GitHub expanded the Copilot app technical preview to paid Copilot customers and put local and cloud sandboxes into public preview. The notable shift is not another chat feature: it is execution control for coding agents that can run commands, modify files, and open pull requests.
#github
The Megalodon campaign pushed 5,718 malicious commits into 5,561 GitHub repositories in roughly six hours. The target was not just application code, but GitHub Actions workflows that can expose cloud credentials, CI secrets, and deployment tokens.
GitHub confirmed on May 20, 2026 that threat group TeamPCP exfiltrated approximately 3,800 internal repositories after a GitHub employee installed a trojanized Nx Console VS Code extension that was live on the marketplace for just 11 minutes. Stolen credentials include 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and AWS tokens; TeamPCP is seeking $50,000 for the data on underground forums.
Archestra faced a deluge of AI-generated low-quality contributions: 253 bot comments on a single bounty issue, 27 untested PRs for one feature request. Their solution combines contributor onboarding verification with Git's --author flag to create a barrier that distinguishes AI-assisted human contributions from pure bot spam.
HN did not treat CVE-2026-3854 as just another bug bounty post. What jolted readers was that a normal authenticated git push could be turned into backend code execution, pushing the conversation from exploit technique to platform trust.
HN treated Ghostty’s GitHub exit as more than a forge move. What hit people was the subtext: when even a maintainer with deep GitHub history decides the relationship is no longer worth it, reliability and focus stop sounding like background complaints.
Why it matters: agentic coding stops looking cheap once billing follows actual token burn. GitHub says all Copilot plans switch on June 1, with monthly AI Credits replacing premium requests and a preview bill landing in early May.
The improvement sounds small until you remember where agent products lose trust: waiting. GitHub says its Copilot cloud agent now starts more than 20% faster, building on a 50% startup improvement shipped in March.
GitHub is no longer talking about routine uptime tuning. In its April 28 update, the company said a 10x capacity plan launched in October 2025 had to be reworked for 30x scale by February 2026, after recent incidents hit 230 repositories and 2,092 pull requests.
Hacker News did not focus on the headline that plan prices stay flat. The thread zeroed in on a simpler point: on April 27, 2026, GitHub admitted that long agentic coding sessions cannot be subsidized forever, and predictable Copilot costs are giving way to token math.
This matters because Copilot is no longer priced like a lightweight autocomplete tool. Starting June 1, 2026, GitHub will convert every Copilot plan to token-based AI Credits, end the fallback model safety net, and make code review consume GitHub Actions minutes too.
GitHub is pushing Copilot's agent workflow directly into JetBrains editors, not just the side chat panel, and pairing it with inline previews for Next Edit Suggestions. The bigger governance change is global auto-approve: one switch can approve file edits, terminal commands, and external tool calls across workspaces.