS code workspace tasks. Both are designed to re-execute the payload every time you open up either tool. Also, check for deaddrop commits authored under the fake identity the attacker used, which was a claude at no reply dot github dot com type of address. That email is the attacker impersonating the anthropic claude github app. Any commits from that identity in your repo are likely malicious. And with that, you have neutralized the persistence mechanism of this attack. You can safely move on to handling your credentials now.

TL;DR

  • Malware installs a deadman switch that destroys your home directory if it detects GitHub token revocation, making remediation order critical for data safety
  • First disable the monitor service (systemd on Linux, launch agent on macOS), then rotate credentials second to prevent triggering the destructive payload
  • Remove persistence mechanisms from Claude Code project settings and VS Code workspace tasks, and check for malicious commits from the claude@noreply.github.com identity

Summary

This security advisory provides critical remediation steps for a sophisticated malware attack targeting developers through VS Code and Claude Code editors. The malware installs a deadman switch mechanism that monitors stolen GitHub tokens and destroys the user's home directory if token revocation is detected. The attack establishes persistence through systemd services on Linux, launch agents on macOS, and editor hooks in both Claude Code project settings and VS Code workspace tasks. Remediation must follow a specific sequence: first disable the monitoring service, then rotate credentials, remove editor hooks, and finally check for malicious commits authored under a fake Anthropic identity. The video emphasizes that following the correct order is essential to prevent data loss during the cleanup process.
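The two editor-hook locations and the impersonated commit author named above can be audited from a checkout with a short script. This is an added example, not Snyk's or Truth in IT's code; it assumes Claude Code project settings live in `.claude/settings.json` (with the documented `hooks` layout) and VS Code workspace tasks in `.vscode/tasks.json`, covers only the steps that follow disabling the monitor service, and uses constructed sample data in place of real files.

```python
"""Audit a checkout for the editor persistence hooks and impersonated commits the advisory names.
Added example, not Snyk's code. Assumed paths: .claude/settings.json (Claude Code project
settings) and .vscode/tasks.json (VS Code workspace tasks). All sample data is constructed."""
import json

# Author address quoted in the transcript as the attacker's fake identity.
IMPERSONATED_AUTHOR = "claude@noreply.github.com"


def claude_hook_commands(settings_text):
    """Return (event, command) for every shell command registered under 'hooks'."""
    settings = json.loads(settings_text)
    found = []
    for event, matchers in settings.get("hooks", {}).items():
        for matcher in matchers:
            for hook in matcher.get("hooks", []):
                if hook.get("type") == "command":
                    found.append((event, hook.get("command", "")))
    return found


def vscode_autorun_tasks(tasks_text):
    """Return labels of workspace tasks VS Code runs automatically when the folder opens."""
    tasks = json.loads(tasks_text)
    return [task.get("label", "<unlabelled>") for task in tasks.get("tasks", [])
            if task.get("runOptions", {}).get("runOn") == "folderOpen"]


def impersonated_commits(log_text):
    """Parse `git log --format='%H %ae'` output; return hashes authored by the fake identity."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].lower() == IMPERSONATED_AUTHOR:
            hits.append(parts[0])
    return hits


# Constructed samples standing in for files read from a checkout.
SAMPLE_CLAUDE_SETTINGS = json.dumps({"hooks": {"SessionStart": [{"matcher": "", "hooks": [
    {"type": "command", "command": "sh /tmp/constructed-placeholder.sh"}]}]}})
SAMPLE_TASKS = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "constructed-autorun", "type": "shell", "command": "sh /tmp/constructed-placeholder.sh",
     "runOptions": {"runOn": "folderOpen"}}]})
SAMPLE_LOG = "aaaa1111 dev@example.com\nbbbb2222 claude@noreply.github.com\ncccc3333 Claude@NOREPLY.github.com\n"

if __name__ == "__main__":
    print("Claude Code hooks:", claude_hook_commands(SAMPLE_CLAUDE_SETTINGS))
    print("VS Code folderOpen tasks:", vscode_autorun_tasks(SAMPLE_TASKS))
    print("Commits from fake identity:", impersonated_commits(SAMPLE_LOG))
```

Against a real repository, read the two JSON files from the assumed paths and feed the output of `git log --format='%H %ae'` to `impersonated_commits`; anything returned is a hook or commit to review and remove by hand.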

Chapters

0:00 - Understanding the Deadman Switch
0:16 - Correct Remediation Order
0:30 - Removing Editor Persistence Hooks
0:43 - Identifying Malicious Commits

Key Quotes

0:00 "... remediation order is not optional. The malware installs a deadman switch, basically a background service that monitors whether your stolen GitHub token has been revoked."
0:16 "If it detects the token was revoked, it destroys your home directory. So you want to disable the monitor service first, then rotate credentials second, in that order."
0:48 "That email is the attacker impersonating the Anthropic Claude GitHub app. Any commits from that identity in your repo are likely malicious."

FAQ

Why can't I just revoke my GitHub token immediately if it's been stolen?

The malware includes a deadman switch that monitors whether your token has been revoked. If it detects revocation before you disable the monitoring service, it will destroy your home directory. You must disable the monitor service first, then rotate credentials second.
